Hackers believed to be working for the Russian military were able to track the position of Ukrainian fighters thanks to a booby-trapped Android app originally used to improve the aim and accuracy of Ukraine’s own artillery units, according to a new report.
CrowdStrike, the security firm that also accused Russia of being behind the hack on the Democratic National Committee earlier this year, found that the same group was behind a more daring, and potentially deadly, hacking operation in Ukraine. The hackers, who are known as Fancy Bear or APT28, altered a legitimate app used by Ukrainian troops called Попр-Д30 (an abbreviation of Поправки-Д30, which translates to Correction-D30), slipping their own malware inside of it, according to CrowdStrike, which released its findings on Thursday.
The Android app was reportedly created by Yaroslav Sherstuk, an officer of the 55th Artillery Brigade in Ukraine. Fancy Bear trojanized the app with an Android version of X-Agent, a type of malware exclusively used by Fancy Bear in the past. For two years, as Ukrainian fighters relied on the app for their daily operations, the Russians were secretly turning the app against them, according to CrowdStrike.
A screenshot of the app used by Ukrainian artillery fighters. Image: CrowdStrike
This operation, which sounds like something out of a sci-fi war story, is likely a sign of things to come and shows how any connected technology used by a military can be compromised and used against it.
“If [the Russians] knew the enemy was using some Android app to facilitate targeting—hell ya go trojan that app and inject malware that can allow geolocation,” Patrick Wardle, a former hacker at the NSA and now the director of research at security firm Synack, told Motherboard in an online chat. “This is what military/nation-state hacking in time of war looks like.”
“It’s incredible, from a technical point of view, that hackers and hacking can so drastically influence the outcome of military engagements,” Wardle said. “If this is all true, I mean, it would have been a huge, huge advantage for the Russians to be able to geolocate the Ukrainian artillery units...basically in real-time, via an infected Android app. Crazy.”
Up to 9,000 Ukrainian soldiers used the app to more quickly process targeting data when using the Soviet-era cannon D-30 Howitzer. For soldiers to trust a custom-made Android app, which was apparently distributed on “military forums” for critical war operations, was potentially a fatal mistake.
“*If* 9,000 Ukrainian artillery personnel have downloaded an Android app—infected or not—for targeting, then this is a *colossal* OPSEC fail,” Thomas Rid, a professor in the Department of War Studies at King's College London, tweeted.
If CrowdStrike is right in linking the X-Agent malware within Попр-Д30 to Fancy Bear, this suggests the group is working directly with the Russian government and its military intelligence agency GRU.
"This cannot be a hands-off group or a bunch of criminals, they need to be in close communication with the Russian military," CrowdStrike co-founder Dmitri Alperovitch told Reuters.