• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

LapDogs: China-nexus hackers Hijack 1,000+ SOHO devices for espionage

 | 

Taking over millions of developers exploiting an Open VSX Registry flaw

 | 

OneClik APT campaign targets energy sector with stealthy backdoors

 | 

APT42 impersonates cyber professionals to phish Israeli academics and journalists

 | 

Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

 | 

Cisco fixed critical ISE flaws allowing Root-level remote code execution

 | 

U.S. CISA adds AMI MegaRAC SPx, D-Link DIR-859 routers, and Fortinet FortiOS flaws to its Known Exploited Vulnerabilities catalog

 | 

CitrixBleed 2: The nightmare that echoes the 'CitrixBleed' flaw in Citrix NetScaler devices

 | 

Hackers deploy fake SonicWall VPN App to steal corporate credentials

 | 

Mainline Health Systems data breach impacted over 100,000 individuals

 | 

Disrupting the operations of cryptocurrency mining botnets

 | 

Prometei botnet activity has surged since March 2025

 | 

The U.S. House banned WhatsApp on government devices due to security concerns

 | 

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Cyber warfare
  • Intelligence
  • Mobile
  • Fancy Bear APT tracked Ukrainian artillery units with an Android implant

Fancy Bear APT tracked Ukrainian artillery units with an Android implant

Pierluigi Paganini December 22, 2016

The Russian APT group Fancy Bear used a malware implant on Android devices to track and target Ukrainian artillery units from late 2014 through 2016.

The popular hacking group, known as Fancy Bear, APT 28, Pawn Storm, Sednit or Sofacy, is once again in the headlines. Experts from the cyber security firm CrowdStrike reported the alleged Russian nation-state actor used malware implant on Android devices to track and target Ukrainian artillery units from late 2014 through 2016.

The malicious code was used by spy on target communication and retrieve locational data of the Ukrainian artillery units, this information would have likely been used by pro-Russian separatists fighting in eastern Ukraine to launch attacks against Ukrainian units. Late in the summer of 2016, researchers from CrowdStrike Intelligence began investigating a curious Android Package (APK) named ‘Попр-Д30.apk’ (MD5: 6f7523d3019fa190499f327211e01fcb). The APK contains a number of Russian language artifacts that were military in nature.  Hackers used an implant for a legitimate app, but there is no evidence the application was made available in the Android app store.

“From late 2014 and through 2016, FANCY BEAR X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk.” states the report published by Crowdstrike. “The original application enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 Howitzer employed by Ukrainian artillery forces reducing targeting time from minutes to under 15 seconds. According to Sherstuk’s interviews with the press, over 9000 artillery personnel have been using the application in Ukrainian military.”

Ukrainian artillery units app track

“Initial research identified that the filename suggested a relationship to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s but still in use today.” states the report.

If the analysis published by the experts it correct, it means that the Kremlin military strategy made a large use of hacking campaigns to influence internal affairs of foreign governments and to support military operations.

Experts believe the Fancy Bear hacker group operates on behalf of the Russia’s military intelligence agency, GRU. According to the US intelligence, the group was responsible for hacks during the 2016 Presidential Election, its hacking operations aimed to support Donald Trump.

Russia has repeatedly denied hacking accusations.

The malicious code developed by Fancy Bear to track Ukrainian artillery units has many similarities with the one used in the hack of the Democratic National Committee.

Is the malicious implant effective?

According to open source data cited in the report, Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers. This represents the highest percentage of loss of any other Ukrainian artillery units.

One aspect very interesting of the story is the implant, an unseen variant of the X-Agent. The use of a malware with its characteristic demonstrates “FANCY BEAR’s expansion in mobile malware development from iOS-capable implants to Android devices”

Further details are available on the CrowdStrike report.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Fancy Bear, Ukrainian artillery units)


facebook linkedin twitter

APT COZY BEAR FANCY BEAR malware Russian hackers Sofacy Group state-sponsor hackers Ukraine Ukrainian artillery units

you might also like

Pierluigi Paganini June 28, 2025
LapDogs: China-nexus hackers Hijack 1,000+ SOHO devices for espionage
Read more
Pierluigi Paganini June 27, 2025
OneClik APT campaign targets energy sector with stealthy backdoors
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    LapDogs: China-nexus hackers Hijack 1,000+ SOHO devices for espionage

    Malware / June 28, 2025

    Taking over millions of developers exploiting an Open VSX Registry flaw

    Hacking / June 27, 2025

    OneClik APT campaign targets energy sector with stealthy backdoors

    Hacking / June 27, 2025

    APT42 impersonates cyber professionals to phish Israeli academics and journalists

    APT / June 27, 2025

    Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

    Cyber Crime / June 26, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT