A malicious remote access toolkit recently found in an app used by Ukrainian military forces is an Android version of the same proprietary malware that helped hackers steal files from the Democratic National Committee, researchers from CrowdStrike have reported.
According to CrowdStrike, which investigated the DNC hack, the malware is inextricably linked to the Russian APT group Fancy Bear, and may have allowed Russians intelligence forces to track the movements of Ukrainian artillery units during the ongoing military conflict in Eastern Ukraine. Adam Meyers, VP of intelligence at CrowdStrike, told SC Media in an interview that the malware's obvious military purpose “supports the overall assertion that Fancy Bear is tied to the GRU,” Russia's military intelligence agency, thus providing even more evidence that the highest levels of Russian government authorized the DNC hack and meddled in the 2016 U.S. presidential election.
The CrowdStrike report states that the spyware “implant,” dubbed X-Agent or Sofacy, was secretly embedded into an otherwise legitimate Android application that was used by Ukrainian artillery troops to simplify targeting data for the D-30 towed howitzer. Created by a member of Ukraine's 55th Artillery Brigade, this legit app reduces the howitzer's targeting time from minutes to under 15 seconds and according to its creator has been used by at least 9,000 Ukrainian artillery personnel.
Launched around April 2013, the app was originally promoted on social media and distributed via the software developer's own web page. But sometime between then and December 2014, the malicious variant of the Android application was made available on a Russian-language Ukrainian military forum that fraudulently claimed to be associated with the app developers, the report continues. CrowdStrike suspects that Russian intelligence became aware of the app and introduced a malicious version online in order to infect Ukraine's artillery forces.
Following the 2014 revolution that ousted Ukraine's then-president Viktor Yanukovych, Russian forces staged a military intervention and annexed Crimea from Ukraine in March 2014. Ukraine continues to battle pro-Russian forces in the nation's Donbass region, where separatists have received assistance from the Russian military.
Discovered in August, the Android malware allows attackers to gain access to an infected device's contacts, SMS text messages, call logs and Internet data. But it also has the potential give adversaries the ability to perform advance reconnaissance on infected military units, including determining their composition, hierarchy, plans and general location, the report stated.
"They've integrated [a] cyber element to traditional war fighting tactics,” said Meyers.
Interestingly, statistics suggest that pro-Russian separatists have been especially successful in their skirmishes with Ukrainian units using D-30 howitzers, the very weapon the sabotaged Android app was designed to improve. “Open source reporting indicates that Ukrainian artillery forces have lost over 50 percent of their weapons in the two years of conflict [with Russia] and over 80 percent of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine's arsenal,” the report states. "It is possible that the deployment of this malware-infected application may have contributed to the high-loss nature of this platform."
The Sofacy Android app represents a significant step forward in Fancy Bear's mobile malware efforts. CrowdStrike also discovered indications that the APT developed Sofacy applications for the iOS environment, specifically targeting jailbroken Apple mobile devices, as early as 2015.
Fancy Bear is also known as APT 28, Sednit, Strontium, Sofacy and Pawn Storm.