Posted on July 20, 2022 at 8:35 PM
Google’s Threat Analysis Group (TAG) has revealed that Russian-sponsored hackers are still launching serious attacks against Ukrainian organizations. The war in Ukraine has now been fully extended to cyberspace, as hacktivists have taken it upon themselves to launch cyberattacks on organizations.
In a recent report on cyber activity in the region, Billy Leonard, a Google TAG security engineer, stated that threat actors belonging to the Russian APT group Turla have been spotted distributing their first Android malware.
Russian-Backed Hackers Are Tricking Pro-Ukrainian Hacktivists
Russia’s war with Ukraine is being fought not only on the ground but online as well. Ukraine has been resisting both on the ground and in cyberspace, as Russia keeps bombarding organizations in the region with a series of malware and DDoS attacks.
A collection of hackers and technologists has organized under a quasi-hacktivist organization called the IT army to help Ukraine defend its cyber territory. They have launched several persistent cyberattacks against Russian websites.
In a calculated move, the Russian government tried to turn the efforts of these volunteers against them in order to unmask Ukrainian hackers, but ultimately failed.
The Russian-Backed Hackers Are Testing Boundaries
Head of Google’s Threat Analysis Group, Shane Huntley, while commenting on the development, stated that the Russian hackers are testing the boundaries again and are exploring different things. He added that the Russian hackers are always keeping the security team on its toes with new and interesting methods to gain a foothold.
Huntley added that in recent times the Russian threat groups have carried out several types of attacks, including supply chain attacks, but this time they are using fake apps. They are not known to stay on one particular attack path for long, so it is no surprise to see them using a new strategy to gain ground, Huntley reiterated.
They are trying different methods, and not all approaches work. But there is innovation in the way they experiment with different techniques to gain an attack advantage. The attackers are seriously dedicated to fighting the cyber battle for Russia, and they are well funded to continue their activities. Much of this trial and error costs money, but they are not bothered by that as long as one of their efforts yields a positive outcome and gives them an unfair attacking advantage.
The App Was Designed By the Russian-backed Turla Group
In the report, Google researchers stated that the app was designed by the Russian-linked Turla hacking group, in partnership with several other threat groups. Huntley stated that the operation was attributed to Turla due to the security team’s research on the group.
The Google team stated that it has been tracking the group for a long time and has a sound record of its past activities and infrastructure. The Google team stated that the threat group used several evasive tactics to cover its tracks and avoid being noticed, but because the group has been continuously monitored, it was not very difficult for the Google team to trace the hacking method to Turla. The Russian agency in Washington D.C. has not responded to requests for comment on the situation.
The Fake App Was Designed To Spoof Azov Regiment
Reports revealed that the threat actors posed as a “community of free people around the world who are fighting Russia’s aggression”. However, the app they launched was malware that could have infected the devices of genuine Ukrainian hacktivists.
The hackers called the malicious app CyberAzov, a reference to the Azov Battalion or Regiment. To appear genuine, the hackers hosted the app on cyberazoz.com, a domain designed to look like the Azov Regiment’s domain.
Motherboard contacted the email addresses displayed on the malicious website but did not receive a response.
The app did not itself launch attacks; it was designed to identify those who would launch attacks against Russian companies and organizations.
Huntley stated that with the app, the threat actors can find out where an attack comes from and work out what the attackers’ infrastructure looks like. This way, they can discover the location of the attackers and their attack methods.
The app was designed to neutralize the ongoing attacks launched by Ukrainian supporters against Russia in the war and its cyber dimension. Google stated that the fake app was not hosted on the Play Store.