Android Malware Helped Russian Hackers Track Ukrainian Military

Russian hackers have been actively tracking Ukrainian artillery units using a malware implant on Android devices.

That is the claim made by cyber security specialists CrowdStrike, which said that the Russian hacking group known as Fancy Bear or APT 28 is closely associated with the GRU, Russia’s military intelligence agency.

This is the group that is responsible for hacking the US’ Democratic National Committee (DNC), and the hacking of the systems belonging to the World Anti-Doping Agency (WADA) in 2015.

Deadly Malware

CrowdStrike said that the Fancy Bear hackers had developed an implant commonly called X-Agent, which it has been tracking for some time. “X-Agent is a cross platform remote access toolkit; variants have been identified for various Windows operating systems, Apple’s iOS, and likely the MacOS,” said the security firm.

CrowdStrike said that in the summer of this year its intelligence analysts began investigating a curious Android package (APK) which contained a number of Russian language artifacts that were military in nature, specifically related to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s and still in use today.

CrowdStrike then reverse-engineered the Android package and discovered it contained an Android variant of X-Agent. It found the malicious package had been bundled with a legitimate Android application, initially developed within Ukraine by an officer of the 55th Artillery Brigade.
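The technique described here, an implant hidden inside a copy of a legitimate app, is something a defender can check for without any reverse engineering, because an APK is a ZIP archive and a repackaged build necessarily differs from the developer's original: it carries changed or extra code and has to be re-signed with a different key. The following Python is an added example (not CrowdStrike's tooling, and not code from the original article) that inventories two APK-shaped archives and reports added, removed or changed entries and whether the signature block changed. Both archives, their file names and their contents are constructed sample data; real APKs contain a binary AndroidManifest.xml, compiled dex and a full v1/v2 signature scheme, and the hash of the META-INF signature block is used here only as a stand-in for comparing the signing certificate itself.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature block file extensions found under META-INF/
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def build_apk(entries):
    """Build a minimal APK-shaped ZIP in memory from {name: bytes}.

    Constructed sample data only; it stands in for a real build.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inventory(apk_bytes):
    """Map every file entry in the archive to the SHA-256 of its content."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            result[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return result


def signature_block_digest(apk_bytes):
    """Digest over the v1 signature block(s) under META-INF/, or None if unsigned.

    A repackaged app must be re-signed, so a changed block is a strong signal.
    In real triage compare the certificate digest printed by
    `apksigner verify --print-certs` against the developer's published one.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        blocks = sorted(
            n for n in zf.namelist()
            if n.startswith("META-INF/") and n.upper().endswith(SIG_BLOCK_SUFFIXES)
        )
        h = hashlib.sha256()
        for n in blocks:
            h.update(n.encode())
            h.update(zf.read(n))
    return h.hexdigest() if blocks else None


def compare_to_baseline(baseline_apk, candidate_apk):
    """Report what a candidate APK adds, removes or changes versus a known-good build."""
    base = inventory(baseline_apk)
    cand = inventory(candidate_apk)
    added = sorted(set(cand) - set(base))
    removed = sorted(set(base) - set(cand))
    changed = sorted(n for n in base.keys() & cand.keys() if base[n] != cand[n])
    resigned = signature_block_digest(baseline_apk) != signature_block_digest(candidate_apk)
    # New or altered executable content (dex bytecode, native libraries) is what
    # an implant bundled into a legitimate app shows up as.
    suspicious_code = [n for n in added + changed
                       if n.endswith(".dex") or n.startswith("lib/")]
    if not (added or removed or changed or resigned):
        verdict = "matches baseline"
    elif resigned or suspicious_code:
        verdict = "repackaged"
    else:
        verdict = "differs (no code or signer change)"
    return {"added": added, "removed": removed, "changed": changed,
            "resigned": resigned, "suspicious_code": suspicious_code,
            "verdict": verdict}


# Constructed samples: the developer's build and a re-signed copy with extra code.
GENUINE_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.artillery.calc'/>",
    "classes.dex": b"dex\n035\x00 genuine app bytecode",
    "res/layout/main.xml": b"<layout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.RSA": b"constructed signature block: developer key",
})
TROJANIZED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.artillery.calc'/>",
    "classes.dex": b"dex\n035\x00 genuine app bytecode + loader stub",
    "classes2.dex": b"dex\n035\x00 constructed extra bytecode",
    "res/layout/main.xml": b"<layout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: classes2.dex\n",
    "META-INF/CERT.RSA": b"constructed signature block: attacker key",
})

if __name__ == "__main__":
    for label, apk in (("genuine", GENUINE_APK), ("trojanized", TROJANIZED_APK)):
        print(label, compare_to_baseline(GENUINE_APK, apk))
```

The baseline must come from a trusted source (the developer's signed release, not a copy downloaded from the same forum), and because the comparison is by content hash it flags a recompiled `classes.dex` even when the app's visible behaviour is unchanged, which is exactly the case the article describes.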

This application is reported to be used by 9,000 Ukrainian artillery personnel, as it reduces the time it takes to fire the D-30 from minutes to seconds.

“From late 2014 and through 2016, the Fancy Bear X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk,” said CrowdStrike.

CrowdStrike added that this implant successfully enabled reconnaissance against Ukrainian troops.

“The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them,” said CrowdStrike. “Open source reporting indicates that Ukrainian artillery forces have lost over 50 percent of their weapons in the 2 years of conflict and over 80 percent of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal.”

Russian Aggression

Ukraine has been fighting pro-Russian separatists in eastern Ukraine, after Russian forces invaded and annexed Crimea in 2014.

Crimea then held a highly controversial referendum in which it voted to leave Ukraine and join Russia.

Earlier this week Ukraine said that it had begun an investigation after a suspected cyber attack at the weekend left the northern part of Kiev without power. Suspicion falls on Russia because of previous attacks on Ukrainian power grids.

In December 2015 an attack left parts of western Ukraine, including regional capital Ivano-Frankivsk, without power for almost six hours.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
