Russia (Sandworm): At the CyberwarCon security conference last week, security researchers from Google’s security team released details of activities carried out by Sandworm in recent years. These recent activities by the group responsible for the Ukraine blackouts included targeting the French election, attacks on the Winter Olympic Games, and an attempt to infect a large number of Android devices with rogue apps by compromising app developers. The researchers were attempting to bring attention to this highly capable group of Russian hackers who have largely gone under the radar even with long-running successful campaigns. According to the researchers, Sandworm began targeting Android in late 2017–around the same time, they began targeting the Winter Olympic Games. Some of their attempts from that time period included creating malicious versions of Korean-language apps including transit schedules, media, and finance software by compromising legitimate applications and uploading them to the Play Store after adding their own “malicious wrapper” to the app. After discovering the apps, Google removed them from the Play Store and then quickly discovered that the same code had been added to a Ukrainian mail app two months earlier. In 2018, the group again targeted Ukraine by going after app developers through phishing emails with malicious attachments.
The lack of coverage about the activities of highly sophisticated groups like Sandworm poses a serious risk. By allowing them to operate for years without releasing the information on their activities makes it difficult for organizations to compare their own security measures against the group’s tactics to ensure that they are prepared and protected from attacks by groups like Sandworm. More information on the statements made by Google’s Security Team can be found at https://www.wired.com/story/sandworm-android-malware/