Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime

Report: Russian Hackers Targeting Ukrainian Soldiers on Apps

Russian Hackers Using Open-Source Malware on Popular Messaging Apps, Report Says
Report: Russian Hackers Targeting Ukrainian Soldiers on Apps
Russian hackers are targeting Ukrainian military users of popular chat apps. (Image: Shutterstock)

Russian hackers are increasingly targeting messenger apps popular among Ukrainian warfighters with malware as part of an effort "to identify priority targets" for physical attacks, according to Kyiv's primary cyber incident response team.

See Also: Panel | Cyberattacks Are Increasing — And Cyber Insurance Rates Are Skyrocketing

Ukraine's Computer Emergency Response Team said messenger apps such as WhatsApp and Telegram are among the main channels used by the Russian hacking group tracked as UAC-0184 to deploy open-source malware against Ukrainian soldiers. The April report says hackers send malware disguised as videos from the frontlines of the Russian war - among a variety of other tactics - to gain access to data that belongs to Ukrainian military personnel.

The Ukrainian cyber authority said Russian hackers use commercial programs and open-source utilities, including Sigtop and Tusc, to carry out their attacks against soldiers on messaging apps. Both these utilities are frequently used to steal data from the Signal platform.

Once inside, the report says, UAC-0184 uses open-source malware such as HijackLoader and Ghostpulse to steal and upload data from messenger platforms such as Signal, which it says is used by many Ukrainian military members. The cyber agency provided no further details about the targeted attacks but warned soldiers that posting identifying information online or in messaging platforms could compromise their safety and increase the vulnerability of the Ukrainian military.

The warning comes amid growing concerns over Russia's hacking capabilities. On Wednesday, the Google-owned threat intelligence firm Mandiant described the Kremlin's preeminent cyber sabotage unit as "one of the widest and high-severity cyber threats globally."

Sandworm, a specialized cyber division within Russia's military intelligence service that is tracked as APT44, is a "flexible instrument of power capable of servicing Russia's wide-ranging national interests and ambitions, including efforts to undermine democratic processes globally," the report says (see: The Global Menace of the Russian Sandworm Hacking Team).

Russia-linked hacking groups have taken credit for cyberattacks targeting Ukraine's energy, communications and critical infrastructure sectors long before the Kremlin's deadly invasion in 2022. But experts say Russian cybercriminals and hacking groups have since stepped up their attacks as part of an effort to gain a greater military advantage as the war enters its third year.

Russia was also described as the most significant source of global cybercrime in a World Cybercrime Index published in April in the journal Plos One (see: Russia Tops Global Cybercrime Index, New Study Reveals).

About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.