Russia Tied to Ukrainian Military Recruit Malware Targeting
Cyberwarfare / Nation-State Attacks
Endpoint Security
Fraud Management & Cybercrime
Potential Ukrainian military recruits are being targeted with malware and anti-mobilization messaging through legitimate Telegram channels.

A report from Google's Threat Intelligence Group attributes the hybrid espionage and information operation to a suspected Russian group codenamed UNC5812, whose Telegram persona goes by the handle "Civil Defense."

Telegram remains a vital source of information for many Ukrainians as Russia continues its war of conquest against the country, and so it is a target for the Kremlin's disinformation campaigns and other malign influence efforts.

In the case of UNC5812, Google researchers said the threat actors were using the Ukrainian-language Telegram channel civildefense_com_ua, as well as a website hosted at civildefense.com.ua, as part of a campaign that appears to have become fully operational last month. "To drive potential victims toward these actor-controlled resources, we assess that UNC5812 is likely purchasing promoted posts in legitimate, established Ukrainian-language Telegram channels," said the research team, comprised of Google's Threat Analysis Group, which researches nation-state threats to individuals, plus its Mandiant incident response group.

One post directing users to visit the Civil Defense site, first registered in April, appeared on a Telegram channel devoted to missile alerts. The Sept. 18 post claimed to provide free Windows, macOS, iPhone and Android software designed to help potential military recruits view and share crowdsourced locations of Ukrainian military recruiters, the report says.

In reality, the site only served up two different applications, one for Windows and another for Android devices, that weren't legitimate mapping software but rather the beginning stages of a malware installation chain, the researchers said. For Windows, the website pushed an installer called Pronsis Loader, designed to install first the bogus mapping software, codenamed SunSpinner, which displays bogus location data, and then to install malware called PureStealer.

PureStealer is an infostealer offered for sale by Pure Coder Team, with prices ranging from $150 for a monthly subscription to $699 for a lifetime license. It is designed to steal browser data, including stored cookies and passwords, including credentials for cryptocurrency wallets and messaging applications, Google said.

For Android users, the Civil Defense site pushed a malicious Android package file, CivilDefensse.apk, that tried to install a variant of the Craxs remote-access Trojan to provide remote backdoor access to the device, after which, in some cases, the APK then attempted to install an Android version of SunSpinner, researchers said.

After being alerted by Google, Ukrainian authorities began blocking national access to the Civil Defense website. Google has also added the sites and files it identified to its Safe Browsing service, which warns users should they visit dangerous sites or download dangerous files. Google said installing the Android malware also requires users to first deactivate Google Play Protect, as well as to manually enable the required permissions, with the site including a detailed rationale and instructions, including a video, that attempt to socially engineer victims into doing so.

The campaign highlights how Russian attackers have continued to disseminate anti-mobilization messages, oftentimes by exploiting already existing societal divisions or points of friction, including recent changes to Ukraine's national mobilization laws and the introduction of a new national digital military ID to manage the details of those liable for military service and boost recruitment, Google said.

Frequent topics for Russian propagandists include not just mobilization but also "the battlefield, alleged corruption, Ukrainian authorities, demoralization and demonizing the West," Ukraine's Centre for Strategic Communication and Information Security said in a recent report.

The Kremlin assets conducting these psychological operations exploit natural human fears, namely fear of death, fear of mutilation and fear of the unknown, as well as documented shortcomings of various organizations such as Ukraine's Territorial Recruitment and Social Support Centers, or TRCs, according to the report.

The Russian authorities carefully monitor the Ukrainian media space for news that they could use to promote anti-mobilization messages, e.g., allegations about bribery or other possible transgressions by TRC employees, it said. The Kremlin also seeks to exploit any news about conflicts involving the military, Ukrainian military losses or Ukrainian men trying to cross the border illegally.

The recent campaign attributed to UNC5812 follows in this mold. In addition to using its Telegram channel and website for malware delivery, UNC5812 "is also actively engaged in influence activity, delivering narratives and soliciting content intended to undermine support for Ukraine's mobilization efforts," Google's report says.

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday, and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.