Use of malware to track and target Ukrainian artillery units (2014-2016)

From International cyber law: interactive toolkit
Date The malicious application was first observed in late 2014 and was distributed until 2016.[1]
Suspected actor According to CrowdStrike's analysis, the attack was attributed to the Russian group APT28 (also known as FANCY BEAR), which is most probably affiliated with Russian military intelligence (GRU).[2] This attribution is supported by findings from other incident investigations, according to which the group selects its targets very specifically, usually for intelligence collection.[3]
Target Ukrainian artillery forces operating in eastern Ukraine during the armed conflict with Russian-backed separatists, especially units equipped with D-30 howitzers.[4]
Method X-Agent malware implanted in an application for artillery fire coordination. The original application was developed in 2013 by an officer of the Ukrainian 55th Artillery Brigade; around 9,000 artillery personnel were using the original app, distributed as Попр-Д30.apk.[2]

APT28 obtained a copy of the original app and created a version containing the X-Agent malware. The malicious app was first observed at the end of 2014, distributed on Ukrainian military forums; download links posted on these forums were the main way of spreading it.[5] Apart from geolocation data, X-Agent was able to collect text messages, contact lists, media files and information about the unit's chain of command, composition and plans for future operations.[6][7]
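The distribution method described above, a legitimate APK copied, modified and re-posted under the same name, is detectable by anyone who holds a copy of the genuine build: a repackaged APK must be re-signed, because the attacker does not have the original developer's signing key, and it usually carries added or modified code. The following is an added example (not code from the original page, CrowdStrike or the Ukrainian app's author) that compares the per-file SHA-256 digests of two APKs and flags a replaced signing certificate and new or changed executable code. Both APKs are constructed in memory with placeholder contents; the file names, the loader stub and the "classes2.dex" payload are assumptions for illustration, not the real layout of Попр-Д30.apk or X-Agent.

```python
from __future__ import annotations

import hashlib
import io
import zipfile


def build_apk(entries: dict) -> bytes:
    """Build a minimal zip (an APK is a zip) from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for the genuine build (placeholder contents, not the real app).
ORIGINAL_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package=\"example.fire.control\"/>",
    "classes.dex": b"dex\n035\x00ballistics-tables-and-ui",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.RSA": b"PKCS7-signature-by-original-developer",
})

# Constructed stand-in for the trojanized copy: same package, modified classes.dex
# (loader stub), an added second dex holding the implant, and a new signer block
# because the attacker had to re-sign the package with their own key.
TROJANIZED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package=\"example.fire.control\"/>",
    "classes.dex": b"dex\n035\x00ballistics-tables-and-ui+implant-loader",
    "classes2.dex": b"dex\n035\x00implant-payload",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.RSA": b"PKCS7-signature-by-attacker",
})


def entry_digests(apk_bytes: bytes) -> dict:
    """SHA-256 of every file entry inside the APK, keyed by entry name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {
            info.filename: hashlib.sha256(z.read(info)).hexdigest()
            for info in z.infolist()
            if not info.is_dir()
        }


def diff_apks(reference: bytes, candidate: bytes) -> dict:
    """Entries added, removed or modified in candidate relative to reference."""
    ref = entry_digests(reference)
    cand = entry_digests(candidate)
    common = ref.keys() & cand.keys()
    return {
        "added": sorted(cand.keys() - ref.keys()),
        "removed": sorted(ref.keys() - cand.keys()),
        "modified": sorted(n for n in common if ref[n] != cand[n]),
    }


def _is_signer_block(name: str) -> bool:
    return name.startswith("META-INF/") and name.endswith((".RSA", ".DSA", ".EC"))


def _is_code(name: str) -> bool:
    return name.endswith(".dex") or (name.startswith("lib/") and name.endswith(".so"))


def assess(diff: dict) -> list:
    """Turn a diff into triage findings; an empty list means the copies are identical."""
    findings = []
    changed = diff["added"] + diff["modified"]
    if any(_is_signer_block(n) for n in changed):
        findings.append("signing certificate replaced: package was re-signed by someone other than the original developer")
    if any(_is_code(n) for n in diff["added"]):
        findings.append("new executable code added: " + ", ".join(n for n in diff["added"] if _is_code(n)))
    if any(_is_code(n) for n in diff["modified"]):
        findings.append("existing executable code modified: " + ", ".join(n for n in diff["modified"] if _is_code(n)))
    return findings


if __name__ == "__main__":
    for finding in assess(diff_apks(ORIGINAL_APK, TROJANIZED_APK)):
        print(finding)
```

On a real device the same idea is cheaper still: an APK signed with a different key cannot be installed over the genuine one without uninstalling it first, so an "update" from a forum link that demands removal of the existing app is itself the warning sign. The diff above is for the case where the analyst has both files and wants to know what changed before the implant is reverse-engineered.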

Purpose Most probably tracking Ukrainian artillery units equipped with D-30 howitzers in order to make the combat activity of Russian-backed separatists more effective.[8]
Result According to the latest available information, Ukrainian forces lost around 20 per cent of their pre-war D-30 howitzer arsenal in combat operations during the two years following the outbreak of the armed conflict in 2014.[8] In total, however, Ukraine lost around 50 per cent of all its artillery weapons over the same period.[9]

The application most probably could not provide all the necessary targeting information; Russian-backed separatist units therefore also had to use unmanned aerial vehicles (UAVs) to locate the exact positions of Ukrainian artillery.[10] On the other hand, the data obtained from the app may have been used to conduct more frequent and more precise attacks against Ukrainian forces.[11]

Aftermath Officials of the Ukrainian army denied CrowdStrike's report and the alleged artillery losses, and stated that the destroyed artillery systems had nothing to do with the distribution of the malicious application among artillery personnel.[12]
Analyzed in Scenario 10: Cyber weapons

Scenario 13: Armed conflict

Scenario 22: Methods of warfare

Collected by: Josef Novotný

  1. Pierluigi Paganini, 'Fancy Bear APT tracked Ukrainian artillery units with an Android implant' (Security Affairs, 22 December 2016).
  2. CrowdStrike Global Intelligence Team, 'Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units' (CrowdStrike, 23 March 2017).
  3. Dan McWhorter, 'APT28 Malware: A Window into Russia's Cyber Espionage Operations?' (Mandiant, 27 October 2014).
  4. Catalin Cimpanu, 'Russian Cyber-Espionage Group Tracked Ukrainian Military Using Android Malware' (BleepingComputer, 22 December 2016).
  5. Adam Meyers, 'Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units' (CrowdStrike Blog, 22 December 2016).
  6. Stephanie J. Seward, 'Cyberwarfare in the Tactical Battlespace: An Intelligence Officer's Perspective' (n.d.).
  7. Feike Hacquebord & Fernando Merces, 'Pawn Storm Update: iOS Espionage App Found' (Trend Micro, 4 February 2015).
  8. Pratim Datta, 'Cyberruse at the Cybergates: Technology, People and Processes' (ISACA, 30 October 2021).
  9. Balaji, 'Ukrainian Artillery Tracked Using Android Malware Implant by Russian Hackers' (GBHackers On Security, 2016).
  10. Wiktor Sędkowski, 'Welcome to Cyberwar' (Warsaw Institute, 17 December 2020).
  11. Patrick Tucker, 'DNC Hackers Linked to Russian Activity Against Ukraine Two Years Ago' (Defense One, 21 December 2016).
  12. 'Defense ministry denies reports of alleged artillery losses because of Russian hackers' break into software' (Interfax-Ukraine, 6 January 2017).