Russian malware steals data from Ukrainian troops' phones: report

A Russian cyber threat actor launched a novel malware campaign against Ukrainian military personnel, targeting Android devices to steal sensitive information from the battlefield, according to an international report published Wednesday.

Sandworm, a Russian state-sponsored threat actor linked to the Kremlin's military intelligence service, used malware known as "Infamous Chisel" to infect Android devices and periodically scan files and network information for exfiltration, the report said. 

The new malware allowed the Russian threat actor to monitor networks, collect traffic data, and send files. 

The report, which provides technical details into the new kind of malware, was published by the Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency, and several international partners, including the U.K. National Cyber Security Centre, the New Zealand National Cyber Security Centre, and the Canadian Centre for Cyber Security. 

Ukraine's security agency uncovered the Russian-linked cyberattack; earlier this month, officials announced that they had "exposed and blocked" attempts by Sandworm to gain unauthorized access to a combat data exchange system maintained by the country's armed forces. 

"Since the first days of the full-scale war, we have been fending off cyberattacks of Russian intelligence services aiming to break our military command system and more," Illia Vitiuk, head of the Ukrainian security agency's cybersecurity department, said at the time. 

The report described how Sandworm used Infamous Chisel in an attempt to establish a persistent presence on affected networks; it includes indicators of compromise for affected devices. 

The malware can be used to steal a combination of system device information, the report said, including details about commercial applications and others specific to the Ukrainian military. 

CISA Executive Assistant Director for Cybersecurity Eric Goldstein said in a statement that the joint report reflects the urgency for all international cyber defense partners "to detect and mitigate Russian cyber activity" and "the importance of continued focus on maintaining operational resilience under all conditions."

"For years, the U.S. government has been calling out Russian actors who have engaged in a range of malicious cyber activity targeting U.S. and allied partners for cyber espionage and potential disruptive actions,” Goldstein added.

The U.S. and its international partners have provided Ukraine with cybersecurity assistance since before the start of the Russian invasion to help boost the country's cyber workforce and evade Russian cyberattacks. 

Earlier this year, the U.S. Agency for International Development announced a $60 million investment to help Ukraine ensure its critical infrastructure is protected against cyberattacks.