Menu
The group that hacked the DNC infiltrated Ukrainian artillery units

The group that hacked the DNC infiltrated Ukrainian artillery units

The group distributed a trojanized version of an Android app used by Ukrainian artillery personnel

The cyberespionage group blamed for hacking into the U.S. Democratic National Committee (DNC) earlier this year has also infiltrated the Ukrainian military through a trojanized Android application used by its artillery units.

The group, which is known in the security industry under different names, including Fancy Bear, Pawn Storm, and APT28, has been operating for almost a decade. It is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent that has variants for Windows, Android, and iOS.

Fancy Bear has been responsible for many cyberespionage operations around the world over the years, and its selection of targets has frequently reflected Russia's geopolitical interests. Researchers from security firm CrowdStrike believe the group is likely tied to the Russian Military Intelligence Service (GRU).

The company found an Android application package earlier this year that had been trojanized with the Android version of X-Agent. It is a maliciously modified version of an app developed by Yaroslav Sherstuk, an officer in Ukraine's 55th Artillery Brigade, to help artillery forces more quickly process targeting data for the Soviet-made D-30 howitzer.

Sherstuk previously estimated in media interviews that up to 9,000 Ukrainian artillery personnel have used his application and that it helped reduce the D-30 targeting time from minutes to under 15 seconds, according to CrowdStrike. 

Sherstuk's app has never been distributed through Google Play, meaning its users likely installed it manually after obtaining it from various sources. And with users in the habit of installing apps from alternative sources, Fancy Bear probably didn't have much trouble distributing a trojanized version of the app.

"Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance against Ukrainian troops," the CrowdStrike researchers said Thursday in a blog post. "The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Ingram Micro launches Showcase 2018 in Christchurch

Ingram Micro launches Showcase 2018 in Christchurch

Ingram Micro kickstarted Showcase 2018 in Christchurch, hosting more than 40 vendors at Horncastle Arena. Under the banner of Leading the Way, the event demonstrated what’s new, what’s next and how it can be used to improve business and everyday life.

Ingram Micro launches Showcase 2018 in Christchurch
Data breach notification laws in NZ: How can partners prepare?

Data breach notification laws in NZ: How can partners prepare?

This exclusive Reseller News Roundtable outlined the responsibilities facing security partners today, assessing risk while evaluating the role of the vendor in providing added layers of protection.

Data breach notification laws in NZ: How can partners prepare?
Show Comments