Ukrainian military units fighting Russian-backed insurgents in eastern Ukraine have been compromised by a Trojanised targeting app, running on their Android smartphones, which their own commanders encouraged them to side-load for use in the field.
The malware was used, either by Russian military intelligence or by the rebels, to track Ukrainian artillery deployments, exposing them to highly targeted counter-attacks. According to some reports, more than half of Ukraine’s artillery has been captured or destroyed during the two or so years that the war has raged.
The app was developed in Ukraine to help crews manning Soviet-era D-30 howitzers cut the time needed to target the outdated artillery from minutes to seconds.
That is the claim of CrowdStrike co-founder Dmitri Alperovitch, who has linked the malware found on the Android smartphones of Ukrainian military personnel with the same ‘Fancy Bear’ group of hackers that, he claims, were behind attacks on the US Democratic National Committee.
A legitimate app to help crews reduce targeting time from minutes to seconds had been developed by the Ukrainian military and shown off on Ukrainian television by Yaroslav Sherstuk, an officer of the 55th Artillery Brigade.
However, because the app wasn’t available for download via the usual channels, Alperovitch claims that hackers linked to the Russian military downloaded the app, Trojanised it and re-uploaded it to bulletin boards.
“Late in the summer of 2016, CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named ‘Попр-Д30.apk’ (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature,” claimed Adam Meyers, vice president for intelligence at CrowdStrike in a research note released today.
He continued: “Initial research identified that the filename suggested a relationship to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s, but still in use today.
“In-depth reverse engineering revealed the APK contained an Android variant of X-Agent, the command and control protocol was closely linked to observed Windows variants of X-Agent, and utilised a cryptographic algorithm called RC4 with a very similar 50 byte base key.”
X-Agent is a cross-platform remote access toolkit that runs on Windows and Apple’s iOS and MacOS operating systems, as well as Android.
“Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade; CrowdStrike associates the use of X-Agent with an actor we call Fancy Bear,” he added.
“Successful deployment of the Fancy Bear malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross-locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them.”
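The CrowdStrike findings quoted above give a defender two concrete hooks for triaging a suspicious side-loaded APK: the published MD5 of the sample and the presence of Russian-language artifacts inside the package. The script below is an added example, not CrowdStrike's tooling or anything from the report; the only real value in it is the MD5 quoted in the article, and the sample APK it builds (a zip with Android's layout, Cyrillic entry name and strings) is constructed for the example, not taken from the real malware.

```python
"""Offline triage for a suspicious Android APK: hash it against a known IoC and
surface Cyrillic artifacts in entry names and embedded strings.
Added example; not CrowdStrike's tooling. Only the MD5 below is from the report."""
import hashlib
import io
import re
import zipfile

# IoC quoted in the CrowdStrike note: MD5 of the 'Попр-Д30.apk' sample.
KNOWN_BAD_MD5 = {"6f7523d3019fa190499f327211e01fcb"}

# A Cyrillic letter followed by at least two Cyrillic letters, digits, spaces,
# dots or hyphens: enough to catch names like 'Попр-Д30' without matching noise.
CYRILLIC_RUN = re.compile(r"[\u0400-\u04FF][\u0400-\u04FF .\-\d]{2,}")


def file_hashes(data: bytes) -> dict:
    """MD5 (to compare with the published IoC) and SHA-256 (for current blocklists)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def is_known_bad(md5_hex: str) -> bool:
    """Case-insensitive lookup of an MD5 against the IoC set."""
    return md5_hex.lower() in KNOWN_BAD_MD5


def cyrillic_artifacts(data: bytes) -> dict:
    """Zip entry names and embedded strings that contain Cyrillic runs.
    Heuristic: DEX and resource files store strings as (M)UTF-8, so a lossy
    UTF-8 decode of each entry still exposes them; binary noise is dropped."""
    names, strings = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            if CYRILLIC_RUN.search(info.filename):
                names.append(info.filename)
            text = apk.read(info).decode("utf-8", errors="ignore")
            strings.extend(m.group(0).strip() for m in CYRILLIC_RUN.finditer(text))
    return {"entry_names": names, "strings": sorted(set(strings))}


def triage_apk(data: bytes) -> dict:
    """Combine the hash check and the artifact scan into one triage record."""
    hashes = file_hashes(data)
    result = {"hashes": hashes, "known_bad": is_known_bad(hashes["md5"])}
    result.update(cyrillic_artifacts(data))
    return result


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK (a zip using Android's layout).
    Names and contents are invented for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest package='example.app'/>")
        # Fake DEX header followed by a UTF-8 string and some binary noise.
        z.writestr("classes.dex",
                   b"dex\n035\0" + "Расчёт для Д-30".encode() + b"\0\xff\xfe")
        z.writestr("res/raw/Попр-Д30.txt", "Версия 1.0")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage on a real file would be: triage_apk(open(path, "rb").read())
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

The hash match is the high-confidence signal; the Cyrillic scan is deliberately loose and is only there to flag a package for a human to look at, since legitimate Ukrainian-built software will also carry Cyrillic strings, as the original app did.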
CrowdStrike, which linked the Fancy Bear group with the attack on the US Democratic National Committee, believes that the group is affiliated with Russian military intelligence and works closely with Russian military forces operating in eastern Ukraine and its border regions in Russia.