Cyberwarfare just got a new battlefield: the Ukrainian army’s pockets!
As Kyiv and Moscow engage in renewed hostilities and fire dozens of missiles every day across the border, the cyber realm is heating up too. Attackers posing as legitimate sources lured Ukrainian military personnel into downloading malware-laden fake military apps, aiming to steal authentication credentials and GPS coordinates from soldiers’ phones—a move that could have endangered lives on the battlefield.
The Ukrainian Computer Emergency Response Team (CERT-UA), in collaboration with key military units, identified and neutralized two cyberattacks designed to infiltrate mobile devices of military servicemen. The attackers distributed fraudulent links disguised as legitimate apps for critical military systems, including the AI-based GRISELDA system and the military tracking system known as “Eyes.”
Weaponized Apps as Attack Vectors
Hackers have evolved, shifting from targeting networks to exploiting the very devices soldiers carry. In this case, attackers used Signal, a secure end-to-end encrypted messaging app, to distribute links mimicking the official websites of Ukrainian military systems. Once clicked, these links triggered downloads of malware, posing as mobile applications for GRISELDA and Eyes.
GRISELDA is an artificial intelligence-based system for information processing which the Ukraine uses to process battlefield information at lightning speed. The malicious link in this case led users to a fake website offering a supposed mobile version of the GRISELDA app, which in reality does not exist. What soldiers actually downloaded was HYDRA—a backdoor malware designed to steal data and remotely access the infected device. The malware could exfiltrate everything from authentication tokens to keystrokes.
Meanwhile, the Eyes system, a tool used for military tracking, became another target. Hackers modified its legitimate software, embedding malicious code capable of stealing login credentials and device GPS coordinates. This added another layer of danger—GPS location tracking could be used to identify and target soldiers in real time.
Why Mobile Devices Are Key Targets
Mobile devices are central to modern warfare, enabling soldiers to communicate and access mission-critical systems. State hackers recognize this and are focusing their attacks on smartphones, knowing that compromising a device can give them access to far more sensitive military information.
These devices are often used for accessing specialized military systems, which makes them a prime target for cyber espionage. Stealing GPS data or login credentials from these devices could allow attackers to track troop movements or even intercept classified communications. In a battlefield scenario, this could lead to devastating consequences, putting soldiers’ lives directly at risk.
Coordinated Response Mitigates Threats
CERT-UA worked closely with military unit A0334 and a joint response team from the Ministry of Defense and Armed Forces to investigate the cyberattacks. Their prompt identification and analysis of the attacks significantly reduced the probability of any long-term damage. They also enlisted the help of the private sector, including Google Cloud and Cloudflare, in neutralizing the cyber threats.
The ability to detect and respond to cyberattacks in real time was critical. CERT-UA and its partners moved swiftly, keeping the potential consequences of the attacks to a minimum.
The Role of AI and Malware in Cyberwarfare
The AI-powered GRISELDA system was a key target for hackers. AI systems like GRISELDA help military units process vast amounts of data quickly, making them essential tools in modern combat scenarios. But the same features that make these systems valuable also make them highly attractive targets for attackers.
In this case, the HYDRA backdoor malware served as the attack tool of choice. Once installed, HYDRA granted attackers access to session data, keystrokes, and more. The malware even allowed for the capture of HTTP cookies—small pieces of data used to maintain authentication between a user and a website—further exposing sensitive military data to theft.
For the Eyes tracking system, the attack was more subtle. Hackers modified the legitimate program by embedding a third-party Java class that enabled the app to steal GPS coordinates and login information. This small change could have been catastrophic had it gone undetected, potentially giving adversaries insight into troop movements.
Strengthening Mobile Device Security
The incident showcases the critical importance of mobile device security for military personnel. Soldiers rely on their phones for everything from communication to navigation, and even a single compromised device could lead to disastrous consequences.
To combat this, militaries must adopt comprehensive security measures tailored to mobile devices. This includes regular software updates, use of encryption, and restricting the installation of apps to trusted sources only. CERT-UA’s swift response is a strong example of the need for real-time detection and rapid action when a cyber threat is identified.
Military units should also be vigilant about phishing attacks, as this incident shows how social engineering tactics can be used to trick personnel into installing malware. By distributing malicious links through Signal, a commonly trusted secure messenger, the attackers played on the trust soldiers have in their communication tools.
Cyber Defense Lessons from Ukraine
Ukraine’s experience in countering these cyberattacks offers valuable lessons for other nations and their military organizations. Close cooperation between military cybersecurity teams, cloud infrastructure providers like Google Cloud, and private sector cybersecurity specialists proved to be an effective defense mechanism. This partnership ensured the timely mitigation of cyber threats and the safeguarding of sensitive military systems.
As warfare increasingly moves into the digital realm, military units worldwide must bolster their cybersecurity capabilities. The threat landscape is evolving rapidly, and cyberattacks targeting mobile devices are becoming more sophisticated. Nations can no longer afford to treat cybersecurity as an afterthought.
The threat is real—and it’s in the palm of your hand.
