“Russian hackers determined Ukrainian artillery via Android malware”

Security firm CrowdStrike has discovered malware in a Ukrainian Android application. It attributes the malware to a hacker group allegedly associated with the Russian military. The hackers injected malware into a legitimate artillery targeting app.

CrowdStrike refers to the group as “Fancy Bear,” which it also associated with the hacks on the US Democratic Party. The group allegedly used the X-Agent malware to identify Ukrainian artillery positions between 2014 and 2016. Fancy Bear is the only group to use this malware variant so far. The malware was present in an application called ‘Попр-Д30.apk’, which an officer of the Ukrainian army originally developed.

The legitimate application makes it possible to reduce the time required to target certain old artillery models from minutes to seconds. The security company does not say exactly what the app does, but it seems to be some kind of calculation tool. CrowdStrike writes that the application has about nine thousand users and was distributed on Ukrainian military forums. By adding the X-Agent malware to the legitimate version, it was possible for the Fancy Bear group to pinpoint artillery positions. CrowdStrike writes that it “deems this a possibility.” The malicious version of the app was not distributed via Google’s Play Store; it was probably also distributed via forums.

Public information suggests that Ukrainian armed forces lost about 50 percent of their weapons in a two-year period. In doing so, they lost 80 percent of the artillery models associated with the app. This percentage is higher than for any other model, according to CrowdStrike. The company’s findings would support the earlier conclusion that the Fancy Bear group has ties to the Russian military.
