Fancy Bear Tracks Ukraine Troop Movements via Trojanized App

The Fancy Bear APT group has deployed malware within a widely-used military application that may have facilitated Russian reconnaissance against Ukrainian troops.

According to an analysis by CrowdStrike, Fancy Bear is likely state-sponsored and tied to Russian Military Intelligence (GRU). Its unique hallmark is the use of a remote access toolkit (RAT) known as X-Agent; in CrowdStrike's assessment, wherever X-Agent is spotted, Fancy Bear has been present.

The group, which CrowdStrike has also linked to the targeted intrusions at the Democratic National Committee (DNC) and other political organizations in the lead-up to the US elections, has apparently infiltrated an Android app for the D-30 122mm towed Howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s but still in use today.

The Android application was initially developed within Ukraine by an officer of the 55th Artillery Brigade named Yaroslav Sherstuk. Sherstuk has said publicly that the application, which reduces the targeting and firing time for the D-30 Howitzer from minutes to under 15 seconds, has some 9,000 users.

According to CrowdStrike, in-depth reverse engineering revealed that from late 2014 through 2016, a trojanized version of the app containing the Fancy Bear X-Agent implant was distributed among the Ukrainian military. Fancy Bear is using the malware to retrieve communications and coarse location data from infected devices in order to identify the general location of Ukrainian artillery forces and engage them, the firm added.

Further, it seems to be working: “Open-source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the two years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal,” said Adam Meyers, vice president of intelligence at CrowdStrike, in an analysis.

“This previously unseen variant of X-Agent represents Fancy Bear’s expansion in mobile malware development from iOS-capable implants to Android devices, and reveals one more component of the broad-spectrum approach to cyber-operations taken by Russia-based actors in the war in Ukraine,” Meyers noted. “The collection of such tactical artillery force positioning intelligence further supports CrowdStrike’s previous assessments that Fancy Bear is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia.”
