Russian state-sponsored threat groups, such as Fancy Bear (APT28),
Cozy Bear (APT29), Turla, and Sandworm, among others, are well-known for complex
cyber-espionage operations, targeted intrusions, destructive attacks, and
disinformation campaigns. Some of the capabilities of Russian threat groups,
however, are not well-known and extend beyond the usual targeting of government
and critical infrastructure enterprise networks.
The three main Russian intelligence services (the GRU, FSB
and SVR) have also conducted less well-known and underreported intelligence-gathering
campaigns against Android and iPhone users, delivering spyware as well as
collecting credentials for specific mobile applications.
In this blog, I examine open source intelligence
(OSINT) reports, building on and citing investigations
conducted by other threat researchers, to present my key findings and an overall
assessment of these mobile threat campaigns.
Threat groups belonging to each of the three main Russian
intelligence agencies have been observed using mobile spyware or targeting
the credentials of specific mobile applications over the course of the last decade.
Employing dedicated mobile spyware and exploit developers, or
acquiring these capabilities from external third-party vendors, is expensive and
resource-intensive. This shows the considerable investment the Kremlin is
willing to make in offensive cyber operations against its targets, and the
value it places on them.
On 22 December 2016, CrowdStrike published a report on X-Agent, an Android malware that it linked to Fancy Bear, a threat group attributed to GRU Unit 26165. The researchers uncovered a fake Android APK posing as an application developed in Ukraine by an officer of the 55th Artillery Brigade to reduce targeting time for the Soviet-era D-30 122mm towed howitzer. Between 2014 and 2016, Fancy Bear reportedly distributed the Android X-Agent malware via Ukrainian military forums. A successful deployment via this fake application would have enabled reconnaissance against Ukrainian troops, such as their location and their communications. Information gleaned from infected devices could be used to identify the positions of Ukrainian artillery units and target them, giving Russian forces a battlefield advantage.
On 24 July 2019, Lookout shared a report
on Monokle, a custom Android spyware developed by the Russian private contractor Special
Technology Centre (STC). STC has also been sanctioned
by the US government for supporting the GRU's interference in the
2016 US presidential election. Interestingly, STC developed Monokle
alongside its own Android antivirus product, whose Russian name translates to Defender.
What made Monokle notable was its novel methods of
exfiltrating data from the victim's device, even without root access. It made
extensive use of Android accessibility services to scrape information from
apps installed on the target device, and it could download and use an
attacker-supplied SSL/TLS certificate, enabling Adversary-in-the-Middle (AiTM) attacks
against the device's traffic. One caveat worth noting: since Android 7, apps targeting
API level 24 or later do not trust user-added CA certificates by default, so this
technique is most effective against older Android versions, rooted devices (where the
certificate can be placed in the system store) or apps that explicitly opt in to the
user certificate store. Other capabilities of Monokle include the use of keyword
dictionaries to search for topics of interest on the device, and recording the
screen while the device is being unlocked in order to capture the user's PIN, pattern or password.
Monokle was reportedly distributed inside trojanised copies of legitimate Android APKs that retained their original functionality, so users would be less suspicious. Lookout observed a small number of Monokle samples deployed in the wild, as early as March 2016, in highly targeted attacks. Targets were likely located in the Caucasus or belonged to the Ahrar al-Sham militant group in Syria, alongside other English-, Arabic- or Russian-speaking victims.
Figure 1: Malicious apps containing Monokle. (Source: Lookout)
On 26 November 2019, Google reported that it had discovered a series of Android malware campaigns tied to Sandworm, a threat group linked to GRU Unit 74455. The first campaign Google detected targeted users in South Korea in December 2017: Sandworm modified up to eight legitimate Android applications with malware and uploaded them to the Google Play Store using attacker-created developer accounts. These apps, however, had fewer than 10 installs each. A second campaign, which had taken place earlier, in September 2017, targeted users in Ukraine. The adversary used a similar tactic to publish a fake version of the UKR.net email app on the Google Play Store, which gained around 1,000 installs.
Figure 2: Malicious
apps by Sandworm targeting South Korea. (Source: Google)
The third Sandworm campaign Google detected, in November 2018, involved
spear-phishing attacks against Android app developers, again in Ukraine.
In at least one case, Sandworm compromised a Ukrainian Android
app developer with several published Google Play Store apps, one of which
had over 200,000 installs. Using the hijacked developer account, Sandworm
built a custom backdoor into one of the legitimate apps, signed it with one
of the developer’s stolen code-signing keys, and attempted to publish it on the Google
Play Store. The Google Play Protect team caught the attempt at upload
time and prevented any infections.
On 31 August 2023, the UK NCSC published a report
in conjunction with the US, New Zealand, Canada and Australia on Infamous
Chisel, a mobile malware linked to Sandworm that was used to target
Android devices used by the Ukrainian military. Infamous Chisel is an advanced
piece of Android malware with several persistence mechanisms and an unusual C2
communication system, and it searches the device for mobile applications specific to the
Ukrainian military. It provides remote access by exposing a bundled Dropbear SSH
server through a Tor hidden service: incoming Tor traffic is forwarded to Dropbear,
which accepts the SSH connection. Other notable capabilities of Infamous Chisel include
monitoring network traffic for collection, performing local network
scanning, and using SCP file transfers for exfiltration.
On 19 July 2022, Google discovered
Turla, a threat group attributed to the Russian
FSB Center 16, hosting malicious "CyberAzov" Android APKs on a
domain spoofing the Ukrainian Azov Regiment. The app posed as a Denial of
Service (DoS) attack tool for use against Russian websites, mimicking another
app called “StopWar” that was likely created by pro-Ukrainian hacktivists. However,
it only performed a single GET request to the target website, nowhere near enough
to have any effect. Notably, Turla’s CyberAzov app was not distributed through the
Google Play Store, but was hosted on a domain controlled by the adversary and
disseminated via links on third-party messaging services (such as Telegram).
Google found, however, that the number of installs was likely minuscule.
Figure 3: Turla’s CyberAzov app. (Source: Google)
This was also the first public disclosure of Turla,
an FSB threat group that has been active for around two decades, using
Android malware. In this campaign, the Turla operators aimed to exploit one of
the early trends of the Russia-Ukraine war: volunteers
hoping to aid Ukraine by launching cyberattacks against Russian organizations. By targeting these Ukrainian
cyber volunteers, Turla could potentially have gained access to the communities
that were organizing such attacks, and advance intelligence on which
Russian organizations were going to be targeted next.
On 4 September 2024, the Computer Emergency Response Team of
Ukraine (CERT-UA) disclosed
that a threat group it tracks as UAC-0210 had launched a campaign
against the Armed Forces of Ukraine to steal application credentials and transmit
GPS coordinates, so that the locations of Ukrainian soldiers could be targeted with kinetic
weapons. UAC-0210 used Signal, an end-to-end encrypted (E2EE) messaging app, to
send messages containing malicious links. Signal is widely used by the Ukrainian
military and government as a secure alternative to Telegram or WhatsApp.
The malicious links distributed Android APK files posing
as two platforms used by the Armed Forces of Ukraine, “GRISELDA” and
“Eyes”.
Figure 4: Fake GRISELDA
application sent by UAC-0210. (Source: CERT-UA)
Figure 5: Fake Eyes
app sent by UAC-0210. (Source: CERT-UA)
For GRISELDA, the UAC-0210 operators registered a new domain
and hosted a cloned version of the legitimate GRISELDA website to distribute a
malicious APK file. Notably, the malicious APK contained Hydra, an Android malware
developed by cybercriminals and sold on underground forums that can steal
session data (HTTP cookies) and contacts and log keystrokes. For Eyes, the
UAC-0210 operators delivered the app via Google Drive links. The malicious APK
was a modified copy of the legitimate Eyes app with an additional Java class that
exfiltrates data to an attacker-controlled Cloudflare workers[.]dev domain.
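Spotting a trojanised copy of a legitimate app like the modified Eyes APK is easiest when you have the vendor's official build to compare against. The following script is an added example of that check (my own code, not CERT-UA's and not from the Eyes or GRISELDA projects): it treats each APK as the ZIP archive it is, hashes every entry and reports what was added, removed or changed, flagging a changed classes.dex (an extra Java class gets compiled into it) and any difference in the v1 signing files under META-INF/, since an attacker without the developer's key has to re-sign. The two APKs it diffs by default are constructed in memory for the demonstration and hold placeholder bytes, not real app content; the package name ua.example.eyes and the entry names are assumptions.

```python
"""apkdiff.py: diff a suspect APK against a known-good build of the same app.

Added example (not CERT-UA's code, nor that of the Eyes/GRISELDA projects).
An APK is a ZIP archive, so a trojanised copy of a legitimate app usually
shows up as (a) a changed classes.dex, because the added class is compiled
into it, (b) extra entries such as a new DEX file or native library, and
(c) different v1 signing files under META-INF/, because the attacker cannot
re-sign with the developer's private key.
"""
import hashlib
import io
import sys
import zipfile
from dataclasses import dataclass, field

SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


@dataclass
class ApkDiff:
    added: list = field(default_factory=list)      # entries only in the suspect
    removed: list = field(default_factory=list)    # entries only in the known-good
    modified: list = field(default_factory=list)   # same name, different content
    signer_changed: bool = False                   # v1 signature files differ

    @property
    def suspicious(self) -> bool:
        # Removed entries alone are not suspicious (e.g. stripped locales),
        # but anything added, changed or re-signed deserves a closer look.
        return bool(self.added or self.modified or self.signer_changed)


def entry_hashes(apk) -> dict:
    """Map every file entry in the APK (a path or file-like object) to its SHA-256."""
    with zipfile.ZipFile(apk) as z:
        return {info.filename: hashlib.sha256(z.read(info)).hexdigest()
                for info in z.infolist() if not info.is_dir()}


def is_signing_file(name: str) -> bool:
    """True for v1 (JAR) signature files. v2/v3 signatures live in the APK
    Signing Block outside the entry list and need apksigner to verify."""
    return name.startswith("META-INF/") and name.upper().endswith(SIGNING_SUFFIXES)


def diff_apks(known_good, suspect) -> ApkDiff:
    """Compare entry hashes of two APKs and classify every difference."""
    good, bad = entry_hashes(known_good), entry_hashes(suspect)
    result = ApkDiff()
    for name in sorted(set(good) | set(bad)):
        if name not in good:
            result.added.append(name)
        elif name not in bad:
            result.removed.append(name)
        elif good[name] != bad[name]:
            result.modified.append(name)
        if is_signing_file(name) and good.get(name) != bad.get(name):
            result.signer_changed = True
    return result


def build_sample_apk(entries: dict) -> io.BytesIO:
    """Constructed stand-in for an APK: an in-memory ZIP with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample data for the demonstration; the package name and entry
# contents are placeholders (assumptions), not the real Eyes app.
OFFICIAL = build_sample_apk({
    "AndroidManifest.xml": b"<manifest package='ua.example.eyes'/>",
    "classes.dex": b"dex\n035\x00Lua/example/eyes/MainActivity;",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\nSHA-256-Digest-Manifest: <official>",
    "META-INF/CERT.RSA": b"<developer's PKCS#7 signature block>",
})
TROJANISED = build_sample_apk({
    "AndroidManifest.xml": b"<manifest package='ua.example.eyes'/>",
    # the added exfiltration class changes the DEX content, hence its hash
    "classes.dex": b"dex\n035\x00Lua/example/eyes/MainActivity;Lua/example/eyes/Exfil;",
    "lib/arm64-v8a/libhelper.so": b"<constructed native library>",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\nSHA-256-Digest-Manifest: <re-signed>",
    "META-INF/CERT.RSA": b"<attacker's PKCS#7 signature block>",
})


def main(argv):
    if len(argv) == 3:
        result = diff_apks(argv[1], argv[2])   # real files from the command line
    else:
        result = diff_apks(OFFICIAL, TROJANISED)
    for label in ("added", "removed", "modified"):
        print(f"{label:9}: {getattr(result, label)}")
    print(f"signer changed: {result.signer_changed}")
    print("VERDICT:", "suspicious" if result.suspicious else "identical content")
    return 1 if result.suspicious else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with two paths (`python apkdiff.py official.apk suspect.apk`) to compare real files; the exit code is 1 whenever something was added, changed or re-signed. Entry hashing only sees v1 (JAR) signatures: for APKs signed with the v2/v3 schemes the signing block sits outside the entry list, so pair this with `apksigner verify --print-certs` on each file and compare the certificate fingerprints against the developer's published ones.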
Figure 6: Summary Timeline of Russian Android Malware Case Studies
On 4 February 2015, Trend Micro disclosed
additional details about a long-running cyber-espionage campaign it tracked as
Operation Pawn Storm, which is tied to Fancy Bear. Operation Pawn Storm targeted
a wide range of entities, such as militaries, governments, defense contractors,
and media organisations. During its tracking, Trend Micro detected two
versions of Fancy Bear's mobile spyware for iOS 7. The iOS version of
X-Agent could steal personal data such as text messages, contact lists,
pictures, geolocation data, the list of installed apps and WiFi connectivity data,
record audio and take screenshots, and exfiltrate everything to an attacker-controlled
server using the File Transfer Protocol (FTP).
Trend Micro also uncovered another X-Agent variant for iOS, dubbed
MadCap, which was similar but focused on recording audio. There was, however, one
significant caveat to this mobile malware: for X-Agent to work, the
target iOS device needed to be jailbroken. Trend Micro noted that it had not found exactly
how Fancy Bear intended to install the malware on iOS devices,
but it suspected social engineering rather than a zero-day exploit. Alternatively, it
could still have been installed onto non-jailbroken
devices if it was signed with a stolen Apple developer code-signing
certificate, or if the attacker had physical access to the target iPhone and could
connect it to another device via a cable.
On 14 July 2021, Google disclosed
that Cozy Bear, a threat group associated with the Russian SVR, had sent
malicious links via LinkedIn direct messages to exploit the iPhones of government
officials from Western European countries. If the target visited the link from
an iOS device and certain conditions were met, a zero-day vulnerability in Apple
WebKit, now tracked as CVE-2021-1879, was exploited. The exploit turned off
Same-Origin-Policy protections in Safari so that a stealer payload could collect authentication cookies
from several targeted websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo. The cookies were then sent via WebSocket to an attacker-controlled IP address, where the Cozy Bear operators could replay them to hijack the victim’s sessions and access those accounts.
On 30 May 2024, Access
Now and Citizen
Lab published a joint investigation into how seven Russian- and Belarusian-speaking independent
journalists and opposition activists based in Europe were targeted and/or
infected with NSO Group’s Pegasus spyware. The campaigns reportedly took
place between August 2020 and January 2023, with at least five of the cases potentially
resulting from targeting by a single NSO Group customer. One of the
victims was Galina
Timchenko, an exiled Russian journalist and CEO of Meduza. Many of the
targets had publicly criticised the Russian government, including over Russia’s invasion
of Ukraine, and had already faced intense threats from Russian and/or
Belarusian state security services.
On 29 August 2024, Google shared
that it had uncovered a watering hole attack on cabinet[.]gov[.]mn and
mfa[.]gov[.]mn, two Mongolian government websites that were compromised
to load a hidden iframe from an attacker-controlled website delivering known
(n-day) exploits. In November 2023 and February 2024, the watering hole sites
delivered an iOS WebKit exploit for the previously disclosed flaw tracked as
CVE-2023-41993. On successful exploitation, the iOS payload was the
same cookie stealer that Google had observed Cozy Bear using in 2021.
The cookie stealer continued to target session cookies for accounts such as
Outlook Web App, Gmail, LinkedIn, Yahoo and Facebook, and now also GitHub and iCloud.
In July 2024, mfa[.]gov[.]mn was compromised again, this time
with JavaScript that redirected Android devices running the Google
Chrome browser to an iframe delivering an exploit chain for
CVE-2024-5274 and CVE-2024-4671 and a Chrome infostealing payload. The
Android payload was also a cookie stealer, collecting cookies from all
available sites, autofill data (such as passwords or credit card details) and
web browsing history.
Google assessed with moderate confidence that these campaigns are
linked to the Russian government-backed actor Cozy Bear. The campaigns
delivered known exploits for which patches were already available, but these would still be
effective against unpatched devices, so keeping iOS and Chrome up to date is the direct mitigation.
Figure 7: Summary Timelines of Russian iOS Malware Case Studies
On 9 February 2022, ENEA published a report on
HiddenArt, a telecommunications signalling threat group that ENEA assesses to
have ties to the Russian government (Art is the Old Irish/Gaelic word for bear). Active
since at least 2018, HiddenArt has been observed performing periodic reconnaissance against
mobile networks globally and exploiting weaknesses in Signalling System 7 (SS7),
the protocol suite used to route calls and messages between mobile networks, to both track the location of
mobile devices and intercept voice calls and SMS messages.
The adversary stayed hidden for years by spoofing its source SS7 addresses so that its traffic appeared to come from legitimate mobile network nodes in Africa. Traffic apparently originating from those African operators' nodes was observed targeting specific devices belonging to Russian political dissidents as well as undisclosed VIPs with ties to the economic and political spheres. ENEA worked with the affected African mobile operators to install SS7 firewalls and found that the abnormal SS7 commands spoofing their nodes were in fact originating from Russia.
Figure 8: HiddenArt
SS7 Attack Technique. (Source: ENEA)
On 12 December 2023, Kyivstar, Ukraine’s largest mobile
operator, announced on Facebook
that it had suffered a destructive cyberattack. The attack reportedly
left 24 million Kyivstar subscribers in Ukraine and abroad without voice and
data connectivity on mobile and fixed-line networks for two days. PrivatBank,
Ukraine’s largest bank, was also affected: it stated on Facebook that its Point-of-Sale (PoS) systems, ATMs and other
self-service terminals had lost connectivity.
Ukraine’s security service (SBU) attributed the attack to the GRU-linked threat group Sandworm.
Sandworm reportedly attempted to infiltrate Kyivstar’s network in March 2023 or earlier, gained
access at least as early as May 2023, and likely had full control of
the network by November 2023 before wiping it in December 2023. SBU officials noted that the level of access
Sandworm gained may have enabled it to steal personal information,
determine the locations of phones or intercept SMS messages. The
Sandworm operators then wiped “almost everything,” including thousands of virtual
servers and workstations, according to the SBU.
It was not until 20 December 2023 that Kyivstar managed
to restore all of its services in Ukraine. The attack is
said to have cost its parent company, Netherlands-based Veon, almost 100
million USD. According to the SBU, the destructive hack did not affect the
communication systems of the Ukrainian armed forces, which reportedly do not
rely on Kyivstar. The incident was, however, “one of the highest-impact disruptive
cyberattacks” on the country since the start of the war, Ukrainian officials
said.
Based on the case studies outlined above, several assessments about Russia’s campaigns against mobile users can be made. Given the
development of custom mobile malware and exploits for Android and iOS, there
appear to be dedicated mobile-focused experts within the GRU, FSB and
SVR.
From the OSINT case studies of publicly disclosed Russian
mobile malware campaigns, the GRU appears to be the biggest user, followed by
the SVR. Because the first mobile malware linked to Turla was only disclosed in
2022, the FSB is either highly adept at deploying
spyware stealthily or less inclined to use mobile attacks. Because sophisticated mobile malware is often highly
targeted, researchers like myself who have to rely on OSINT often miss
the bigger picture and the insights available to intelligence agencies or technology
companies like Apple and Google. This is my assessment based on the available evidence.
The first notable observation from this research is that the GRU’s mobile campaigns
are highly focused on Ukraine and are used foremost to gain an advantage on the
battlefield. This was evident in Fancy Bear’s campaign against Ukrainian
artillery units, and new GRU Android malware appeared following Russia’s
invasion of Ukraine in February 2022. It is also interesting that the emergence
of Infamous Chisel in 2023 overlapped with Sandworm gaining access to the Kyivstar
mobile operator’s network in the same year.
Interestingly, in the case of UAC-0210 shared by CERT-UA, the
adversary borrowed code from Hydra, a malware developed by cybercriminals, for
cyber-espionage purposes. While this attack could well have been conducted by a
financially motivated criminal looking to make money by selling access to
sensitive military data, borrowing code from cybercriminals is
a known tactic of Sandworm’s operators, whom Google observed last year using Rhadamanthys, an infostealer also sold
by cybercriminals, to target energy sector organisations in Eastern Europe.
Lookout’s discovery of STC’s Monokle malware further highlights the Kremlin’s
use of Russian private contractors for offensive cyber operations. This fits with other,
more exotic capabilities whose development the Kremlin outsources,
such as the creation of industrial control system (ICS)
malware by NTC
Vulkan for the GRU, or network-protocol targeting tools by SyTech for the FSB.
The targeting of Russian and Belarusian dissidents with Pegasus
spyware was also interesting, as it highlights the proliferation of such spying
capabilities from commercial surveillance vendors. The likelihood of NSO Group
knowingly selling directly to the Russian government is, however, low
given its numerous past statements and Israel’s strained relationship with Russia. The Russian intelligence services would also distrust
NSO Group as an Israeli mercenary spyware company that could pass knowledge of
Russia’s spying operations to the Israeli government and its allies. Some researchers have speculated that an unknown third
country could have carried out the attacks at Russia's behest to
obscure attribution.
Overall, organisations repeatedly targeted by Russia, such
as those in Ukraine or countries that share a border with Ukraine or Russia,
need to be aware of these less common but significant mobile threats.
Individual government officials, diplomats, dissidents, and executives must take
necessary precautions to mitigate the risk of such attacks.