Monday, 09 December 2024
mozgy.in.ua

Gifted to scammers: What happened to the "Reserve+" app's support chat bot on Telegram?

On October 16, the State Special Communications Service reported that an account on the messaging platform Telegram, posing as the support service for the military application "Reserve+", was disseminating messages containing malicious software (malware). This information was later confirmed by the government response team CERT-UA.

This news could serve as yet another warning to citizens about the importance of adhering to cybersecurity rules. However, the Ministry of Defense has indeed implemented technical support for its application through messengers, particularly Telegram.

As a result, social media has sparked an active discussion about whether anyone could hack "Reserve+" or its Telegram chatbot, and who was sending messages with malicious software to Ukrainians.

Although a source familiar with the situation but not authorized to comment confirmed to EП that there was no hack of the "Reserve+" application, this story remains intriguing.


Technical Support in Telegram

After the updated mobilization law came into effect on May 18, 2024, conscripts were required to update their details within 60 days. This could be done in three ways, one of which was the "Reserve+" application developed by the Ministry of Defense (MoD), allowing users to update their information in the "Oberih" registry online. According to the MoD, by the end of August, over 1.8 million men had taken advantage of this opportunity.

The support service for the application was implemented via chatbots in Viber and Telegram, where users could submit requests regarding errors or inaccuracies in their data. In just the first week, technical support received over 13,000 such requests.

"We decided to reach out to users through channels convenient for them, including Telegram and Viber. We do not publish any sensitive data there – nothing that isn't already available on Facebook or the MoD's website. It’s 100% convenient," explained Kateryna Chernogorenko, Deputy Minister of Defense for Digital Development, Digital Transformation, and Digitization, to Forbes Ukraine.


However, over time, the MoD decided to discontinue the chatbot in Telegram. The link to it disappeared from the application as well. A source familiar with the situation confirmed to EП that the Telegram chatbot was deleted. When this happened and how long it had been operational remains unknown. The MoD ignored relevant questions from EП, stating that the chatbot is currently inactive and that the MoD is not communicating with users of "Reserve+" in Telegram.

The reason for stopping communication through the Telegram bot is also unclear. In September, the National Cybersecurity Coordination Center decided to restrict the use of this messenger in government bodies, military formations, and critical infrastructure facilities. Nonetheless, the choice of messenger during wartime is not only a matter of convenience but also of national security, so developers should carefully consider such decisions.

"Any information you send via Telegram goes to Russia. Data passing through chatbots is accessible to the messenger's Russian operators. It is hard to even imagine how the idea of creating technical support for the MoD's application during wartime in Telegram came about," says Nazar Tokar, head of the Kremlingram project.

Ultimately, even the MoD's decision to remove the Telegram chatbot played a cruel joke on the team.

A vacant space is never truly empty

After the official Telegram chatbot was deleted, its username became available for any other user to claim. CERT-UA informed EП that the name @reserveplusbot was exploited by malicious actors to impersonate the Telegram support bot for the "Reserve+" application.

"When the team decided to leave Telegram, they should have stopped using the chatbot instead of deleting it, keeping the URL under their control. By deleting the bot, they opened the door for anyone to register with that username and use it at their discretion," says Tokar.

It is currently unknown who used the hyperlink to the once-official chatbot to conduct a phishing attack. CERT-UA adds that this is not the first instance of malicious actors utilizing the names of official government accounts for their purposes. A similar incident occurred with the "eEnemy" chatbot.

"Malicious actors created user accounts and chatbots with similar or identical names to confuse people and redirect crucial military information about enemy equipment to fake accounts," the agency states.


Moreover, EП is aware that the "Reserve+" team has repeatedly reached out to Telegram representatives about the fake account, but their requests have gone unanswered. Telegram ignoring official moderation requests is nothing new.

Telegram still lacks clear criteria for blocking users, which is why law enforcement agencies from various countries send corresponding requests to the company’s headquarters, making moderation appear selective.

CERT-UA informed EП that on October 16, the account @reserveplusbot was deleted and marked as fake. At the time of publication, there is another chatbot in Telegram named "ReservePlusBot" with the username @ReservePlusRealBot. It remains unclear who created it and to whom it belongs.

Stolen data and victims

Impersonating representatives of "Reserve+", fraudsters sent messages urging recipients to install special software. The email included a file named RESERVPLUS.zip. This archive contained an installer that, upon execution, downloaded the file "install.exe". This file infected the computer with the Meduza Stealer malware.

The files in the archive were assembled between October 10 and 15, while the malware itself first appeared on dark-web forums and Telegram channels in June 2023.

Uptycs, a cybersecurity company, assessed Meduza Stealer in 2023. According to their report, this virus can steal personal data from devices, analyze user activity in browsers, and conduct attacks based on the collected information.

For each attack, the malefactors can configure the malware to steal specific data. The fake support account for "Reserve+" was set up to steal files with the following extensions: .txt, .doc, .docx, .pdf, .xls, .xlsx, .log, .db, .sqlite.

"The malware targeted the theft of documents and program service data, including history, settings, and event logs of the program. The virus primarily affected computers running the Windows operating system," explains Trokhym Babych, Deputy Dean of the Faculty of Computer Science at the National University of Kyiv-Mohyla Academy.

The Institute for Cyberwarfare Research (ICWR) added that the malware employs methods to evade antivirus software, such as adding its own paths to Microsoft Defender's exclusions, which complicates its detection.
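As an added defensive example that is not from the article or from any organization it quotes: when a program adds itself to Defender's exclusions, Defender records a configuration-change event (event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log) whose message names the changed registry value. The Python below parses constructed messages in that shape and flags exclusion additions, rating those under user-writable directories or naming an executable as high severity; the sample lines are constructed, not telemetry from the incident.

```python
import re
from dataclasses import dataclass

# Constructed sample messages in the shape of Defender event ID 5007
# ("configuration has changed"); not real logs from the incident.
SAMPLE_5007_EVENTS = [
    "Microsoft Defender Antivirus Configuration has changed. "
    "Old value:  New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    "C:\\Users\\victim\\AppData\\Local\\Temp\\install.exe = 0x0",
    "Microsoft Defender Antivirus Configuration has changed. "
    "Old value:  New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    "C:\\Program Files\\VendorBackup = 0x0",
    # A 5007 event that is not an exclusion change; must be ignored.
    "Microsoft Defender Antivirus Configuration has changed. "
    "Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    "DisableRealtimeMonitoring = 0x0 New value: ...",
]

# Matches an added exclusion: the value appears under the Exclusions key
# with "= 0x0" in the "New value" half of the message.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)

# Locations legitimate software rarely needs excluded but stealers drop into.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")


@dataclass
class ExclusionAlert:
    kind: str
    value: str
    severity: str


def classify(kind: str, value: str) -> str:
    """High severity for path exclusions in user-writable dirs or naming an .exe."""
    v = value.lower()
    if kind.lower() == "paths" and (any(m in v for m in USER_WRITABLE) or v.endswith(".exe")):
        return "high"
    return "medium"


def find_exclusion_additions(messages):
    """Return one alert per 5007 message that records a new Defender exclusion."""
    alerts = []
    for msg in messages:
        m = EXCLUSION_RE.search(msg)
        if m:
            alerts.append(ExclusionAlert(m["kind"], m["value"], classify(m["kind"], m["value"])))
    return alerts
```

On a live host the same messages can be pulled from the Defender operational log and fed to `find_exclusion_additions`.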


It remains unclear how the hackers decided whom to send the messages with the malicious software to. One possibility is that they used previously leaked data of Ukrainians that is available online.

In June, the FBI announced the search for 22-year-old Russian hacker Amin Stigal of Chechen descent. The document from the U.S. District Court in Maryland states that after an attack preceding the large-scale war, hackers, including Stigal, put up for sale the data of 13.5 million users of the Diia.gov.ua website for $80,000. The Ministry of Digital Transformation denied this information, calling the data a compilation from various sources.

The motives of the malicious actors remain unknown. "One theory could be an attempt to undermine citizens' trust in the 'Reserve+' application, which would undoubtedly benefit our enemy," explains Babych.

We cannot rule out attempts to obtain data on conscripted Ukrainians. "The malefactors were likely trying to gain access to sensitive user information that could be used for financial fraud or identity theft. They sought to simplify the infection process by using a well-known communication channel to increase their chances of success," the ICWR explains.

In Conclusion

Currently, it is impossible to assess the damage caused by the