Fancy Bear used Android malware to track Ukrainian artillery

Malicious app likely helped Russian forces deal heavy blows in Ukrainian crisis.

David bisson
David Bisson

Fancy Bear used Android malware to track Ukrainian artillery

The Fancy Bear hacking group used a malicious app to track Ukrainian artillery field units, an operation which may have helped Russia forces in a conflict with the country.

American security firm CrowdStrike says that Fancy Bear, the same threat actor who hacked the Democratic National Committee during the 2016 U.S. presidential campaign, based the app on tool named “X-Agent” (also known as “Sofacy”).

As the California-based company explains in a blog post:

“Late in the summer of 2016, CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named Попр-Д30.apk which contained a number of Russian language artifacts that were military in nature. Initial research identified that the filename suggested a relationship to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s but still in use today. In-depth reverse engineering revealed the APK contained an Android variant of X-Agent, the command and control protocol was closely linked to observed Windows variants of X-Agent, and utilized a cryptographic algorithm called RC4 with a very similar 50 byte base key.”

Malicious app

The APK is a malicious version of an app developed by Yaroslav Sherstuk, a Ukrainian officer of the 55th Artillery Brigade, back in 2013. The app, which had about 9,000 users, is said to reduce the time it takes to fire a D-30 from from minutes to 15 seconds.

Evidence suggests at least one military unit operating in eastern Ukraine used Sherstuk’s app through 2016 in the country’s ongoing conflict with anti-government protesters and Russian forces.

From its investigation, CrowdStrike has found that the malicious version of Sherstuk’s app made its way onto Russian language Ukrainian military forums in December 2014, that is, the early stages of the Russian-Ukrainian conflict. Both sides relied on artillery fighting, with Ukraine’s government relying on the D-30 howitzer.

Sign up to our free newsletter.
Security news, advice, and tips.

But the D-30 has not fared well in these hostilities. Since 2014, Ukrainian artillery forces have lost half of their equipment and over 80 percent of D-30 howitzers.

How did this happen? CrowdStrike writes in a report that Попр-Д30.apk is to blame:

“The X-Agent Android variant does not exhibit a destructive function and does not interfere with the function of the original Попр-Д30.apk application. Therefore, CrowdStrike Intelligence has assessed that the likely role of this malware is strategic in nature. The capability of the malware includes gaining access to contacts, Short Message Service (SMS) text messages, call logs, and internet data, and FANCY BEAR would likely leverage this information for its intelligence and planning value.

“CrowdStrike Intelligence assesses a tool such as this has the potential ability to map out a unit’s composition and hierarchy, determine their plans, and even triangulate their approximate location. This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting.”

The malicious app marks Fancy Bear’s expansion in mobile malware development from iOS to Android. More than that, it illustrates just how far Russia will go to gain in an advantage in its fight with Ukraine.

I hate to say it, but I’d be surprised if the attacks stopped here.

We’ll more than likely hear about other operations from Fancy Bear in this ongoing conflict. Whatever innovations they develop next, variations on these and other digital weapons will no doubt shape hostilities around the world going forward. Such is the ongoing evolution of “cyber-enabled conflict.”

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.