Android Malware Helped Russian Hackers Track Ukrainian Military

Russian hackers have been actively tracking Ukrainian artillery units using a malware implant on Android devices.

That is the claim made by cyber security specialists Crowdstrike, which said that the Russian hacking group known as Fancy Bear or APT28 is closely associated with the GRU, Russia’s military intelligence agency.

This is the group that is held responsible for hacking the US Democratic National Committee (DNC), and for the hacking of systems belonging to the World Anti-Doping Agency (WADA) in 2015.

Deadly Malware

Crowdstrike said that the Fancy Bear hackers had developed an implant commonly called X-Agent, which it has been tracking for some time. “X-Agent is a cross platform remote access toolkit, variants have been identified for various Windows operating systems, Apple’s iOS, and likely the MacOS,” said the security firm.

Crowdstrike said that in the summer of this year its intelligence analysts began investigating a curious Android Package which contained a number of Russian language artifacts that were military in nature, specifically related to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s and still in use today.

Crowdstrike then reverse engineered the Android Package and discovered it contained an Android variant of X-Agent. It found the Android Package was linked to a legitimate Android application which was initially developed domestically within Ukraine by an officer of the 55th Artillery Brigade.
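The trojanized package described above was a legitimate app with the implant bolted on. One routine defender check for that pattern is to diff a suspect APK against a known-good build of the same app, entry by entry, since an APK is an ordinary ZIP archive. The following is an added example written for this article, not Crowdstrike's tooling or anything taken from the page; the two APKs and their contents are constructed in-memory stand-ins (real APKs carry binary-XML manifests and real signing blocks), and the function names are the example's own.

```python
"""Detect a repackaged APK by diffing its entries against a known-good build."""
import hashlib
import io
import zipfile


def entry_digests(apk_bytes: bytes) -> dict[str, str]:
    """Map every file entry in an APK (a ZIP archive) to the SHA-256 of its content."""
    digests: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_apks(reference: bytes, candidate: bytes) -> dict[str, list[str]]:
    """Report entries that were added, removed or modified relative to the reference build.

    A repackaged app typically shows extra code (e.g. an added classes2.dex), a
    modified manifest (new permissions, services or receivers) and a different
    signing block, because the repackager cannot reproduce the original
    developer's signature.
    """
    ref = entry_digests(reference)
    cand = entry_digests(candidate)
    return {
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "modified": sorted(n for n in set(ref) & set(cand) if ref[n] != cand[n]),
    }


def is_repackaged(report: dict[str, list[str]]) -> bool:
    """True if anything at all differs from the reference build."""
    return any(report.values())


def build_apk(entries: dict[str, bytes]) -> bytes:
    """Build a minimal ZIP in memory to stand in for an APK (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures: a "known-good" build and a repackaged copy of it.
# Contents are placeholders; real entries would be binary XML, DEX and PKCS#7 data.
LEGIT_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.artillery'/>",
    "classes.dex": b"dex\n035 original app code",
    "META-INF/CERT.RSA": b"developer signing block",
})

TROJANIZED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.artillery'><uses-permission .../></manifest>",
    "classes.dex": b"dex\n035 original app code",
    "classes2.dex": b"dex\n035 injected implant code",
    "META-INF/CERT.RSA": b"re-signed by someone else",
})


if __name__ == "__main__":
    report = diff_apks(LEGIT_APK, TROJANIZED_APK)
    for kind, names in report.items():
        print(f"{kind:9}: {names}")
    print("repackaged:", is_repackaged(report))
```

In practice the reference build comes from the developer's own distribution channel, and the comparison is done on the signing certificate first: a changed signer is the cheapest and most reliable signal that a package from a forum or third-party site is not the original.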

This application is reported to be used by 9,000 Ukrainian artillery personnel as it reduces the time it takes to fire the D-30 from minutes to seconds.

“From late 2014 and through 2016, Fancy Bear X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk,” said Crowdstrike.

Crowdstrike said that the implant successfully enabled reconnaissance against Ukrainian troops.

“The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them,” said Crowdstrike. “Open source reporting indicates that Ukrainian artillery forces have lost over 50 percent of their weapons in the 2 years of conflict and over 80 percent of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal.”

Russian Aggression

Ukraine has been fighting pro-Russian separatists in eastern Ukraine, after Russian forces invaded and annexed Crimea in 2014.

The region then held a highly controversial referendum in which it voted to leave Ukraine and join Russia.

Earlier this week Ukraine said that it had begun an investigation after a suspected cyber attack at the weekend left the northern part of Kiev without power. All fingers point to Russia because of previous attacks on power grids.

In December 2015 an attack left parts of western Ukraine, including regional capital Ivano-Frankivsk, without power for almost six hours.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
