Security Experts:

Connect with us

Hi, what are you looking for?



Experts Doubt Russia Used Malware to Track Ukrainian Troops

Experts have cast doubt on a recent report claiming that hackers linked to a Russian military intelligence agency used a piece of Android malware to track Ukrainian artillery units.

Experts have cast doubt on a recent report claiming that hackers linked to a Russian military intelligence agency used a piece of Android malware to track Ukrainian artillery units.

A report published by threat intelligence firm CrowdStrike before Christmas revealed that the Russia-linked cyberespionage group known as Fancy Bear (aka APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit) modified a legitimate Android app used by the Ukrainian military.

Specifically, researchers found an Android version of X-Agent, a piece of malware known to be used by Fancy Bear, embedded in an app developed by artillery officer Yaroslav Sherstuk to help military personnel reduce the time to fire D-30 howitzers.

According to CrowdStrike, the malicious app, which had been distributed on Ukrainian military forums from late 2014 through 2016, was capable of accessing contact information, SMS messages, call logs and Internet data. The security firm believes these capabilities could have allowed Russia to track Ukrainian troops via the app.

CrowdStrike also pointed to a report claiming that Ukraine had lost many D-30 guns in the past years, and speculated that this cyber operation may have contributed to those losses. Based on its investigation, the company is confident that Fancy Bear is connected to the Russian military, particularly the GRU foreign military intelligence agency.

Sherstuk has called CrowdStrike’s report “delusional” and pointed out that the app is not open source. He says the application has been under his control and he personally oversees the activation of each installation.

Jeffrey Carr, CEO of Taia Global and founder of the Suits and Spooks conference, has analyzed CrowdStrike’s report and, after contacting several other experts, he determined that the security firm’s arguments are flawed.

According to Carr, while X-Agent may be used by Fancy Bear, the malware is not exclusive to the group. The X-Agent source code appears to have been obtained by several entities, including Ukrainian hacktivist Sean Townsend and the security firm ESET.

The X-Agent variant found in the Ukraine military app has also been analyzed by Crysys, the Hungary-based security firm that has investigated several sophisticated pieces of malware, including Duqu. Researchers have found similarities between X-Agent implants described in previous Fancy Bear reports and the version found in the Ukrainian military app, but they pointed out that such similarities can be faked by threat actors.

Another interesting discovery is that the rogue app does not use GPS to obtain the infected device’s exact location, which Carr names “a surprising design flaw for custom-made malware whose alleged objective was to collect and transmit location data on Ukrainian artillery to the GRU.”

While the malware can collect some location data via the base stations used by the infected Android device, Carr believes it’s not enough to track someone, especially given Ukraine’s poor cellular service.

CrowdStrike said it had obtained the information on D-30 howitzer losses from the International Institute for Strategic Studies (IISS), but as VOA pointed out, the loss estimates actually come from a pro-Russia website that published its own interpretation of some IISS reports.

Pavlo Narozhnyy, a technical adviser to Ukraine’s military, told VOA that he doubts the D-30 app can be hacked, and he claimed that none of the app’s users reported any D-30 howitzer losses.

Carr also highlighted that the malware-infected app may have not actually made it onto a single Ukrainian soldier’s Android device, considering that each user needed to contact Sherstuk personally to obtain an activation code.

“Crowdstrike never contacted the app’s developer to inform him about their findings. Had they performed that simple courtesy, they might have learned from Jaroslav Sherstuk how improbable, if not impossible, their theory was,” Carr said. “Instead, they worked inside of their own research bubble, performed no verification of infected applications or tablets used by Ukraine’s artillery corps, and extrapolated an effect of 80% losses based upon a self-proclaimed, pro-Russian propagandist and an imaginary number of infected applications.”

CrowdStrike stands by its findings and is confident that the military app has been hacked by the Fancy Bear group.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.