HACKERS linked to the Russian authorities supporting rebels in eastern Ukraine have used Android malware to track Ukrainian artillery in the field.
The malware, embedded in a Trojanised version of a targeting app distributed to military forces manning Soviet-era howitzers, was used to track the artillery crews, enabling them to be accurately targeted by rebels.
According to some reports, the Ukrainian artillery forces have lost more than half of their weaponry in the two or so years that the conflict has been raging, including more than four-fifths of the D-30 howitzers that the app - and its Trojanised twin - were developed for.
That is the claim of CrowdStrike co-founder Dmitri Alperovitch, who has linked the malware found on the Android smartphones of Ukrainian military personnel with the same 'Fancy Bear' group of hackers that, he claims, was behind attacks on the US Democratic National Committee.
A legitimate app to help crews reduce targeting time from minutes to seconds had been developed by the Ukrainian military and shown off on Ukrainian television by Yaroslav Sherstuk, an officer of the 55th Artillery Brigade.
However, because the app wasn't available for download via the usual channels, Alperovitch claims that hackers linked to the Russian military downloaded the app, Trojanised it and re-uploaded it to bulletin boards.
"Late in the summer of 2016, CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named 'Попр-Д30.apk' (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature," claimed Adam Meyers, vice president for intelligence at CrowdStrike, in a research note released today.
He continued: "Initial research identified that the filename suggested a relationship to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s, but still in use today.
"In-depth reverse engineering revealed the APK contained an Android variant of X-Agent, the command and control protocol was closely linked to observed Windows variants of X-Agent, and utilised a cryptographic algorithm called RC4 with a very similar 50 byte base key."
X-Agent is a cross-platform remote access toolkit that runs on Windows and Apple's iOS and macOS operating systems, as well as Android.
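The RC4 detail in the CrowdStrike quote is worth unpacking, because it is what lets an analyst read the C2 traffic once the key has been pulled out of a sample, and what allowed the Android and Windows variants to be compared. The following is an added example, not CrowdStrike's or X-Agent's code: the 50-byte key and the two "beacons" are constructed stand-ins (the page publishes neither the real key nor any traffic), and the keystream-reuse leak at the end is a general property of any stream cipher driven by a static key with no per-message nonce, not a statement about how X-Agent frames its messages.

```python
"""Added example: RC4 with a fixed base key, and what that buys a defender.

Not CrowdStrike's or X-Agent's code. BASE_KEY and the beacons below are
constructed for illustration; the page does not publish the real key.
"""
from typing import Iterable

# Hypothetical 50-byte base key standing in for the one the report mentions.
BASE_KEY = bytes(range(0x10, 0x42))  # 0x10..0x41 inclusive = 50 bytes


def rc4_keystream(key: bytes) -> Iterable[int]:
    """Textbook RC4: key-scheduling (KSA) then the PRGA, yielding keystream."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher, so encrypt and decrypt are the same XOR."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decrypt_c2(ciphertext: bytes, key: bytes = BASE_KEY) -> bytes:
    """What an analyst does with captured traffic once the key is recovered
    from the binary: with a symmetric static key there is nothing else to break."""
    return rc4(key, ciphertext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """If every message is encrypted under the same key with nothing per-message
    mixed in, all messages share one keystream, so ct1 XOR ct2 == pt1 XOR pt2
    and one known plaintext reveals the other without the key at all."""
    n = min(len(ct1), len(ct2), len(known_pt1))
    return xor_bytes(xor_bytes(ct1[:n], ct2[:n]), known_pt1[:n])


# Constructed sample beacons (not real X-Agent traffic).
BEACON_1 = b"id=dev01;lat=48.01;lon=37.80;ts=1472400000"
BEACON_2 = b"id=dev01;lat=48.02;lon=37.81;ts=1472400060"


def demo() -> dict:
    ct1 = rc4(BASE_KEY, BEACON_1)
    ct2 = rc4(BASE_KEY, BEACON_2)
    return {
        "decrypts": decrypt_c2(ct1) == BEACON_1,              # key known
        "leaked_beacon_2": keystream_reuse_leak(ct1, ct2, BEACON_1),  # key unknown
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points fall out of this. First, a hard-coded symmetric key in the sample is itself an indicator: the same or a near-identical 50-byte key in an Android APK and a Windows binary is a strong link between the two, which is the comparison the report describes. Second, `rc4_keystream` also shows why the scheme is fragile in the attacker's hands: if any two messages are ever encrypted under the same key without a per-message nonce, a defender who has one plaintext (a known beacon format, a check-in string) can read the other with no key material at all.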
"Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade; CrowdStrike associates the use of X-Agent with an actor we call Fancy Bear," he added.
"Successful deployment of the Fancy Bear malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross-locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them."
CrowdStrike, which linked the Fancy Bear group with the attack on the US Democratic National Committee, believes that the group is affiliated with Russian military intelligence, and works closely with Russian military forces operating in eastern Ukraine and its border regions in Russia.