‘Five Eyes’ nations release technical details of Sandworm malware ‘Infamous Chisel’ | CyberScoop<\/title> <meta name=\"description\" content=\"Russia is pivoting from disruptive cyberattacks to more targeted operations aimed at giving it an advantage on the Ukrainian battlefield.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/sandworm-ukraine-infamous-chisel\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"'Five Eyes' nations release technical details of Sandworm malware 'Infamous Chisel'\"> <meta property=\"og:description\" content=\"Russia is pivoting from disruptive cyberattacks to more targeted operations aimed at giving it an advantage on the Ukrainian battlefield.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/sandworm-ukraine-infamous-chisel\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2023-08-31T17:06:13+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel-1.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\">  <link rel=\"dns-prefetch\" href=\"\/\/cdn.parsely.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1693337792g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-4\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1693327649g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1693525727g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7af46db108fbc62fdcc9\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/76765\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.3.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=76765\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsandworm-ukraine-infamous-chisel%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsandworm-ukraine-infamous-chisel%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-76765 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/sandworm-ukraine-infamous-chisel\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.703389830508\">\n<div class=\"single-article__header-content\" readability=\"29.676258992806\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/geopolitics\/\"> <span>Geopolitics<\/span> <\/a> <\/li>\n<\/ul>\n<p> Russia is pivoting from disruptive cyberattacks to more targeted operations aimed at giving it an advantage on the Ukrainian battlefield. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel-1.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel-1.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel-1.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel-1.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel-1.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel-1.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel-1.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel-1.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel-1.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel-1.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> A Russian police officer guards the Red Square near the Kremlin, June 24, 2023, in Moscow, Russia. (Photo by Contributor\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"28.760163882761\"><body readability=\"59.635975008221\"><\/p>\n<p>The U.S. government and its allies on Thursday released a technical breakdown of malware used by the infamous Russian hacking group Sandworm on the battlefield in Ukraine, offering one of the most detailed analyses to date of malicious software used by the Kremlin in military cyber operations against Kyiv. <\/p>\n<p>The <a href=\"https:\/\/www.cisa.gov\/news-events\/analysis-reports\/ar23-243a\">joint alert<\/a> by the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the FBI, and agencies in the Five Eyes intelligence partnership \u2014 made up of the United States, the United Kingdom, New Zealand, Canada, and Australia \u2014 provides a detailed analysis of malware dubbed \u201cInfamous Chisel,\u201d which the Sandworm hacking group deployed against Android devices belonging to Ukrainian service members in a bid to collect battlefield intelligence. <\/p>\n<p>Use of the malware <a href=\"http:\/\/cyberscoop.com\/black-hat-russia-china-ukraine\/\">has been described by Ukrainian officials<\/a> as a shift in Russia\u2019s use of cyber operations against Ukraine, from disruptive attacks to more targeted collection to help on the battlefield. Sandworm operates from within the Russian Main Intelligence Directorate, or GRU, and is perhaps best known for the cyber attacks against Ukraine\u2019s grid in 2015 and 2016 that disrupted power in the middle of winter.<\/p>\n<p>Infamous Chisel targets Android devices through a collection of components that ensures persistent access over the Tor network while also collecting information. The malware exfiltrates data that matches a predefined list of extensions like .jpeg and .txt, among others. Additionally, the malware looks for system information, scans the local network for active hosts and open ports, as well as looks for specific Ukrainian military applications. Those military applications were not detailed in the report.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Ukraine\u2019s security services first attributed the campaign to Russia in <a href=\"https:\/\/ssu.gov.ua\/en\/novyny\/sbu-exposes-russian-intelligence-attempts-to-penetrate-armed-forces-planning-operations-system\">an August report<\/a>. The report noted that Russia took tablets used by Ukrainian soldiers for use in further penetrating their defenses.<\/p>\n<p>While Sandworm is widely known for the sophisticated malware used in its attacks on the Ukrainian grid and the more recent NotPetya malware, Infamous Chisel is described by Five Eyes cybersecurity agencies as \u201clow to medium sophistication\u201d and appeared to give little thought to avoiding detection, the report notes.<\/p>\n<p>\u201cThe searching of specific files and directory paths that relate to military applications and exfiltration of this data reinforces the intention to gain access to these networks. Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary, since many Android devices do not have a host-based detection system,\u201d the report reads, meaning there are few ways to monitor the Android devices for malicious behavior.<\/p>\n<p>Even so, the alert warns that the apparently lax concealment methods does not mean that the malware isn\u2019t dangerous. The information gleamed from exfiltration could give Russia an advantage on the battlefield at a time when Ukraine is on the counteroffensive against Russian positions.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/sandworm-ukraine-infamous-chisel\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>‘Five Eyes’ nations release technical details of Sandworm malware ‘Infamous<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[452,293,302,270,880,288,354],"tags":[454,299,306,276,881,294,358],"class_list":["post-1641","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-and-infrastructure-security-agency-cisa","category-department-of-homeland-security-dhs","category-geopolitics","category-russia","category-sandworm","category-threats","category-ukraine","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-department-of-homeland-security-dhs","tag-geopolitics","tag-russia","tag-sandworm","tag-threats","tag-ukraine"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-homeland-security-dhs\/\" rel=\"category tag\">Department of Homeland Security (DHS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sandworm\/\" rel=\"category tag\">Sandworm<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ukraine\/\" rel=\"category tag\">Ukraine<\/a>","tag_info":"Ukraine","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1641"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1641\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":1641,"date":"2023-08-31T17:06:13","date_gmt":"2023-08-31T17:06:13","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=76765"},"modified":"2023-08-31T17:06:13","modified_gmt":"2023-08-31T17:06:13","slug":"five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/08\/31\/five-eyes-nations-release-technical-details-of-sandworm-malware-infamous-chisel\/","title":{"rendered":"\u2018Five Eyes\u2019 nations release technical details of Sandworm malware \u2018Infamous Chisel\u2019"},"content":{"rendered":"