Google’s Threat Analysis Group team sheds light on the tactics deployed to target Ukrainians in the conflict between the country and Russia, highlighting in particular the development of a fake application called CyberAzov. As the researchers explain in a blog post, this app poses as a tool that allows a user to send Ddos-like attacks to Russian websites and services.
Distributed on a site in the colors of the Azov regiment, a Ukrainian regiment engaged in combat and frequently highlighted in the conflict, by one camp as by the other, this application promises to simplify the launching of Ddos attacks against the sites of the Russian government and invites opponents of the invasion of Ukraine to download it. The site also offers the possibility of making donations to support the project, in particular on a cryptocurrency wallet address. For the moment, this one does not display any transaction.
Fortunately, few downloads
But we must be wary of appearances: as revealed by the Google TAG team, the application’s functionalities are quite different. According to the researchers, the app’s functionality to launch DDoS attacks is flawed: “The app is being distributed under the guise of performing denial of service (DoS) attacks against a set of Russian websites. However, the “DoS” only consists of a single GET request to the target website, which is not enough to be effective” indicates the Google TAG blog post on the subject. Worse: according to The Verge, the application contains malicious software, detected by several antivirus software as Trojan-type malware.
Good news, however: the application was only distributed on a dedicated website, the link of which circulated on several messaging systems and in discussion groups. The application was therefore not offered on the official Android Google Play Store and the researchers estimate that the number of downloads remained minimal.
For Google TAG researchers, the authors of this application are linked to the Turla group, a group of cyberattackers suspected of working directly on behalf of the Russian intelligence services. Turla is a group that has been active since 2008 and whose activity is mainly focused on spying on targets within governmental or strategic organizations. According to Google TAG, the developers of Turla were inspired by a genuine initiative to prepare and distribute their booby-trapped application. In March 2022, the Stop War application offered its users to participate in the conflict by bombarding Russian sites with requests to put them offline. “Based on our analysis, we believe that the StopWar app was developed by pro-Ukrainian developers and was the inspiration on which Turla developers based their fake CyberAzov DoS app,” write Google analysts TAG .