Russia’s ‘Sandworm’ Hackers Also Targeted Android Phones

The Russian state-sponsored hackers known as Sandworm have launched some of the most aggressive and disruptive cyberattacks in history: intrusions that planted malware inside US electric utilities in 2014, operations that triggered blackouts in Ukraine—not once, but twice—and ultimately NotPetya, the most costly cyberattack ever. But according to Google, several of Sandworm’s quieter operations have gone unnoticed in recent years.

At the CyberwarCon conference in Arlington, Virginia today, Google security researchers Neel Mehta and Billy Leonard described a series of new details about Sandworm’s activities since 2017 that ranged from its role in targeting the French election to its attempt to disrupt the last Winter Olympics to—perhaps the most unlikely new example of Sandworm’s tactics—attempting to infect large numbers of Android phones with rogue apps. They even tried to compromise Android developers, in an attempt to taint their legitimate apps with malware.

The Google researchers say they wanted to call attention to the overlooked operations of Sandworm, a group that they argue hasn’t gotten as much mainstream attention as the linked Russian hacking group known as APT28 or Fancy Bear, despite the enormous scale of Sandworm’s damage in attacks like NotPetya and earlier operations in Ukraine. (Both APT28 and Sandworm are widely believed to be part of Russia’s military intelligence agency, the GRU.) “Sandworm has been just as effective for a long period of time, and caused significant damage on the CNA front,” Leonard told WIRED ahead of his CyberwarCon talk. CNA refers to a computer network attack, the sort of disruptive hacking distinguished from mere espionage or cybercrime. “But they’ve still had these long-running campaigns that have gone under the radar.”

Google’s investigation into Sandworm’s Android targeting began in late 2017, around the same time when, according to threat intelligence firm FireEye, the hacker group appears to have begun its campaign to disrupt the 2018 winter games in Pyeongchang, South Korea. Leonard and Mehta now say that in December 2017, they found that Sandworm’s hackers were also creating malicious versions of Korean-language Android apps—such as transit schedule, media, and finance software—adding their own malicious “wrapper” around those legitimate apps and uploading versions of them to the Google Play Store.

Google quickly removed those malicious apps from Play, but soon found that the same malicious code had been added two months earlier to a version of a Ukrainian mail app Ukr.net—which had also been uploaded to Google’s app store. “That had been their first foray into Android malware,” says Leonard. “As in the past, Sandworm was using Ukraine as a testing ground, a proving ground for new activities.”

Leonard and Mehta say that even including that earlier Ukrainian effort, Sandworm’s malicious apps infected fewer than 1,000 phones in total. They also aren’t sure what the malware was intended to do; the malicious code they saw was only a downloader, capable of serving as a “beachhead” for other malware components with unknown functionality. The ultimate goal could have ranged from espionage—hacking and leaking information, as the GRU has carried out against other Olympics-related targets like the Worldwide Anti-Doping Agency—to a data-destroying attack like the Olympic Destroyer malware that hit Pyeongchang.

In October and November 2018, Google says it saw Sandworm try another, somewhat more sophisticated attempt at compromising Android devices. This time the hackers went after Android developers, largely in Ukraine, using phishing emails and attachments laced with malware designed to exploit known Microsoft Office vulnerabilities and plant a common hacking framework known as Powershell Empire. In one case, Sandworm successfully compromised the developer of a Ukrainian history app, and used that access to push out a malicious update that resembled the Android malware Google had seen the year before. Google says no phones were infected this time, because it caught the change before it reached Google Play.

Mehta notes that aside from a new focus on Android and its developers, that software supply chain attack represents relatively fresh evidence that Sandworm remains fixated on Ukraine. “It keeps coming back to Ukraine, over and over again, and that’s a consistent theme here,” Mehta says.

Google’s researchers note also that several elements of Sandworm’s Android malware shares some characteristics with that used by Hacking Team, a hacker-for-hire firm. But they suspect that those Hacking Team features may have been a false flag added by Sandworm to throw off investigators, given that the Olympic Destroyer malware that the GRU deployed around the same time included an unprecedented level of misdirection pointing to both North Korea and China. “Most likely this is an attempt to confuse attribution, much like the code overlaps we saw in the Olympic Destroyer malware,” Leonard adds.

Android aside, the Google researchers point to other new details of Sandworm’s activities, some of which have been partially described by other security firms in recent years. They confirm, for instance, FireEye’s finding that Sandworm targeted the French elections in 2017, an operation that leaked 9 gigabytes of emails from the campaign of then-presidential candidate Emmanuel Macron. Some security firms have previously claimed that the other GRU hacking team, APT28, was responsible for that operation, while FireEye has pointed to a phishing message in the leaked Macron emails that linked to a known Sandworm domain.

illustration of a building and hands typing on a laptop

Google now says that both claims are correct: Both APT28 and Sandworm targeted Macron. Based on its visibility into email infrastructure, Google says that APT28 targeted the Macron campaign for weeks in the spring of 2017 before Sandworm took over on April 14, sending its own phishing emails as well as malicious attachments—some of which, according to Google, successfully compromised the campaign’s emails, which were leaked just ahead of the May 2017 election. (The Google accounts involved in that French election hacking helped the company later identify Sandworm as the culprit behind its Android malware, although Google declined to explain in more detail how it made that connection.)

Google says that it also tracked one of the more mysterious campaigns in Sandworm’s history, one that targeted Russians in the spring and summer of 2018. Those victims included Russian automotive-selling businesses, as well as real estate and finance firms. The domestic hacking remains a puzzling contradiction, given Sandworm’s widely acknowledged pedigree as a GRU team; Google declined to speculate on the motivations.

But it also pointed to more expected—and ongoing—operations that continue to target Sandworm’s usual victim: Ukraine. Starting in late 2018 and well into today, the researchers say Sandworm has compromised Ukrainian websites related to religious organizations, government, sports, and media, and caused them to redirect to phishing pages.

The goal of that indiscriminate credential harvesting campaign is a mystery, for now. But given Sandworm’s history of massive disruption—in Ukraine and elsewhere—it remains a threat worth watching.


When you buy something using the retail links in our stories, we may earn a small affiliate commission. Read more about how this works.


More Great WIRED Stories

Read More