
Kremlin-backed hackers have new Windows and Android malware to foist on Ukrainian foes

Google researchers said they uncovered a Kremlin-backed operation targeting recruits for the Ukrainian military with information-stealing malware for Windows and Android devices.

The malware, spread primarily through posts on Telegram, came from a persona on that platform known as "Civil Defense." Posts on the @civildefense_com_ua Telegram channel and the accompanying civildefense[.]com.ua website claimed to provide potential conscripts with free software for finding user-sourced locations of Ukrainian military recruiters. In fact, the software, available for both Windows and Android, installed infostealers. Google tracks the Kremlin-aligned threat group as UNC5812.

Dual espionage and influence campaign

"The ultimate aim of the campaign is to have victims navigate to the UNC5812-controlled 'Civil Defense' website, which advertises several different software programs for different operating systems," Google researchers wrote. "When installed, these programs result in the download of various commodity malware families."


Removal of Russian coders spurs debate about Linux kernel’s politics

"Remove some entries due to various compliance requirements. They can come back in the future if sufficient documentation is provided."

That two-line comment, submitted by major Linux kernel maintainer Greg Kroah-Hartman, accompanied a patch that removed about a dozen names from the kernel's MAINTAINERS file. "Some entries" notably had either Russian names or .ru email addresses. "Various compliance requirements" was, in this case, sanctions against Russia and Russian companies, stemming from that country's invasion of Ukraine.

This merge did not go unnoticed. Replies on the kernel mailing list asked about this "very vague" patch. Kernel developer James Bottomley wrote that "we" (seemingly speaking for Linux maintainers) had "actual advice" from Linux Foundation counsel. Employees of companies on the Treasury Department's Office of Foreign Assets Control list of Specially Designated Nationals and Blocked Persons (OFAC SDN), or connected to them, will have their collaborations "subject to restrictions," and "cannot be in the MAINTAINERS file." "Sufficient documentation" would mean evidence that someone does not work for an OFAC SDN entity, Bottomley wrote.
