RUSSIA STATE HACKING

Kremlin-backed hackers have new Windows and Android malware to foist on Ukrainian foes

"Civil Defense" pushes hybrid espionage/influence campaign targeting recruits.

Dan Goodin

Google researchers said they uncovered a Kremlin-backed operation targeting recruits for the Ukrainian military with information-stealing malware for Windows and Android devices.

The malware, spread primarily through posts on Telegram, came from a persona on that platform known as "Civil Defense." Posts on the @civildefense_com_ua Telegram channel and the accompanying civildefense[.]com.ua website claimed to provide potential conscripts with free software for finding user-sourced locations of Ukrainian military recruiters. In fact, the software, available for both Windows and Android, installed infostealers. Google tracks the Kremlin-aligned threat group as UNC5812.

Dual espionage and influence campaign

"The ultimate aim of the campaign is to have victims navigate to the UNC5812-controlled 'Civil Defense' website, which advertises several different software programs for different operating systems," Google researchers wrote. "When installed, these programs result in the download of various commodity malware families."

The Android versions used social engineering to trick users into turning off Play Protect, a Google service that automatically scans devices for malware, whether from Play or third-party sources. During installation, the app also provided reassurances that the scary system privileges being requested were necessary to protect the safety of users.

Images justifying why permissions and bypassing of Play Protect are necessary. Credit: Google

An FAQ on the website also contained a "strained" justification for the Android app not being available in Play, but rather only as a side-load downloaded from the site. The justification is designed to preempt common security advice that Android users steer clear of sideloaded apps and obtain apps solely from Play.

The campaigns for Windows and Android relied on off-the-shelf infostealers. The Android infostealer is a variant of CraxsRat, a package that implements many of the functions typically found in Android backdoors.

The Windows malware, meanwhile, used a custom version of Pronsis Loader, which was discovered last month by security firm Trustwave, to install PureStealer, available for sale online for $150 a month or $699 for a lifetime license.

The Civil Defense website also advertises support for macOS and iOS, but versions for those platforms weren't available at the time of analysis.

The Google researchers wrote:

To drive potential victims towards these actor-controlled resources, we assess that UNC5812 is likely purchasing promoted posts in legitimate, established Ukrainian-language Telegram channels.

  • On September 18th 2024, a legitimate channel with over 80,000 subscribers dedicated to missile alerts was observed promoting the "Civil Defense" Telegram channel and website to its subscribers.
  • An additional Ukrainian-language news channel promoting Civil Defense’s posts as recently as October 8th, indicating the campaign is probably still actively seeking new Ukrainian-language communities for targeted engagement.
  • Channels where "Civil Defense" posts have been promoted advertise the ability to reach out to their administrations for sponsorship opportunities. We suspect this is the likely vector that UNC5812 is using to approach the respective legitimate channels to increase the operation’s reach.

The researchers said that UNC5812's focus isn't limited to espionage and info stealing. It also includes influence activity to undermine Ukraine's efforts to recruit new military enlistees and to mobilize its troops.

The UNC5812 Telegram channel actively solicits visitors and subscribers to upload videos of "unfair actions from territorial recruitment centers" in what the researchers assess is intended "to reinforce UNC5812's anti-mobilization narratives and discredit the Ukrainian military." The site also carries Ukrainian-language imagery and content, including a news section listing purported cases of unjust mobilization practices.

"Anti-mobilization content cross-posted to the group's website and Telegram channel appears to be sourced from wider pro-Russian social media ecosystems," the researchers wrote. "In at least one instance, a video shared by UNC5812 appeared a day later on a social media account belonging to the Russian Embassy in South Africa."

The UNC5812 operation is only one of many focusing on pro-Russian support of the country's invasion of neighboring Ukraine. Last week, Amazon reported that it caught APT29, a known threat group backed by Russia's Foreign Intelligence Service (SVR), sending malicious emails disguised as coming from Amazon or Microsoft aimed at stealing credentials from Russian adversaries. APT29 is also tracked under the names Cozy Bear, the Dukes, Cloaked Ursa, Dark Halo, BlueBravo, and Midnight Blizzard.

Amazon said APT29 used malicious emails disguised to appear as if they were sent from Amazon or Microsoft in an attempt to compromise targeted devices. Amazon said it seized domains from the group that were designed to appear as belonging to the cloud service provider. The emails were delivered to targets associated with Ukrainian government agencies, enterprises, and militaries. The campaign was first detected by Ukraine’s computer emergency response team.
