The Russian hacking crew controversially linked to hacks against the Democrat Party during the US election allegedly used Android malware to track Ukrainian artillery units from late 2014 until 2016, according to new research.
Threat intelligence firm CrowdStrike reckons that mobile malware was used to harvest communications and some locational data from infected devices. The operation provided intelligence in order to direct strikes against the artillery ranged against pro-Russian separatists fighting in eastern Ukraine.
The mobile malware used in the op is a variant of a remote access tool used against the Democratic National Committee, according to CrowdStrike. X-Agent, the cross-platform remote access toolkit in play in both ops, was developed by the "Fancy Bear" hacking group and used exclusively by them, according to the report.
This and other similarities have allowed CrowdStrike to link the Ukrainian hacking operation to Fancy Bear (APT 28), a hacking crew linked by US intelligence to GRU, Russia's military intelligence agency. The filename "Попр-Д30.apk" of a malicious Android app used to carry out the spying is linked to a legitimate application which was initially developed domestically within Ukraine by an officer of the 55th Artillery Brigade, according to CrowdStrike. The legitimate app provided a targeting guide to using the D-30 122mm towed howitzer, a Soviet-era artillery piece that’s still in service.
This is not something you’re going to find in regular app stores. More than 9,000 artillery personnel in the Ukrainian military used the application, according to the report. Fancy Bear’s X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application, according to CrowdStrike, which says the whole hacking op bears the hallmarks of a military operation.
Successful deployment of the Fancy Bear malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them.
"This cannot be a hands-off group or a bunch of criminals, they need to be in close communication with the Russian military," CrowdStrike co-founder Dmitri Alperovitch told Reuters. ®