Russia released a Ukrainian app for hacking Russia that was actually malware
Russian government hackers tried to trick Ukrainian and international volunteers into using a malicious Android app disguised as an app to launch Distributed Denial of Service (DDoS) attacks against Russian websites, according to new research published by Google on Tuesday.
Since the beginning of the Russian invasion, Ukraine has resisted not only on the ground, but also online. A loose collective of technologists and hackers has organized itself under an umbrella quasi-hacktivist organization called the IT Army, and it has launched constant and sustained cyber attacks against Russian websites.
The Russian government tried to turn this volunteer effort against its own participants in order to expose Ukrainian hackers, in a clever but ultimately unsuccessful operation.
“This is interesting and new, and [Russian government hackers] like testing the limits again, and trying to explore different things. The Russian groups are definitely keeping us on our toes,” Shane Huntley, the head of Google’s Threat Analysis Group research team, told Motherboard in a phone call.
Huntley said that in recent years Russian hackers have done hacks and leaks, supply chain hacks and now fake apps. “There’s this constant evolution of them not sitting on a particular path of attack but actually trying different things and evolving their techniques and seeing what works. Not all of their attempts work and not all of their approaches do, but there is significant innovation in the ways and things they try, and it almost looks like experimental thinking to me.”
Google researchers wrote in the report that the app was created by the hacker group known as Turla, which several cybersecurity companies believe works for the Kremlin. Huntley said they were able to attribute this operation to Turla because they have been tracking the group for a long time, have good visibility into its infrastructure, and were able to connect that infrastructure to this app.
The Russian Embassy in Washington DC did not respond to a request for comment.
The hackers posed as a “community of free people around the world fighting Russia’s aggression” – much like the IT Army. But the app they developed was actually malware. The hackers called it CyberAzov, referring to the Azov regiment or battalion, a far-right group that has become part of the National Guard of Ukraine. To add credibility to the ruse, they hosted the app on a domain that “spoofed” the Azov regiment: cyberazov[.]com.
Motherboard contacted the email address displayed on the malicious website, but received no response.
The app did not actually DDoS anything, but was designed to survey and find out who would want to use such an app to attack Russian websites, according to Huntley.
“Now that they have an app that they control, and they see where it came from, they can actually figure out what the infrastructure looks like, and figure out where the people who are potentially doing this type of attack are,” Huntley said.
Google said the fake app was not hosted on the Play Store and that the number of installs “was minimal.”
Nevertheless, it was a clever attempt to trick unwitting Ukrainians, or people interested in cooperating with Ukrainians, into falling into the trap.
“🤮 but smart. I felt like it couldn’t be real,” Marina Krotofil, a cybersecurity expert of Ukrainian origin, told Motherboard. “Making it makes perfect sense, it would be stupid not to. Everyone knows that the IT Cyber Army does DDoS on predetermined IPs, so many would believe. But it smells fake from a mile away.”