Use of malware to track and target Ukrainian artillery units (2014-2016): Difference between revisions

From International cyber law: interactive toolkit
No edit summary
(minor proofreading)
Line 6: Line 6:
|-
|-
!Suspected actor
!Suspected actor
|According to analysis, carried out by the CrowdStrike organization, the attack was attributed to Russian group APT28 (also known as the FANCY BEAR). The group is most probably affiliated with the Russian military intelligence (GRU).<ref name=":0">CrowdStrike Global Intelligence Team, '[https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf USE OF FANCY BEAR ANDROID MALWARE IN TRACKING OF UKRAINIAN FIELD ARTILLERY UNITS]‘ (23 March 2017).</ref> This assumption is supported by findings from other incident investigations, according to which the group has a very specific selection of targets, that are usually chosen for collecting intelligence.<ref>Dan McWhorter, '[https://www.mandiant.com/resources/blog/apt28-a-window-into-russias-cyber-espionage-operations APT28 Malware: A Window into Russia's Cyber Espionage Operations?]‘ (Mandiant, 27 October 2014).</ref>
|According to analysis carried out by the CrowdStrike organization, the attack was attributed to Russian group APT28 (also known as the FANCY BEAR). The group is most probably affiliated with the Russian military intelligence (GRU).<ref name=":0">CrowdStrike Global Intelligence Team, '[https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf USE OF FANCY BEAR ANDROID MALWARE IN TRACKING OF UKRAINIAN FIELD ARTILLERY UNITS]‘ (23 March 2017).</ref> This assumption is supported by findings from other incident investigations, according to which the group has a very specific selection of targets that are usually chosen for collecting intelligence.<ref>Dan McWhorter, '[https://www.mandiant.com/resources/blog/apt28-a-window-into-russias-cyber-espionage-operations APT28 Malware: A Window into Russia's Cyber Espionage Operations?]‘ (Mandiant, 27 October 2014).</ref>
|-
|-
! scope="row" |Target
! scope="row" |Target
|Ukrainian artillery forces, operating in areas of eastern Ukraine during war with Russian-backed separatists. Especially those units, which were equipped with D-3O Howitzer cannons.<ref>Catalin Cimpanu, '[https://www.bleepingcomputer.com/news/security/russian-cyber-espionage-group-tracked-ukrainian-military-using-android-malware/#google_vignette Russian Cyber-Espionage Group Tracked Ukrainian Military Using Android Malware]‘ (BleepingComputer, 22 December 2016).</ref>
|Ukrainian artillery forces, operating in areas of eastern Ukraine during war with Russian-backed separatist, especially those units which were equipped with D-3O Howitzer cannons.<ref>Catalin Cimpanu, '[https://www.bleepingcomputer.com/news/security/russian-cyber-espionage-group-tracked-ukrainian-military-using-android-malware/#google_vignette Russian Cyber-Espionage Group Tracked Ukrainian Military Using Android Malware]‘ (BleepingComputer, 22 December 2016).</ref>
|-
|-
! scope="row" |Method
! scope="row" |Method
|X-Agent malware implanted in application for artillery fire coordination. The original application was developed in 2013 by a Ukrainian officer of the 55<sup>th</sup> Artillery Brigade. Around 9000 artillery personnel have been using the original app named Попр-Д30.apk.<ref name=":0" />
|X-Agent malware implanted in application for artillery fire coordination. The original application was developed in 2013 by a Ukrainian officer of the 55<sup>th</sup> Artillery Brigade. Around 9000 artillery personnel have been using the original app named Попр-Д30.apk.<ref name=":0" />
The APT28 members obtained a copy of the original app and then created version, which contained the X-Agent malware. By the end of 2014, the malicious app was observed in distribution on Ukrainian military forums for the first time. Posting download links on these forums was the main way of spreading the app.<ref>Adam Meyers, '[https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/ Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units]‘ (CrowdStrike Blog, 22 December 2016)</ref>
The APT28 members obtained a copy of the original app and then created a version which contained the X-Agent malware. By the end of 2014, the malicious app was observed in distribution on Ukrainian military forums for the first time. Posting download links on these forums was the main way of spreading the app.<ref>Adam Meyers, '[https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/ Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units]‘ (CrowdStrike Blog, 22 December 2016)</ref>
Apart from geo-location data, the X-Agent malware was able to collect information like text messages, lists of contacts, media files, chain of command within the unit, unit composition or plans for future operations.<ref>Stephanie J. Seward, '[https://www.moore.army.mil/Infantry/Magazine/issues/2018/Apr-Jun/PDF/7)Seward-Cyber_txt.pdf Cyberwarfare in the Tactical Battlespace: An Intelligence Officer’s Perspective]‘ (n.d.).</ref> <ref>Feike Hacquebord & Fernando Merces, '[https://www.trendmicro.com/en_us/research/15/b/pawn-storm-update-ios-espionage-app-found.html Pawn Storm Update: iOS Espionage App Found]‘ (Trend Micro, 4 February 2015).</ref>
Apart from geo-location data, the X-Agent malware was able to collect information like text messages, lists of contacts, media files, chain of command within the unit, unit composition or plans for future operations.<ref>Stephanie J. Seward, '[https://www.moore.army.mil/Infantry/Magazine/issues/2018/Apr-Jun/PDF/7)Seward-Cyber_txt.pdf Cyberwarfare in the Tactical Battlespace: An Intelligence Officer’s Perspective]‘ (n.d.).</ref> <ref>Feike Hacquebord & Fernando Merces, '[https://www.trendmicro.com/en_us/research/15/b/pawn-storm-update-ios-espionage-app-found.html Pawn Storm Update: iOS Espionage App Found]‘ (Trend Micro, 4 February 2015).</ref>
|-
|-
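Review bot: the Target row still reads "D-3O Howitzer cannons" with a capital letter O in place of the zero, while the Result row and the app name Попр-Д30.apk use "D-30"; correct it to "D-30 Howitzer cannons". The same edit also changed "Russian-backed separatists" to the singular in "during war with Russian-backed separatist", which reads as a regression; suggest "during the war with Russian-backed separatists". Minor: in the Method row the two consecutive references are written as `</ref> <ref>` with a space between them, which renders a gap between the footnote markers; drop the space.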
Line 20: Line 20:
|-
|-
!Result
!Result
|According to the latest information, Ukrainian forces lost around 20 % of their pre-war D-30 Howitzer guns arsenal in combat operations during the two years following the beginning of the war in 2014.<ref name=":1" /> However, when it comes to total numbers, Ukraine lost around 50 % of all its artillery weapons during the given period.<ref>Balaji, '[https://gbhackers.com/ukrainian-artillery-tracked-using-android-malware-implant-russian-hackers/amp/ Ukrainian Artillery Tracked Using Android Malware implant By Russian Hackers]‘ (GBHackers On Security, 2016)</ref>
|According to the latest information, Ukrainian forces lost around 20 per cent of their pre-war D-30 Howitzer guns arsenal in combat operations during the two years following the beginning of the war in 2014.<ref name=":1" /> However, when it comes to total numbers, Ukraine lost around 50 per cent of all its artillery weapons during the given period.<ref>Balaji, '[https://gbhackers.com/ukrainian-artillery-tracked-using-android-malware-implant-russian-hackers/amp/ Ukrainian Artillery Tracked Using Android Malware implant By Russian Hackers]‘ (GBHackers On Security, 2016)</ref>
The application most probably could not provide all the necessary information. For that reason, Russian-backed separatist units had to use unmanned aerial vehicles (UAV) to localize exact positions of Ukrainian artillery.<ref>Wiktor Sędkowski, '[https://warsawinstitute.org/welcome-to-cyberwar/ Welcome to Cyberwar]‘ (Warsaw Institute, 17 December 2020).</ref> On the other hand, the data, obtained from the app, might have been used to conduct more frequent attacks against Ukrainian forces with higher precision.<ref>Patrick Tucker, '[https://www.defenseone.com/technology/2016/12/dnc-hackers-linked-russian-hacks-ukraine-two-years-ago/134098/ DNC Hackers Linked to Russian Activity Against Ukraine Two Years Ago]‘ (Defense One, 21 December 2016).</ref>
The application most probably could not provide all the necessary information. For that reason, Russian-backed separatist units had to use unmanned aerial vehicles (UAV) to localize exact positions of Ukrainian artillery.<ref>Wiktor Sędkowski, '[https://warsawinstitute.org/welcome-to-cyberwar/ Welcome to Cyberwar]‘ (Warsaw Institute, 17 December 2020).</ref> On the other hand, the data obtained from the app might have been used to conduct more frequent attacks against Ukrainian forces with a higher precision.<ref>Patrick Tucker, '[https://www.defenseone.com/technology/2016/12/dnc-hackers-linked-russian-hacks-ukraine-two-years-ago/134098/ DNC Hackers Linked to Russian Activity Against Ukraine Two Years Ago]‘ (Defense One, 21 December 2016).</ref>
|-
|-
!Aftermath
!Aftermath
|Officials of the Ukrainian army denied CrowdStrike’s report and alleged artillery losses. In addition, they also stated that destroyed artillery weapons have nothing to do with distribution of the malicious application among artillery personnel.<ref>'[https://en.interfax.com.ua/news/general/395186.html Defense ministry denies reports of alleged artillery losses because of Russian hackers' break into software]‘ (Interfax-Ukraine, 6 January 2017).</ref>
|Officials of the Ukrainian army denied CrowdStrike’s report and alleged artillery losses. In addition, they also stated that the destroyed artillery systems have nothing to do with distribution of the malicious application among artillery personnel.<ref>'[https://en.interfax.com.ua/news/general/395186.html Defense ministry denies reports of alleged artillery losses because of Russian hackers' break into software]‘ (Interfax-Ukraine, 6 January 2017).</ref>
|-
|-
!Analyzed in
!Analyzed in
|Scenario 10: Cyber weapons
|[[Scenario 10: Legal review of cyber weapons|Scenario 10: Cyber weapons]]
Scenario 13: Armed conflict
[[Scenario 13: Cyber operations as a trigger of the law of armed conflict|Scenario 13: Armed conflict]]
|}
|}
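Review bot: in the Result row the proofreading introduced "with a higher precision"; "with higher precision" is the idiomatic phrasing and should be restored. In the Aftermath row, "denied CrowdStrike's report and alleged artillery losses" reads more clearly as "denied CrowdStrike's report and the alleged artillery losses". The "per cent" wording and the new wiki-links in the Analyzed-in row are fine.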


Collected by: <!--[[People#|]]--><!--[[Category:Example]]
Collected by: <!--[[People#Research assitants|]]-->
[[Category:2016]]-->
[[Category:Example]]
[[Category:2014]]
<references />
<references />
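Review bot: the Collected-by comment in the new text misspells "assistants" as "assitants" (`<!--[[People#Research assitants|]]-->`); the link is commented out and renders nothing, but the section anchor should be spelled correctly before it is ever uncommented. This edit also moves [[Category:Example]] out of the HTML comment, so the page is now filed in an "Example" category alongside [[Category:2014]]; if "Example" is a template placeholder, keep it commented out or remove it.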

Revision as of 07:59, 12 November 2023

{|
|-
! scope="row" |Data
|The malicious application was first observed in late 2014 and was distributed until 2016.[1]
|-
! scope="row" |Suspected actor
|According to analysis carried out by the CrowdStrike organization, the attack was attributed to the Russian group APT28 (also known as FANCY BEAR). The group is most probably affiliated with the Russian military intelligence (GRU).[2] This assumption is supported by findings from other incident investigations, according to which the group has a very specific selection of targets that are usually chosen for collecting intelligence.[3]
|-
! scope="row" |Target
|Ukrainian artillery forces operating in areas of eastern Ukraine during the war with Russian-backed separatists, especially those units which were equipped with D-30 Howitzer cannons.[4]
|-
! scope="row" |Method
|X-Agent malware implanted in an application for artillery fire coordination. The original application was developed in 2013 by a Ukrainian officer of the 55th Artillery Brigade. Around 9000 artillery personnel have been using the original app, named Попр-Д30.apk.[2]

The APT28 members obtained a copy of the original app and then created a version which contained the X-Agent malware. By the end of 2014, the malicious app was observed in distribution on Ukrainian military forums for the first time. Posting download links on these forums was the main way of spreading the app.[5] Apart from geo-location data, the X-Agent malware was able to collect information such as text messages, contact lists, media files, the chain of command within the unit, unit composition or plans for future operations.[6][7]
|-
! scope="row" |Purpose
|Most probably tracking the Ukrainian artillery units equipped with D-30 Howitzer guns in order to make the combat activity of Russian-backed separatists more effective.[8]
|-
! scope="row" |Result
|According to the latest information, Ukrainian forces lost around 20 per cent of their pre-war D-30 Howitzer gun arsenal in combat operations during the two years following the beginning of the war in 2014.[8] However, when it comes to total numbers, Ukraine lost around 50 per cent of all its artillery weapons during the same period.[9]

The application most probably could not provide all the necessary information. For that reason, Russian-backed separatist units had to use unmanned aerial vehicles (UAVs) to localize the exact positions of Ukrainian artillery.[10] On the other hand, the data obtained from the app might have been used to conduct more frequent attacks against Ukrainian forces with higher precision.[11]
|-
! scope="row" |Aftermath
|Officials of the Ukrainian army denied CrowdStrike's report and the alleged artillery losses. In addition, they stated that the destroyed artillery systems have nothing to do with the distribution of the malicious application among artillery personnel.[12]
|-
! scope="row" |Analyzed in
|[[Scenario 10: Legal review of cyber weapons|Scenario 10: Cyber weapons]]

[[Scenario 13: Cyber operations as a trigger of the law of armed conflict|Scenario 13: Armed conflict]]
|}

Collected by:

  1. Pierluigi Paganini, 'FANCY BEAR APT TRACKED UKRAINIAN ARTILLERY UNITS WITH AN ANDROID IMPLANT' (Security Affairs, 22 December 2022).
  2. CrowdStrike Global Intelligence Team, 'USE OF FANCY BEAR ANDROID MALWARE IN TRACKING OF UKRAINIAN FIELD ARTILLERY UNITS' (23 March 2017).
  3. Dan McWhorter, 'APT28 Malware: A Window into Russia's Cyber Espionage Operations?' (Mandiant, 27 October 2014).
  4. Catalin Cimpanu, 'Russian Cyber-Espionage Group Tracked Ukrainian Military Using Android Malware' (BleepingComputer, 22 December 2016).
  5. Adam Meyers, 'Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units' (CrowdStrike Blog, 22 December 2016).
  6. Stephanie J. Seward, 'Cyberwarfare in the Tactical Battlespace: An Intelligence Officer's Perspective' (n.d.).
  7. Feike Hacquebord & Fernando Merces, 'Pawn Storm Update: iOS Espionage App Found' (Trend Micro, 4 February 2015).
  8. Pratim Datta, Ph.D., 'Cyberruse at the Cybergates: Technology, People and Processes' (ISACA, 30 October 2021).
  9. Balaji, 'Ukrainian Artillery Tracked Using Android Malware implant By Russian Hackers' (GBHackers On Security, 2016).
  10. Wiktor Sędkowski, 'Welcome to Cyberwar' (Warsaw Institute, 17 December 2020).
  11. Patrick Tucker, 'DNC Hackers Linked to Russian Activity Against Ukraine Two Years Ago' (Defense One, 21 December 2016).
  12. 'Defense ministry denies reports of alleged artillery losses because of Russian hackers' break into software' (Interfax-Ukraine, 6 January 2017).