Fancy Bear APT tracked Ukrainian artillery units with an Android implant

The Russian APT group Fancy Bear used a malware implant on Android devices to track and target Ukrainian artillery units from late 2014 through 2016.

The popular hacking group, known as Fancy Bear, APT 28, Pawn Storm, Sednit or Sofacy, is once again in the headlines. Experts from the cyber security firm CrowdStrike reported the alleged Russian nation-state actor used malware implant on Android devices to track and target Ukrainian artillery units from late 2014 through 2016.

The malicious code was used by spy on target communication and retrieve locational data of the Ukrainian artillery units, this information would have likely been used by pro-Russian separatists fighting in eastern Ukraine to launch attacks against Ukrainian units. Late in the summer of 2016, researchers from CrowdStrike Intelligence began investigating a curious Android Package (APK) named ‘Попр-Д30.apk’ (MD5: 6f7523d3019fa190499f327211e01fcb). The APK contains a number of Russian language artifacts that were military in nature.  Hackers used an implant for a legitimate app, but there is no evidence the application was made available in the Android app store.

“From late 2014 and through 2016, FANCY BEAR X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk.” states the report published by Crowdstrike. “The original application enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 Howitzer employed by Ukrainian artillery forces reducing targeting time from minutes to under 15 seconds. According to Sherstuk’s interviews with the press, over 9000 artillery personnel have been using the application in Ukrainian military.”

“Initial research identified that the filename suggested a relationship to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s but still in use today.” states the report.

If the analysis published by the experts it correct, it means that the Kremlin military strategy made a large use of hacking campaigns to influence internal affairs of foreign governments and to support military operations.

Experts believe the Fancy Bear hacker group operates on behalf of the Russia’s military intelligence agency, GRU. According to the US intelligence, the group was responsible for hacks during the 2016 Presidential Election, its hacking operations aimed to support Donald Trump.

Russia has repeatedly denied hacking accusations.

The malicious code developed by Fancy Bear to track Ukrainian artillery units has many similarities with the one used in the hack of the Democratic National Committee.

Is the malicious implant effective?

According to open source data cited in the report, Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers. This represents the highest percentage of loss of any other Ukrainian artillery units.

One aspect very interesting of the story is the implant, an unseen variant of the X-Agent. The use of a malware with its characteristic demonstrates “FANCY BEAR’s expansion in mobile malware development from iOS-capable implants to Android devices”

Further details are available on the CrowdStrike report.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Fancy Bear, Ukrainian artillery units)