Russian Hackers Weaponize Cloudflare to Target Ukrainian Military with Fake Army+ App

The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a sophisticated cyber attack targeting military personnel through a fraudulent version of Army+, a legitimate paperless military application launched by Ukraine’s Ministry of Defence in August 2024.

The threat actor, tracked as UAC-0125, is linked to Sandworm (APT44), the cluster attributed to Russia's military intelligence service, the GRU. It is abusing Cloudflare Workers, Cloudflare's legitimate serverless hosting platform, to stage pages that serve malware-infected versions of the Army+ application.

Technical Analysis:
– The malware is distributed as a Windows executable built with the Nullsoft Scriptable Install System (NSIS)
– On execution it runs a PowerShell script that:
  – Installs OpenSSH
  – Generates an RSA key pair on the victim
  – Appends the public key to the authorized_keys file, so the host will accept logins made with the matching private key
  – Sends the private key to attacker-controlled infrastructure over the Tor network
– The result is unauthorized remote SSH access to the infected system for whoever holds the exfiltrated private key; Tor hides where that key was sent
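The chain above is easy to hunt for because each stage leaves host telemetry. The following detection logic is an added example, not code from CERT-UA or the article: it correlates Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create) per host and flags a host only when several stages fire inside one short window, since an OpenSSH install or an authorized_keys write on its own is ordinary administrator work. The field names, the 10-minute window, the three-stage threshold and the sample events are all assumptions constructed for the example. One check worth keeping in mind on Windows: for members of the Administrators group, the OpenSSH server reads %ProgramData%\ssh\administrators_authorized_keys rather than the per-user .ssh\authorized_keys, so both paths must be watched.

```python
"""Hunt for the OpenSSH-backdoor chain described above in endpoint telemetry.

Added example, not code from CERT-UA or the original article. Assumptions:
events are Sysmon-style JSON lines with fields UtcTime, Computer, Image,
CommandLine, TargetFilename and DestinationPort; the 10-minute window and the
three-stage threshold are tuning choices, not values from the report.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_CREATE, NETWORK_CONNECT, FILE_CREATE = 1, 3, 11
WINDOW = timedelta(minutes=10)  # assumption: the dropper runs the whole chain quickly

# One entry per stage of the chain: (stage name, Sysmon event id, predicate).
INDICATORS = [
    # Stage 1: OpenSSH server installed as a Windows optional capability.
    ("openssh_install", PROCESS_CREATE,
     lambda e: re.search(r"Add-WindowsCapability.*OpenSSH\.Server",
                         e.get("CommandLine", ""), re.I) is not None),
    # Stage 2: an RSA key pair is generated on the victim.
    ("ssh_keygen", PROCESS_CREATE,
     lambda e: e.get("Image", "").lower().endswith("ssh-keygen.exe")),
    # Stage 3: the public key is written to authorized_keys. This suffix also
    # covers %ProgramData%\ssh\administrators_authorized_keys.
    ("authorized_keys_write", FILE_CREATE,
     lambda e: e.get("TargetFilename", "").lower().endswith("authorized_keys")),
    # Stage 4: the SSH daemon is started to accept the attacker's login.
    ("sshd_started", PROCESS_CREATE,
     lambda e: e.get("Image", "").lower().endswith("sshd.exe")),
    # Stage 5: the private key leaves the host over Tor (tor.exe or common OR ports).
    ("tor_egress", NETWORK_CONNECT,
     lambda e: e.get("Image", "").lower().endswith("tor.exe")
               or e.get("DestinationPort") in (9001, 9030, 9050, 9150)),
]


def parse_events(lines):
    """Decode JSON lines and sort by time; the UtcTime format is an assumption."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["_ts"] = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return sorted(events, key=lambda e: e["_ts"])


def tag_indicators(events):
    """Yield (timestamp, host, stage) for each event matching a stage."""
    for e in events:
        for stage, event_id, matches in INDICATORS:
            if e.get("EventID") == event_id and matches(e):
                yield e["_ts"], e["Computer"], stage


def detect_ssh_backdoor(lines, min_stages=3):
    """Return {host: sorted stages} for hosts where at least min_stages distinct
    stages fire inside one WINDOW. The combination, not any single stage, is
    the signal."""
    per_host = defaultdict(list)
    for ts, host, stage in tag_indicators(parse_events(lines)):
        per_host[host].append((ts, stage))
    findings = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= WINDOW}
            if len(stages) >= min_stages:
                findings[host] = sorted(stages)
                break
    return findings


# Constructed sample telemetry: WS-01 shows the full chain, WS-02 only a
# benign authorized_keys edit by an administrator.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "UtcTime": "2024-12-17 10:00:01", "Computer": "WS-01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -ep bypass -c Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"}',
    r'{"EventID": 1, "UtcTime": "2024-12-17 10:00:40", "Computer": "WS-01", "Image": "C:\\Windows\\System32\\OpenSSH\\ssh-keygen.exe", "CommandLine": "ssh-keygen.exe -t rsa -N \"\" -f C:\\Users\\Public\\id_rsa"}',
    r'{"EventID": 11, "UtcTime": "2024-12-17 10:00:41", "Computer": "WS-01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetFilename": "C:\\ProgramData\\ssh\\administrators_authorized_keys"}',
    r'{"EventID": 1, "UtcTime": "2024-12-17 10:00:45", "Computer": "WS-01", "Image": "C:\\Windows\\System32\\OpenSSH\\sshd.exe", "CommandLine": "sshd.exe"}',
    r'{"EventID": 3, "UtcTime": "2024-12-17 10:01:10", "Computer": "WS-01", "Image": "C:\\Users\\Public\\tor.exe", "DestinationPort": 9001}',
    r'{"EventID": 11, "UtcTime": "2024-12-17 09:15:00", "Computer": "WS-02", "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\admin\\.ssh\\authorized_keys"}',
    r'{"EventID": 1, "UtcTime": "2024-12-17 09:16:00", "Computer": "WS-02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Get-Service sshd"}',
]

if __name__ == "__main__":
    for host, stages in detect_ssh_backdoor(SAMPLE_EVENTS).items():
        print(f"{host}: suspected SSH backdoor, stages seen: {', '.join(stages)}")
```

Running it flags WS-01 with all five stages and stays silent on WS-02. Lowering min_stages to 1 turns the same logic into a noisy inventory of authorized_keys edits, which is a useful baseline to build before tuning the threshold for a real fleet.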

Broader Threat Landscape:
Recent data shows significant increases in abuse of Cloudflare's free hosting services for phishing:
– Phishing sites hosted on Cloudflare Pages: up 198% (460 in 2023 to 1,370 by mid-2024)
– Phishing sites hosted on Cloudflare Workers: up 104% (2,447 in 2023 to 4,999 in 2024)

Separately, the Council of the European Union has imposed sanctions on:
– GRU Unit 29155
– Russian disinformation networks including Doppelganger
– Key individuals involved in cyber operations and influence campaigns

This campaign represents an ongoing effort to compromise Ukrainian military infrastructure through sophisticated cyber warfare techniques.