A sinister piece of malware created by Russian hackers is serving as a cyber weapon against Ukrainian conscripts and others looking for recruitment sites in the country or abroad. This spying and disinformation campaign targets both Android and Windows users. By taking domains off the air, AWS, Google’s Threat Analysis Group (TAG), and Mandiant have had some success against the hackers.
Through a Telegram channel (ironically, Telegram was banned in Russia between 2018 and 2020) called “Civil Defense” and a website of the same name, the hackers are trying to get users to download software supposedly intended to locate places where recruits for the Ukrainian military can report. The campaign uses CraxsRAT, a backdoor aimed at Android users, and separate malware for Windows devices.
Spying and lowering morale
Based on data from Google, Mandiant, and AWS, Forbes reports that the UNC5812 operation has two goals. One is to spy on users of the malicious software, and the other is to spread disinformation to undermine the mobilization of troops for the Ukrainian military, for example by posting messages claiming that a specific recruitment station is no longer admitting recruits.
Using social engineering tactics, Android users are instructed to download the malware from outside the Google Play Store. They are even told which steps are needed to disable Google Play Protect, which allows the app to bypass the usual security measures. The operation mainly targets potential recruits, but also “ordinary” curious users. The app is promoted in legitimate Ukrainian-language Telegram channels.
Fake AWS domains
The group behind this campaign is believed to be APT29, better known as Midnight Blizzard. This group is considered to be a Russian state-sponsored outfit. To feign legitimacy, the hackers pretended to operate from AWS domains. However, AWS managed to take these domains off the air in cooperation with CERT-UA, Ukraine’s Emergency Response Team, and Google’s Threat Analysis Group (TAG). This is not to say that this is the end of the threat, as a new digital abode is usually found in no time.
TAG and Mandiant (now part of Google) uncovered the threat in September. Their analysis revealed a brazen modus operandi. Users were shown complete videos and step-by-step guides to disable security settings, allowing the malware to do its work undetected. The remedy against the campaign is quite simple: keep Play Protect enabled, use only the official app store (even though the EU may have an opinion on this) and keep Safe Browsing enabled when visiting websites.