Fancy Bear tracking Ukrainian artillery units By Will Wisser Posted on February 23, 2017 2 min read 0 695 The blood-shedding military conflict in the East Ukrainian Donbas region is assuming new hybrid characteristics. The Ukrainian army has been confronted with a deadly tandem of Russia-backed rebels and Russian regular military forces since 2014. According to a recent investigation by CrowdStrike, the theater of war here turns out to be an explosive mix of a real-world battlefield and cyber warfare. A group of threat actors referred to as Fancy Bear, which is likely affiliated with Russia’s Main Intelligence Agency (GRU), has reportedly created a trojanized Android application, subsequently contaminating Ukrainian soldiers’ smartphones with it to accurately determine the location of Ukrainian field artillery units. 122 mm D-30 howitzer The Fancy Bear group has also operated under such aliases as Sofacy, Strontium, Sednit, and APT28. As per investigative reports, the cybercrime ring in question is the one that pulled off a series of attacks against the U.S. Democratic National Committee in June 2016. The breaches were carried out through the use of a cross-platform remote access toolkit called X-Agent. Originally, the X-Agent RAT could be deployed on different editions of the Windows operating system, as well as Mac OS X and iOS. However, details of the recent evidence of its engagement in the war conflict in Eastern Ukraine proves that the use cases have expanded to Android. The source code of X-Agent hasn’t been circulating beyond the campaigns of Fancy Bear, which proves the attribution of these attacks exclusively to the Russian intelligence and the associated cybercrime group. The Fancy Bear group has ties to Russian intelligence The legitimate prototype of the malware was originally developed in 2014 by Yaroslav Sherstuk, an officer of the 55th Artillery Brigade of the Ukrainian Armed Forces. Called “Попр-Д30.apk”, this Android application was intended to facilitate the process of calibrating the 122 mm D-30 towed howitzer. According to Mr. Sherstuk, the app reduced the howitzer targeting time from minutes to less than 15 seconds. This, obviously, gave Ukrainian artillerists a significant advantage over the adversary. The application was never distributed in the open – instead, it was exchanged between officers or could be downloaded from Ukrainian military forums. The user base reached about 9,000 over the 2014-2016 time span. In a stealthy move, Fancy Bear crooks were able to get a copy of Попр-Д30 and rebuild it. They injected the Android variant of X-Agent into the app and posted the booby-trapped installer on dedicated Ukrainian military forums. As some unsuspecting Ukrainian officers ended up installing the rogue application on their Android devices, Russian threat actors could obtain their geolocation data and intercept communications. It’s within the realms of possibility that this cyber espionage caused the Ukrainian Army to lose 80% of its D-30 howitzers since 2014, which significantly exceeds the number of other artillery units destroyed over the last two years of conflict. The original ‘Попр-Д30’ app for Android These disconcerting statistics, however, appear to be far-fetched. Crowdstike’s Adam Meyers, the author of the report under consideration, may have used a questionably trustworthy resource to obtain information on the whopping 80% losses of the Ukrainian artillery units over Fancy Bear’s interference. The website being referenced is run by a pro-Russian investigative reporter who goes by the handle “Colonel Cassad”. The quantitative facet of the research is based on data provided in The Military Balance annual reports for 2013 and 2016 released by the International Institute for Strategic Studies (IISS). Although the figures on Ukrainian 122 mm D-30 towed howitzers for 2013 and 2016 are accurate (369 and 75, respectively), the decrease by 80% can be attributed to an inventory as of 2014 that discovered out-of-order artillery units. Furthermore, we at MySpybot were unable to spot any Ukrainian military forums distributing the malicious .apk of the Попр-Д30 app. We sent an official inquiry to Mr. Meyers for commentary on this discrepancy. In particular, we asked him to provide the specific online resource hosting the rogue .apk file. Unfortunately, we never received anything in response. So it makes sense to conclude that the above-mentioned stats are ungrounded and blown out of proportion. This reconnaissance operation by the Fancy Bear group demonstrates how digital code can have real-life consequences. Obviously, the tactics of hybrid war have no limits, covering the military, political and cyber facets of warfare. Crypto ransomware poses another noteworthy aspect of Russian misdemeanor on the international cyber threats arena. For instance, one of the recent ransomware strains appends victims’ encrypted files with the “.VOZMEZD IE_ZA_DNR” suffix. This string is a transliterated Russian phrase meaning “Revenge for DPR”, where DPR stands for the self-proclaimed Donetsk People’s Republic, a butcherly terrorist organization operating in East Ukraine. This indicator of compromise suggests that the threat actors behind these attacks are either Russians or tech-savvy Russia-backed terrorists. This online extortion campaign certainly doesn’t affect people’s lives as badly as Fancy Bear’s felonies. But it explicitly demonstrates the hostility of one particular country toward the rest of the world.