Russia (Sandworm): At the CyberwarCon security conference last week, researchers from Google's security team released details of activity carried out by Sandworm in recent years. The group, responsible for the blackouts in Ukraine, has also targeted the French election, attacked the Winter Olympic Games, and attempted to infect a large number of Android devices with rogue apps by going after app developers. The researchers' aim was to draw attention to a highly capable Russian group that has largely stayed under the radar despite long-running, successful campaigns. According to the researchers, Sandworm began targeting Android in late 2017, around the same time it began targeting the Winter Olympic Games. Its activity in that period included building malicious versions of Korean-language apps (transit schedules, media, and finance software) by taking legitimate applications, adding a "malicious wrapper," and uploading the repackaged apps to the Play Store. After discovering the apps, Google removed them from the Play Store and quickly found that the same code had been added to a Ukrainian mail app two months earlier. In 2018, the group again targeted Ukraine, this time sending app developers phishing emails with malicious attachments.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia's invasion of Ukraine increased