Posted on November 22, 2019 at 2:31 PM
Google has discovered that Sandworm, Russia’s state-sponsored hacking group, is launching some of the most dangerous cyberattacks in history. In recent years, most of Sandworm’s attacks have gone unnoticed, yet the group has carried out many cyberattacks, particularly in Ukraine.
In 2014, the operation was fingered for the malware attack on United States electric utilities. More recently, it infiltrated Ukraine’s government-run electricity utility, which triggered blackouts.
Some surprising discoveries on Sandworm
Billy Leonard and Neel Mehta, Google’s security researchers, have been researching the activities of this hacking group since 2017. Sandworm was involved in the disruption of the Winter Olympics. It also targeted the French election but was unsuccessful.
But it seems the attackers have changed their targeting. They are no longer focused only on political and governmental attacks. Recently, they tried to use rogue apps to infect thousands of Android phones. They even went as far as compromising Android developers to infiltrate their apps.
Attackers’ influence continues to grow
According to the researchers, this group was formerly given little serious attention. But its recent activities and operations have drawn serious concern. The researchers argued that its activities are quite devastating, yet it has not received the same attention as the other Russian hacking group, Fancy Bear, also known as APT28.
Ironically, both Sandworm and APT28 are believed to be part of the GRU, Russia’s military intelligence division.
During his CyberwarCon talk, Leonard explained to WIRED that for many years Sandworm has been very effective in its operations, which it carries out through computer network attack (CNA). This sort of hacking is quite different from cybercrime or espionage, and the nature of Sandworm’s campaigns makes them difficult to track. The group has run an exhaustive campaign that largely remains unnoticed, Leonard said.
Google still investigating Sandworm’s operations
Google began investigating Sandworm’s attacks on Android phones two years ago. According to FireEye, this was the same period in which Sandworm made its move to disrupt the 2018 Winter Olympics in South Korea.
Mehta and Leonard also pointed out that their research revealed the hackers were pursuing another mission. They said the hackers were developing malicious versions of Korean-language Android apps covering finance, media, and transit schedules. They planned to bundle their malware, described as a wrapper, into those apps and offer them for download on the Google Play Store.
When Google noticed these malicious apps, it removed them. But it later discovered that the same malware had already been planted in a Ukrainian mail app. Leonard said this shows that the hackers used Ukraine as a testing ground before launching their attacks elsewhere.
Ukraine used as a testing ground
Mehta and Leonard revealed that the hackers were able to infiltrate about 1000 apps, including those from Ukraine. The researchers are not yet sure what damage the malware was designed to do, but the malware code they saw was programmed to download other malware. Leonard explained that the hackers’ goal could have been the destruction of data or espionage.
Barely a year ago, Google said, Sandworm made another attempt to compromise Android devices. Google reiterated that this time the attack was more complex and sophisticated than the group’s previous attempts. This time, Sandworm went after the source.
The attackers used malware-laced email attachments in a bid to compromise Android developers. They intended to plant PowerShell Empire, a popular hacking platform, by exploiting vulnerabilities in Microsoft Office. However, they failed in that attempt.
But, once again, they succeeded in Ukraine by compromising a Ukrainian history app. Google says the hackers did not infiltrate any phone this time, but they could have infected phones if Google had not noticed the malware in time.
Google pointed out that it tracked a campaign targeting Russians in 2018. Google described this as a new development. The researchers said this attack was a mysterious one because the attackers and their victims were from the same country.
The victims of the attack included finance firms, real estate firms, and Russian automobile sellers. It is still puzzling why Sandworm would launch an attack on Russians, given that Sandworm is part of the Russian government’s GRU. But Google did not comment further on its speculations concerning Sandworm’s motives.