The group that hacked the DNC infiltrated Ukrainian artillery units
- 23 December, 2016 06:51
The cyberespionage group blamed for hacking into the U.S. Democratic National Committee (DNC) earlier this year has also infiltrated the Ukrainian military through a trojanized Android application used by its artillery units.
The group, which is known in the security industry under different names, including Fancy Bear, Pawn Storm, and APT28, has been operating for almost a decade. It is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent that has variants for Windows, Android, and iOS.
Fancy Bear has been responsible for many cyberespionage operations around the world over the years, and its selection of targets has frequently reflected Russia's geopolitical interests. Researchers from security firm CrowdStrike believe the group is likely tied to the Russian Military Intelligence Service (GRU).
The company found an Android application package earlier this year that had been trojanized with the Android version of X-Agent. It is a maliciously modified version of an app developed by Yaroslav Sherstuk, an officer in Ukraine's 55th Artillery Brigade, to help artillery forces more quickly process targeting data for the Soviet-made D-30 howitzer.
Sherstuk previously estimated in media interviews that up to 9,000 Ukrainian artillery personnel have used his application and that it helped reduce the D-30 targeting time from minutes to under 15 seconds, according to CrowdStrike.
Sherstuk's app has never been distributed through Google Play, meaning its users likely installed it manually after obtaining it from various sources. And with users in the habit of installing apps from alternative sources, Fancy Bear probably didn't have much trouble distributing a trojanized version of the app.
"Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance against Ukrainian troops," the CrowdStrike researchers said Thursday in a blog post. "The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them."