
Experts Doubt Russia Used Malware to Track Ukrainian Troops

Experts have cast doubt on a recent report claiming that hackers linked to a Russian military intelligence agency used a piece of Android malware to track Ukrainian artillery units.

A report published by threat intelligence firm CrowdStrike before Christmas revealed that the Russia-linked cyberespionage group known as Fancy Bear (aka APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit) modified a legitimate Android app used by the Ukrainian military.

Specifically, researchers found an Android version of X-Agent, a piece of malware known to be used by Fancy Bear, embedded in an app developed by artillery officer Yaroslav Sherstuk to help military personnel reduce the time to fire D-30 howitzers.

According to CrowdStrike, the malicious app, which had been distributed on Ukrainian military forums from late 2014 through 2016, was capable of accessing contact information, SMS messages, call logs and Internet data. The security firm believes these capabilities could have allowed Russia to track Ukrainian troops via the app.

CrowdStrike also pointed to a report claiming that Ukraine had lost many D-30 guns in the past years, and speculated that this cyber operation may have contributed to those losses. Based on its investigation, the company is confident that Fancy Bear is connected to the Russian military, particularly the GRU foreign military intelligence agency.

Sherstuk has called CrowdStrike’s report “delusional” and pointed out that the app is not open source. He says the application has been under his control and he personally oversees the activation of each installation.

Jeffrey Carr, CEO of Taia Global and founder of the Suits and Spooks conference, has analyzed CrowdStrike’s report and, after contacting several other experts, he determined that the security firm’s arguments are flawed.

According to Carr, while X-Agent may be used by Fancy Bear, the malware is not exclusive to the group. The X-Agent source code appears to have been obtained by several entities, including Ukrainian hacktivist Sean Townsend and the security firm ESET.

The X-Agent variant found in the Ukrainian military app has also been analyzed by CrySyS, the Hungary-based security firm that has investigated several sophisticated pieces of malware, including Duqu. Researchers have found similarities between X-Agent implants described in previous Fancy Bear reports and the version found in the Ukrainian military app, but they pointed out that such similarities can be faked by threat actors.

Another interesting discovery is that the rogue app does not use GPS to obtain the infected device’s exact location, which Carr calls “a surprising design flaw for custom-made malware whose alleged objective was to collect and transmit location data on Ukrainian artillery to the GRU.”

While the malware can collect some location data via the base stations used by the infected Android device, Carr believes it’s not enough to track someone, especially given Ukraine’s poor cellular service.

CrowdStrike said it had obtained the information on D-30 howitzer losses from the International Institute for Strategic Studies (IISS), but as VOA pointed out, the loss estimates actually come from a pro-Russia website that published its own interpretation of some IISS reports.

Pavlo Narozhnyy, a technical adviser to Ukraine’s military, told VOA that he doubts the D-30 app can be hacked, and he claimed that none of the app’s users reported any D-30 howitzer losses.

Carr also highlighted that the malware-infected app may not have actually made it onto a single Ukrainian soldier’s Android device, considering that each user needed to contact Sherstuk personally to obtain an activation code.

“Crowdstrike never contacted the app’s developer to inform him about their findings. Had they performed that simple courtesy, they might have learned from Jaroslav Sherstuk how improbable, if not impossible, their theory was,” Carr said. “Instead, they worked inside of their own research bubble, performed no verification of infected applications or tablets used by Ukraine’s artillery corps, and extrapolated an effect of 80% losses based upon a self-proclaimed, pro-Russian propagandist and an imaginary number of infected applications.”

CrowdStrike stands by its findings and is confident that the military app has been hacked by the Fancy Bear group.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.