Malware allegedly used by a Russian group to hack into the Democratic National Committee was found on the cellphones of Ukrainian soldiers manning artillery across the war-torn country in 2014, according to cybersecurity firm Crowdstrike.
Newly disclosed digital forensic evidence suggests that the Russian hacking group — accused of meddling in the U.S. presidential election — may be involved in a complex, multidimensional cyber-espionage operation that is helping armed pro-Russia separatists track the movement of Ukrainian forces.
If accurate, Crowdstrike’s findings effectively illustrate the expected expansion of warfare’s traditional battlefield — in which cyberspace is becoming a fundamental domain for both intelligence gathering operations and disruption. The DNC called upon the California-based company to clean up a major intrusion this summer, and it was traced to Russian hackers.
On Thursday, Crowdstrike published a report that further connects Russian military intelligence services, or GRU, to the mysterious Fancy Bear group — otherwise known as APT28. The unique malware in question, dubbed X-Agent, has been similarly used by both GRU and Fancy Bear to infiltrate electronic devices, allowing the attackers to potentially steal personal data, record audio, make screenshots and send them to a remote command-and-control server.
TrendMicro, another private cybersecurity firm also based in the U.S., first linked X-Agent to Russian intelligence after reviewing online signatures in the aftermath of Operation Pawn Storm — a broad-based phishing email scheme that targeted foreign military, government, defense industry and media figures with spyware.
Since about 2013, Ukrainian artillery soldiers have been using an Android-based mobile phone app to help them aim weaponry. The app was originally developed by a fellow Ukrainian infantryman named Yaroslav Sherstuk and spread through private, noncommercial download channels. But over time, the app also found its way onto VK, a Facebook-style Russian site.
According to Crowdstrike, APT28 developed a malware-laden version of Sherstuk’s app and began covertly advertising it online sometime after 2013. It remains unclear just how many Ukrainian soldiers actually downloaded the cloned, malicious smartphone app.
“On 21 December 2014 the malicious variant of the Android application was first observed in limited public distribution on a Russian language, Ukrainian military forum. A late 2014 public release would place the development timeframe for this implant sometime between late-April 2013 and early December 2014,” Crowdstrike writes in its report.
Crowdstrike believes that pro-Russian fighters — assisted by a malware-covered battlefield — were able to scrape information pertaining to the position of specific Ukrainian artillery units.
Between July 9 and Sept. 5, 2014, open source investigative group Bellingcat reported that Russian forces launched more than 120 artillery strikes on Ukrainian soldiers positioned at the border of Crimea, a contested war zone. In just 5 months, by some estimates, Ukrainian forces lost more than 80 percent of their deployed D-30 Howitzers.
“We have only seen [X-Agent] used by FANCY BEAR. The source code for it has never been found on any public or underground forum,” Crowdstrike CTO and co-founder Dimitri Alperovitch told DefenseOne.