Research published by security company CrowdStrike reveals that hackers belonging to the Fancy Bear group managed to breach Ukraine’s artillery systems using a compromised Android application.
The report reveals that the malware was used to track artillery units like the Soviet-built D-30 Howitzer between 2014 and 2016. The hacker group, which was linked to the Russian government, is believed to have sent the collected information to Russian military forces, who used the location of Ukraine’s artillery units in support of pro-Russian separatists in eastern Ukraine.
The security firm discovered that Fancy Bear used an Android application infected with X-Agent, a cross-platform remote access toolkit, to reach the Android devices that Ukrainian artillery units relied on for certain functions. The malware was distributed on Ukrainian military forums, where approximately 9,000 artillery personnel who frequented these communities used the legitimate application.
Malware targeting 9,000 devices
Developed by Ukrainian artillery officer Yaroslav Sherstuk, the original application was supposed to reduce targeting time from minutes to less than 15 seconds. Fancy Bear hackers targeted this application with a compromised package called “Попр-Д30.apk” that was used to retrieve communications and location data from an infected device.
This helped the Russian army “identify the general location of Ukrainian artillery forces and engage them,” the report shows, pointing out that “Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers.”
The malicious application, however, was mostly distributed via the military forums, and there is still no evidence that it was ever published in the Google Play Store. Users had to install the compromised APK file manually, bypassing the official store.
“This previously unseen variant of X-Agent represents FANCY BEAR’s expansion in mobile malware development from iOS-capable implants to Android devices, and reveals one more component of the broad spectrum approach to cyber operations taken by Russia-based actors in the war in Ukraine,” the security firm notes.
Fancy Bear is one of the Russian hacking groups linked with other attacks, including against the United States. Most recently, the FBI and the CIA blamed Russian hackers for helping Donald Trump defeat Hillary Clinton in the presidential race in the US.