
Russia Used Android Malware to Track Ukrainian Troops: Report

The Russia-linked cyberespionage group known as Fancy Bear has tracked Ukrainian artillery forces by planting a piece of Android malware in a legitimate military application, threat intelligence firm CrowdStrike reported on Thursday.

Fancy Bear is also known as APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit. The group is believed to be responsible for many high-profile attacks, including recent operations aimed at the U.S. Democratic Party, government organizations in Turkey and Germany, and the World Anti-Doping Agency (WADA).

CrowdStrike believes Fancy Bear is likely tied to GRU, the foreign military intelligence agency of Russia’s Armed Forces, and the company’s recent findings reinforce this theory.

This summer, the company’s analysts came across an Android application package (APK) file named “Попр-Д30.apk.” The file contained Russian-language artifacts and its name referenced the D-30, a Russian-made 122 mm towed howitzer that first entered service in the 1960s.

The D-30 is still used by the Ukrainian military and, in 2013, artillery officer Yaroslav Sherstuk created an Android app designed to help personnel reduce the time to fire the gun from minutes to under 15 seconds. According to its developer, the application has roughly 9,000 users.

According to CrowdStrike, Fancy Bear took the legitimate Android app and bundled it with an Android variant of X-Agent, a piece of malware that has been used by the threat actor in attacks aimed at high-value targets, including the Democratic National Committee (DNC).

The malicious version of the app was distributed on Ukrainian military forums from late 2014 through 2016. Experts believe the legitimate program had been mainly distributed through social media, not via the Google Play store.

The Android variant of the X-Agent malware appears to be designed for strategic purposes as it does not cause any damage to the infected device and it does not interfere with the operation of the original app. X-Agent is capable of accessing contact information, SMS messages, call logs and Internet data.
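The two observable traits of the trojanized D-30 app described above, distribution outside Google Play and a bundled component that reads contacts, SMS, call logs and the network, are exactly what a device-inventory triage can key on. The script below is an added example, not CrowdStrike's or the article's code; it assumes an installed-package inventory has already been exported from a device (for instance flattened from `adb shell dumpsys package` output) into the simple records shown, and every package name, certificate fingerprint and permission list in it is constructed sample data. The permission identifiers and the Play store installer package name are real Android values.

```python
"""Triage heuristic for repackaged (trojanized) Android apps.

Added example, not code from CrowdStrike or SecurityWeek. It assumes an
inventory of installed packages has already been exported from a device
and flattened into the InstalledPackage records below. All package
names, signer fingerprints and permission sets here are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Real Android permission identifiers matching the data the article says
# X-Agent collects: contacts, SMS messages, call logs and Internet access.
SPY_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.INTERNET",
}

# Installer package of the official Google Play store (real identifier).
PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed allow-list: package name -> SHA-256 of the developer's signing
# certificate. A repackaged APK cannot be signed with the original key, so a
# mismatch here is the strongest single signal of tampering.
KNOWN_SIGNERS = {
    "com.example.artillery": "aa" * 32,  # placeholder fingerprint, constructed
}


@dataclass
class InstalledPackage:
    name: str
    installer: Optional[str]            # None when sideloaded without a store
    signer_sha256: str
    permissions: set = field(default_factory=set)


@dataclass
class Finding:
    package: str
    reasons: list

    @property
    def score(self) -> int:
        return len(self.reasons)


def assess(pkg: InstalledPackage) -> Finding:
    """Score one package; each independent signal adds one reason."""
    reasons = []
    expected = KNOWN_SIGNERS.get(pkg.name)
    if expected is not None and pkg.signer_sha256.lower() != expected.lower():
        reasons.append("signing certificate differs from the known developer key")
    if pkg.installer != PLAY_STORE_INSTALLER:
        reasons.append("installed outside the Play store (sideloaded)")
    spy = SPY_PERMISSIONS & pkg.permissions
    data_perms = spy - {"android.permission.INTERNET"}
    # Contacts/SMS/call-log access combined with network access is the
    # collection-plus-exfiltration set; INTERNET alone is far too common.
    if len(data_perms) >= 2 and "android.permission.INTERNET" in spy:
        reasons.append("requests data-collection permissions plus INTERNET: "
                       + ", ".join(sorted(spy)))
    return Finding(pkg.name, reasons)


def triage(packages: list, min_score: int = 2) -> list:
    """Return findings at or above min_score, most suspicious first."""
    findings = [assess(p) for p in packages]
    return sorted((f for f in findings if f.score >= min_score),
                  key=lambda f: -f.score)


# Constructed inventory from one device: a repackaged clone of the allow-listed
# app (wrong signer, sideloaded, spy permissions) and a benign sideloaded app.
SAMPLE_INVENTORY = [
    InstalledPackage("com.example.artillery", None, "bb" * 32,
                     {"android.permission.INTERNET",
                      "android.permission.READ_CONTACTS",
                      "android.permission.READ_SMS",
                      "android.permission.READ_CALL_LOG"}),
    InstalledPackage("com.example.flashlight", None, "cc" * 32,
                     {"android.permission.CAMERA"}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.package} (score {finding.score})")
        for reason in finding.reasons:
            print("  -", reason)
```

The signer check is the decisive one: sideloading and broad permissions are common on their own, but an APK carrying a known package name under a certificate the original developer never used cannot be a legitimate update. Keeping the fingerprint allow-list in a separate store (and populating it from the developer's published signing certificate, not from a device that may already be compromised) is what makes the heuristic trustworthy.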

“CrowdStrike Intelligence assesses a tool such as this has the potential ability to map out a unit’s composition and hierarchy, determine their plans, and even triangulate their approximate location. This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting,” CrowdStrike wrote in its report.

“Additionally, a study provided by the International Institute of Strategic Studies determined that the weapons platform bearing the highest losses between 2013 and 2016 was the D-30 towed howitzer. It is possible that the deployment of this malware-infected application may have contributed to the high-loss nature of this platform,” the report adds.

The threat intelligence firm pointed out that the purpose of the malicious D-30 app further strengthens its belief that Fancy Bear is likely affiliated with Russia’s GRU agency.

Related: Russian Cyberspies Use “Komplex” Trojan to Target OS X Systems

Related: Two APTs Used Same Zero-Day to Target Individuals in Europe

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.