9 August 2023

Ukraine thwarts Sandworm attack targeting military systems


Ukraine’s security services have foiled an attempt by Russian state-backed hackers to compromise the combat data exchange system of the Armed Forces of Ukraine.

The Security Service of Ukraine (SSU) has attributed the attacks to Sandworm, a threat actor linked to military unit 74455, a cyberespionage unit of Russia's military intelligence service.

The group is believed to be behind the December 2015 Ukraine power grid cyberattack, the 2017 cyberattacks on Ukraine using the NotPetya malware, various interference efforts in the 2017 French presidential election, and the cyberattack on the 2018 Winter Olympics opening ceremony. Since the beginning of Russia’s invasion of Ukraine in February 2022, the team has launched multiple attacks against Ukrainian entities using destructive malware and ransomware.

According to a technical report released by the SSU, in the recent attacks, the group attempted to infect Ukraine’s military network with nearly ten variants of custom malware ranging from Android remote access trojans and Mirai variants to backdoors designed to collect data from Ukraine's Starlink satellite connections. The agency noted that Russia’s preparation for this attack was “long and thorough.”

The goal of the operation was to gather intelligence on the Ukrainian military's operations, technical provisions and movements. The attackers intended to achieve this by capturing tablets used by the Ukrainian military on the battlefield; through these tablets the threat actor wanted to gain access to other connected devices and infect them with malware.

Last week, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new information-stealing campaign targeting Ukraine’s government entities with the MerlinAgent malware.

