Russian Hackers Target Mobile Devices in New Espionage Wave

by do son ·

Russian hackers
Malicious apps containing Monokle. (Source: Lookout)

Cybersecurity researcher BushidoToken’s latest report reveals a disturbing trend: Russian state-backed hackers are increasingly focusing on mobile devices, exploiting them for espionage, stealing sensitive data, and even gathering intel for military operations. The report exposes the evolving tactics of notorious groups like Fancy Bear (APT28), Cozy Bear (APT29), Turla, and Sandworm, who are now extending their cyberwarfare beyond traditional targets to infiltrate mobile platforms with advanced techniques.

While Russian cyber-operations are typically associated with attacks on government and critical infrastructure networks, the report details how mobile devices have increasingly become a focal point for Russian intelligence services, including the GRU, FSB, and SVR. These agencies are leveraging mobile spyware and exploits to gather sensitive information, particularly from Android and iPhone users, often through highly targeted campaigns.

One of the most notable discoveries discussed in the report is Fancy Bear’s X-Agent for Android, a piece of malware that was originally uncovered by CrowdStrike in 2016. X-Agent was reportedly used to track the locations and communications of Ukrainian military units by disguising itself as a legitimate app to assist artillery operations. The report notes that this malware provided Russian forces with battlefield intelligence, enabling them to better target Ukrainian troops.

Another significant malware identified in the report is Monokle, developed by the Russian contractor Special Technology Centre (STC). Monokle’s capabilities include exfiltrating data from Android devices without root access by exploiting Android’s accessibility services. This spyware has been deployed in highly targeted attacks against a range of individuals, including those in conflict zones like Syria.

The report also highlights a newer piece of Android malware called Infamous Chisel, linked to Sandworm (GRU Unit 74455). This malware, disclosed in a joint report by the UK’s National Cyber Security Centre (NCSC) and allies in August 2023, specifically targets Ukrainian military devices. Infamous Chisel is capable of monitoring network traffic, performing local network scanning, and exfiltrating sensitive data such as GPS coordinates and mobile communications. It is believed that the information gathered by Infamous Chisel has played a crucial role in Russian military operations.

Turla, another prominent Russian threat group associated with the FSB, was also found to have launched its first publicized Android malware campaign in 2022. The group developed a malicious app named CyberAzov, which impersonated a pro-Ukrainian hacking tool but in reality aimed to gain intelligence on Ukrainian cyber operations.

BushidoToken’s report emphasizes the considerable investments that the Russian government has made in mobile-based cyber operations. The extensive use of mobile malware highlights a shift in strategy, targeting individuals for intelligence gathering that goes beyond conventional military or political espionage. This shift underscores the growing need for comprehensive mobile security measures, particularly for governments, militaries, and other high-risk targets.

The report concludes by urging organizations and individuals who are frequent targets of Russian cyber-operations—particularly those in Ukraine, Eastern Europe, and countries that share borders with Russia—to take immediate steps to secure their mobile devices. These include regular software updates, the use of secure communication channels, and increased vigilance against phishing attacks and malicious apps.

Related Posts:

Tags: androidAPT28APT29Cozy BearFancy BeariosMonokleSANDWORMturlaX-Agent