Connect with us

Hi, what are you looking for?



Five Eyes Report: New Russian Malware Targeting Ukrainian Military Android Devices

Five Eyes report details ‘Infamous Chisel’ malware used by Russian state-sponsored hackers to target the Ukrainian military’s Android devices. 

Infamous Chisel malware used by Russia to target Ukrainian military Android devices

Five Eyes agencies have issued a joint report on the malware used recently by Russian state-sponsored hackers to target Android devices belonging to the Ukrainian military. 

The new malware, named Infamous Chisel, is actually a collection of components designed to provide persistent backdoor access to compromised Android devices over the Tor network, and enable the attackers to collect and exfiltrate data.

The campaign has been linked to the threat actor known as Sandstorm, which was previously connected to Russia’s GRU foreign military intelligence agency.

According to the agencies, the Infamous Chisel malware is designed to periodically scan infected Android devices for information and files that could be of interest to the attackers. 

Targeted information includes device details, as well as data associated with commercial apps and applications used by the Ukrainian military. 

“The searching of specific files and directory paths that relate to military applications and exfiltration of this data reinforces the intention to gain access to these networks,” the report reads.

In addition, the malware scans the local network for information on active hosts, banners and open ports. Capabilities provided by Infamous Chisel also include SSH access to the device, SCP file transfer, and network monitoring and traffic collection. 

“The Infamous Chisel components are low to medium sophistication and appear to have been

Advertisement. Scroll to continue reading.

developed with little regard to defense evasion or concealment of malicious activity,” the report explains. “Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary, since many Android devices do not have a host-based detection system.”

The joint report was written by the UK’s National Cyber Security Centre (NCSC); the US’s National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and  Federal Bureau of Investigation (FBI); New Zealand’s National Cyber Security Centre (NCSC-NZ); Canada’s Centre for Cyber Security; and the Australian Signals Directorate (ASD).

The report includes technical details on each Infamous Chisel component, MITRE ATT&CK information, and indicators of compromise (IoCs).

The report does not mention how the malware has been distributed. However, earlier this month, the Security Service of Ukraine (SBU) reported that Russian forces had captured Ukrainian tablets on the battlefield and attempted to use them to spread malware. They also tried to leverage the access provided by the tablets to breach military networks. 

The SBU said the attacks, which involved nearly 10 malware samples designed for stealing information, were linked to the Sandworm group. The agency said the attack attempts were blocked. 

Related: North Korean Hackers Targeted Russian Missile Developer

Related: A Year of Conflict: Cybersecurity Industry Assesses Impact of Russia-Ukraine War

Related: Deadly Secret: Electronic Warfare Shapes Russia-Ukraine War

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights