Russia-Linked DNC Hackers Used Android Malware to Track Ukrainian Military – Report

Rafia Shaikh

The hacking group allegedly linked to Russia used malware on Android phones to track Ukrainian artillery units and then target them, a new report released earlier today revealed. The same group was previously linked to the DNC hacks during the US presidential election.

The report, issued by cybersecurity firm CrowdStrike, said the hackers were able to access communications and geolocations of the targeted devices. This means the Ukrainian artillery could be fired on and destroyed based on their location.

Before the US election, the same security company had established the connection between the hacks on US political offices and a Russia-linked hacking group, well before the US intelligence agencies' assessment. The firm had "deployed this technology on every system within DNC's corporate network and were able to watch everything that the adversaries were doing while we were working on a full remediation plan to remove them from the network," Dmitri Alperovitch, CTO of CrowdStrike, had said earlier in the year.

Following the electronic trail, the firm then recognized the distinctive handiwork of Cozy Bear and Fancy Bear, two Russian hacking groups also known as APT 29 and APT 28, respectively. Some analysts have connected the hacking groups to the FSB, the KGB's successor.

Russia used the malware to track movements of artillery units - report

The Android malware was deployed by Fancy Bear inside a legitimate application used by the Ukrainian forces, and the trojanized copy was distributed through online military forums. The Ukrainian officer who designed the legitimate app said it reduced firing times from minutes to seconds. Fancy Bear hid the X-Agent malware inside this app, giving the implant access to phone communications, location data and contacts.
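One defensive check that follows directly from the description above: a fire-control calculator has no reason to read contacts, SMS or fine location, so a repackaged build that requests those permissions can be flagged by diffing its manifest against the known-good release. The script below is an added illustration, not code from the article, CrowdStrike or the Ukrainian app; both manifests are constructed samples, and the list of "sensitive" permissions is a hypothetical baseline chosen to match the capabilities the article attributes to X-Agent (communications, location, contacts).

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical baseline: permissions an artillery calculator should never need.
# Chosen to mirror the data the article says the implant could reach.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
}


def permissions_from_manifest(xml_text):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(xml_text)
    return {
        el.get(f"{{{ANDROID_NS}}}name")
        for el in root.iter("uses-permission")
        if el.get(f"{{{ANDROID_NS}}}name")
    }


def suspicious_permissions(baseline_xml, candidate_xml, sensitive=SENSITIVE):
    """Permissions present in the candidate build, absent from the known-good
    build, and on the sensitive list. Sorted so output is stable."""
    added = permissions_from_manifest(candidate_xml) - permissions_from_manifest(baseline_xml)
    return sorted(added & sensitive)


# Constructed sample: the legitimate calculator's manifest (not the real app's).
ORIGINAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.artillery.calc">
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Calc"/>
</manifest>
"""

# Constructed sample: a repackaged copy that quietly asks for more.
REPACKAGED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.artillery.calc">
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Calc"/>
</manifest>
"""


if __name__ == "__main__":
    for perm in suspicious_permissions(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST):
        print("unexpected sensitive permission:", perm)
```

The diff is deliberately against the known-good build rather than against an absolute allow-list: INTERNET is added here too, but it is a routine permission and is left to a human reviewer, whereas contacts, SMS and fine location on a calculator are the signal worth alerting on. In practice this check belongs next to a signing-certificate comparison, since a repackaged APK cannot carry the original developer's signature.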

The app was designed for use with the D-30 122mm towed howitzer, a 1960s Soviet-made artillery weapon still in use. CrowdStrike said that "open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine's arsenal." This higher-than-average loss suggests that data gained from the Android malware was used to target the artillery.

The report said the following about the X-Agent malware:

X-Agent is a cross-platform remote access toolkit; variants have been identified for various Windows operating systems, Apple's iOS, and likely the MacOS. Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade. CrowdStrike associates the use of X-Agent with an actor we call FANCY BEAR. This actor to date is the exclusive operator of the malware, and has continuously developed the platform for ongoing operations which CrowdStrike assesses is likely tied to Russian Military Intelligence (GRU). The source code to this malware has not been observed in the public domain and appears to have been developed uniquely by FANCY BEAR.

In the summer of this year, CrowdStrike started investigating the Android version of this malware, "which contained a number of Russian language artifacts that were military in nature". The trojan was covertly distributed from late 2014 through 2016 by Fancy Bear. In the war that broke out in spring 2014, Russia gave military backing to separatists fighting against Ukrainian forces in Eastern Ukraine.

The collection of such tactical artillery force positioning intelligence by FANCY BEAR further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU).

"A tool such as this has the potential ability to map out a unit's composition and hierarchy, determine their plans, and even triangulate their approximate location," the report added.

Today's report adds to the concerns that Russia is deploying cyber attacks as a tool of war. So far, at least three governments have accused Russia of deploying cyber attacks, with the UK calling it "increasingly aggressive" in cyberspace and the US intelligence agencies believing that Russia intervened in the election to help Donald Trump win. Russia has repeatedly denied these allegations, and Trump too has dismissed the US intelligence assessment.

However, the new allegations fuel suspicions that Russia has been using these hacking groups as part of its foreign policy. But these links are yet to be proved to the public, since even the security firm itself uses "likely" every time it associates the groups with Russia. CrowdStrike's Alperovitch has, however, promised to go live on January 4 to talk about why the security firm believes Fancy Bear is linked to the Russian military intelligence, GRU.

The report concluded that the Ukrainian hack "extends Russian cyber-capabilities to the frontlines of the battlefield".
