Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime
Russia Tied to Ukrainian Military Recruit Malware Targeting
Anti-Mobilization Messaging Lead to Malware-Pushing 'Civil Defense' SitePotential Ukrainian military recruits are being targeted with malware and anti-mobilization messaging through legitimate Telegram channels.
See Also: Panel | Cyberattacks Are Increasing — And Cyber Insurance Rates Are Skyrocketing
A report from Google's Threat Intelligence Group attributes the "hybrid espionage and information operation" to a suspected Russian group, codenamed UNC5812, whose Telegram persona goes by the handle "Civil Defense."
Telegram remains a vital source of information for many Ukrainians - as Russia continues its war of conquest against the country - and so is a target for the Kremlin's disinformation campaigns and other malign influence efforts.
In the case of UNC5812, Google researchers said threat actors using the Ukrainian-language Telegram channel @civildefense_com_ua
as well as a website hosted at civildefense.com.ua
as part of a campaign that appears to have become fully operational last month. "To drive potential victims toward these actor-controlled resources, we assess that UNC5812 is likely purchasing promoted posts in legitimate, established Ukrainian-language Telegram channels," said the research team, comprised of Google's Threat Analysis Group, which researches nation-state threats to individuals, plus its Mandiant incident response group.
One post directing users to visit the Civil Defense site - first registered in April - appeared on a Telegram channel devoted to missile alerts. The Sept. 18 post claimed to provide free Windows, macOS, iPhone and Android software designed to help potential military recruits "view and share crowdsourced locations of Ukrainian military recruiters," the report says.
In reality, the site only served up two different applications - one for Windows, another for Android devices - that weren't legitimate mapping software but rather the beginning stages of a malware installation chain, the researchers said. For Windows, the website pushed an installer called Pronsis Loader, designed to install first the bogus mapping software, codenamed SunSpinner, which displays bogus location data, and then to install malware called PureStealer.
PureStealer is an infostealer "offered for sale by 'Pure Coder Team' with prices ranging from $150 for a monthly subscription to $699 for a lifetime license," which is designed to steal browser data, including stored cookies and passwords, including for access to cryptocurrency wallets and messaging applications, Google said.
For Android users, the Civil Defense pushed a malicious Android package file - CivilDefensse.apk
- that tried to install a variant of the Craxs remote-access Trojan, to provide remote, backdoor access to the device, after which in some cases the APK then attempted to install an Android version of SunSpinner, researchers said.
After being alerted by Google, Ukrainian authorities began blocking national access to the Civil Defense website. Google has also added the sites and files it identified to the Safe Browsing service, which warns users should they visit dangerous sites or download dangerous files. Google said installing the Android malware also requires users to first deactivate Google Play Protect as well as to manually enable required permissions, with the site including a detailed rationale and instructions - including a video - that attempt to socially engineer victims into doing so.
The campaign highlights how Russian attackers have continued to disseminate anti-mobilization messages, oftentimes by exploiting already existing societal divisions or points of friction, including recent changes to Ukraine's national mobilization laws and introduction of a new, national digital military ID "to manage the details of those liable for military service and boost recruitment," Google said.
Frequent topics for Russian propagandists include not just mobilization, but also the battlefield, alleged corruption, Ukrainian authorities, demoralization and demonizing the West, the EU's Ukraine's Centre for Strategic Communication and Information Security said in a recent report.
"The Kremlin assets conducting these psychological operations exploit natural human fears - fear of death, fear of mutilation, and fear of the unknown" as well as documented shortcomings with various organizations, such as Ukraine's Territorial Recruitment and Social Support Centers, or TRCs, according to the report.
"The Russian authorities carefully monitor the Ukrainian media space for news that it could use to promote anti-mobilization messages, e.g. allegations about bribery or other possible TRC employee transgressions," it said. "The Kremlin also seeks to exploit any news about conflicts involving the military, Ukrainian military losses or Ukrainian men trying to cross the border illegally."
The recent campaign attributed to UNC5812 follows in this mold. "In addition to using its Telegram channel and website for malware delivery, UNC5812 is also actively engaged in influence activity, delivering narratives and soliciting content intended to undermine support for Ukraine's mobilization efforts," Google's report says.