Ukraine busts SIM farms targeting soldiers with spyware

Russia recruits local residents to support battlefield goals

Infrastructure that enabled two pro-Russia Ukraine residents to break into soldiers' devices and deploy spyware has been dismantled by the Security Service of Ukraine (SSU).

Thousands of mobile numbers and Telegram accounts were being run by what Ukrainian authorities are calling bot farms (which, judging by the images they shared, look an awful lot like SIM farms) and abused by Russian intelligence services.

In Zhytomyr, a city situated west of the country's capital Kyiv, a woman is said to have been under direct orders from Russia to operate the technology that supported more than 600 registered mobile numbers used for attacks on Ukraine's armed forces.

The farm was controlled using "specialized software" and sent phishing SMS messages to Ukrainian soldiers' devices containing links that when followed would lead to the deployment of spyware.

The revelation follows an earlier call from the country's computer emergency response team (CERT-UA) about soldiers' phones being targeted for spying campaigns.

It said soldiers were being targeted using a variety of social engineering tactics such as being sent a video of combat events and friend requests on social media platforms. The alert also briefly alluded to the use of dating sites.

If spyware was installed on a soldier's device, that would theoretically afford the controller access to data and communications being sent to and from the infected device, as well as potential tracking capabilities across the battlefield. The SSU didn't go into specific use cases, however.

The infrastructure, operated by an as-yet-unidentified woman paid in cryptocurrency for her troubles, was also used to spread pro-Kremlin propaganda seemingly from genuine Ukrainian citizens.

Separately, a 30-year-old resident of Dnipro was operating on a much grander scale, but seemingly not under direct orders from Russia.

The man was running a similar operation, but through nigh-on 15,000 social media accounts using SIM cards registered to Ukrainian mobile network operators. He was selling access to these accounts on dark web forums, so anyone could feasibly benefit, but his main customers were members of Russian intelligence, the SSU said.

According to what was shared by the SSU, only the Dnipro man has been detained. The woman has merely been notified that she is under suspicion of violating Article 361.5 of the Criminal Code of Ukraine – essentially the country's equivalent of the Computer Misuse Act. Investigations remain ongoing.

While the SSU was handling these alleged Kremlin facilitators, Kyiv police announced the nabbing of yet another suspected LockBit linchpin in Ukraine's capital.

The unidentified 28-year-old is believed to have played an important role in both the Conti and LockBit gangs over the years, using his programming skills to build the encryption payloads for two of the most prolific ransomware gangs to ever exist.

Under instruction from the Dutch Politie, local police cuffed the man in April in connection with two major attacks in the Netherlands and Belgium. However, if his role was as integral as the police say, he may be partly responsible for hundreds more incidents.

The alleged cybercriminal joins two generations of suspected LockBit affiliates in the clink after a father-son duo was arrested in February, around the same time Operation Cronos tried its hardest to bring down LockBit.

The org that international cops have claimed is led by suspect Dmitry Khoroshev still lives on today, but at a more limited capacity, according to the UK's National Crime Agency, which leads Operation Cronos. ®
