2023-09-01
Sandworm is Targeting Ukrainian Soldiers’ Phones with Malware
According to analysis published by intelligence agencies from the Five Eyes countries (Australia, Canada, New Zealand, the UK, and the US), the Sandworm threat group is targeting phones used by Ukrainian soldiers. The malware deployed in the attacks, known as Infamous Chisel-A, scans files and network data for exfiltration, provides persistent backdoor access to infected devices, and includes network monitoring and scanning, traffic collection, SSH access, and SCP file transfer capabilities.
Editor's Note
The CISA report notes “The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity.” Spillover potential may be low, but it is worth warning Android phone users and updating MDM checks.
John Pescatore
Sandworm, we meet again. This time you're wielding Chisel, far less subtle and effective than NotPetya. Chisel is not intended to be subtle or to evade defenses; although the Tor backdoor is hidden, it's still possible to detect and block the activity. The report includes IOCs, and the NIST analysis includes downloadable YARA rules to aid hunting. Odds are you're going to want to do a factory reset or replacement of any impacted devices.