Khanate
Russian Android malware tracked Ukrainian military
Catalin Cimpanu | December 22, 2016
D-30 Howitzer gun battery
A cyber-espionage group linked to the Russian military has developed Android malware that it used to infect the smartphones of Ukrainian soldiers and track Ukrainian field artillery units, according to a report released today by CrowdStrike.
The report comes from the same security firm that discovered the "alleged" Russian hack of the Democratic National Committee (DNC) servers in April 2016.
According to CrowdStrike, the group behind the Android malware that targeted Ukrainian military forces is Fancy Bear, one of the two groups involved in the DNC hack (the other, Cozy Bear, was far more active there).
Group has ties to Russia's military
Based on multiple reports from several security firms across the globe, the Fancy Bear group appears to have ties to the Russian military intelligence service GRU.
The Fancy Bear group is also identified under several other names in different cyber-espionage reports. Over time it has been referred to as Strontium, APT28, Sednit and Pawn Storm, but most often as Sofacy.
Sofacy is also the name of the group's primary espionage tool, a remote access tool (RAT) also known as X-Agent.
The Sofacy (X-Agent) malware is distinctive in that it was developed by Fancy Bear and has been seen only in that group's own cyber-espionage operations, which makes its presence a strong attribution marker.
CrowdStrike finds Android version of the group's native malware
Until now, security firms that analyzed the group's activity had found only Windows, Mac OS X and iOS variants of this RAT.
According to CrowdStrike, that changed over the summer, when its analysts discovered an Android app carrying a new variant of the malware that spoke the classic X-Agent communications protocol, previously seen only in the original Sofacy (X-Agent) implant.
After taking a closer look at the Android app, researchers found it was a trojanized clone of an application written by an officer of the Ukrainian military's 55th Artillery Brigade, Yaroslav Sherstuk.
Speaking to Sherstuk, CrowdStrike learned that he created the app to automate some of the calculations needed to calibrate the D-30 howitzers used by Ukrainian artillery.
The officer said he wrote the app in 2014 and distributed it to other Ukrainian officers without ever hosting it on the Google Play Store. He estimated its initial user base at around 9,000 installations.
Попр-Д30 Android app (Source: Crowdstrike)
At some point, as the conflict in eastern Ukraine escalated into open military engagement, Fancy Bear operators took a copy of the app, injected their malware into it, and spread the trojanized version by posting links to it on various Ukrainian military forums.
Before CrowdStrike found the app, an unknown number of Ukrainian military personnel may already have installed it, with potentially dire consequences.
Ukrainian army lost 80% of its D-30 Howitzer guns
According to independent reports, Ukrainian forces have lost 50% of all their artillery in the two years since the war started in 2014. Most conspicuously, Ukraine lost 80% of its D-30 howitzers.
The Android variant of the Sofacy malware spies on its victims and reports the collected data back to Fancy Bear's servers, data that CrowdStrike says can be used to triangulate a unit's approximate location.
CrowdStrike has not recovered smartphones belonging to Ukrainian artillery personnel that were infected with the Sofacy malware, and its own assessment says only that the infected app "may have contributed" to the losses; even so, many third-party observers will be tempted to draw a straight line from the existence of this malware to the separatists' success at destroying D-30 guns.
Furthermore, this is one of the few cases in which a cyber-espionage group has been found operating on a live battlefield rather than lurking in the shadows and collecting data from foreign businesses and politicians.
Source: Bleeping Computer / Reuters / CrowdStrike (Report)
—————
Key details from the CrowdStrike report:
- The original application, Попр-Д30.apk, was initially developed domestically within Ukraine by a member of the 55th Artillery Brigade.
- The promotion of the program was limited to social media, and the distribution was controlled from the author’s main page, «Програмное обеспечение современного боя» (translation: "Modern combat software"). As an additional control measure, the program was only activated for use after the developer was contacted and issued a code to the individual downloading the application.
- CrowdStrike Intelligence assesses that the application likely came to the attention of Russia based adversaries around this time frame as a result of ongoing Russian reconnaissance associated with the revolution in Ukraine. Actors with a nexus to Russia regularly monitor social media sites in order to better understand or formulate operations against their targets.
- CrowdStrike Intelligence assesses that the likely role of this malware is strategic in nature. The capability of the malware includes gaining access to contacts, Short Message Service (SMS) text messages, call logs, and internet data, and FANCY BEAR would likely leverage this information for its intelligence and planning value.
- CrowdStrike Intelligence assesses that the distribution of the malicious application targeted the very artillery units for which the benign application was developed—brigades operating in eastern Ukraine on the frontlines of the conflict with Russian-backed separatist forces during the early stages of the conflict in late-2014. The malicious application targets some of the front line forces pivotal in Ukrainian defense on the eastern front. This would likely be a high priority for Russian adversary malware developers seeking to turn the tide of the conflict in their favor.
- CrowdStrike Intelligence assesses a tool such as this has the potential ability to map out a unit’s composition and hierarchy, determine their plans, and even triangulate their approximate location. This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting.
- Additionally, a study provided by the International Institute of Strategic Studies determined that the weapons platform bearing the highest losses between 2013 and 2016 was the D-30 towed howitzer. It is possible that the deployment of this malware-infected application may have contributed to the high-loss nature of this platform.
Comment: Cyberspace has become the fifth dimension of war. Proceed accordingly, Pakistan.
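The attack described above works because a sideloaded APK fetched from a forum link looks identical to the developer's build; the activation-code scheme mentioned in the CrowdStrike details gates use of the original but does nothing to stop a re-signed clone from running. The practical check a recipient can perform is to compare the signing certificate of the APK in hand with a fingerprint the developer publishes out of band. The script below is an added example written for this page; it is not code from the article, from the Попр-Д30 app or from CrowdStrike. It assumes the developer has published a SHA-256 certificate fingerprint to pin (the page says nothing about one), reads only the v1 (JAR-style) signature in META-INF/*.RSA, which is what a 2014-era app would carry, and builds its sample "APKs" from placeholder certificates rather than real X.509 data.

```python
"""Verify that a sideloaded APK is signed by the expected developer key.

Added example, not code from the article or CrowdStrike's report. It pulls
the signer certificate out of the v1 signature block META-INF/*.RSA by
walking just enough of the PKCS#7 DER, then compares the certificate's
SHA-256 fingerprint with a pinned value (assumed to be published by the
developer). Standard library only; the sample APKs are constructed here
with placeholder certificates, not real signed apps.
"""
import hashlib
import io
import zipfile


def _read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend, pos
        pos = vend


def signer_certificate_der(pkcs7):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData blob."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    tag, start, end = _read_tlv(pkcs7, 0)
    if tag != 0x30:
        raise ValueError("signature block is not a DER SEQUENCE")
    content = next(c for c in _children(pkcs7, start, end) if c[0] == 0xA0)
    signed_data = next(_children(pkcs7, content[1], content[2]))
    # SignedData ::= SEQUENCE { version, digestAlgorithms, contentInfo,
    #                           certificates [0] IMPLICIT SET OF Certificate OPTIONAL, ... }
    for tag, s, e, _ in _children(pkcs7, signed_data[1], signed_data[2]):
        if tag == 0xA0:
            _, _, cert_end, cert_start = next(_children(pkcs7, s, e))
            return pkcs7[cert_start:cert_end]  # the whole Certificate TLV
    raise ValueError("no certificate in signature block")


def apk_signer_fingerprint(apk_bytes):
    """Hex SHA-256 of the v1 signer certificate, or None if the APK has no v1 signature."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                return hashlib.sha256(signer_certificate_der(z.read(name))).hexdigest()
    return None


def is_trusted_build(apk_bytes, pinned_fingerprint):
    """True only if the APK carries a v1 signature whose certificate matches the pinned fingerprint."""
    fp = apk_signer_fingerprint(apk_bytes)
    return fp is not None and fp == pinned_fingerprint.lower().replace(":", "")


def _der(tag, body):
    """Encode one DER TLV, using the long length form for bodies of 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_apk(cert_der):
    """Constructed stand-in for an APK; cert_der=None yields an unsigned package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder for binary XML")
        if cert_der is not None:  # minimal PKCS#7 SignedData around the certificate
            signed_data = _der(0x30, _der(0x02, b"\x01")                         # version
                               + _der(0x31, b"")                                  # digestAlgorithms (empty here)
                               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))  # pkcs7-data
                               + _der(0xA0, cert_der)                             # certificates
                               + _der(0x31, b""))                                 # signerInfos (empty here)
            z.writestr("META-INF/CERT.RSA", _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02")
                                                  + _der(0xA0, signed_data)))
    return buf.getvalue()


# Placeholder certificates; the developer's is padded past 127 bytes to exercise long-form lengths.
DEVELOPER_CERT = _der(0x30, b"developer certificate placeholder " * 6)
ATTACKER_CERT = _der(0x30, b"attacker re-signing certificate placeholder")
PINNED_FINGERPRINT = hashlib.sha256(DEVELOPER_CERT).hexdigest()

if __name__ == "__main__":
    original = build_sample_apk(DEVELOPER_CERT)
    repackaged = build_sample_apk(ATTACKER_CERT)  # same app, re-signed after the malware was injected
    print("developer build trusted :", is_trusted_build(original, PINNED_FINGERPRINT))    # True
    print("forum-link build trusted:", is_trusted_build(repackaged, PINNED_FINGERPRINT))  # False
```

The check only answers "was this signed with the key I pinned"; it cannot tell a genuine key from an attacker's without the out-of-band fingerprint, and it does not cover the v2/v3 APK Signature Scheme, whose block lives outside META-INF. For a real package, `apksigner verify --print-certs` from the Android build-tools prints the same SHA-256 certificate digest for all signature versions and is the tool to compare against.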