28 December 2016

Russian DNC Hackers Tied to Ukrainian Artillery App Hack


The same family of malware that was used to hack into U.S. Democratic National Committee systems has also been found infecting an Android app used by artillery units defending eastern Ukraine after Russia invaded Crimea in 2014, according to the cybersecurity firm Crowdstrike.

The malware, called X-Agent, is a variant of a type used not only against the DNC but also the World Anti-Doping Agency in support of suspected Russian government disinformation campaigns. Crowdstrike claims to have attributed the attacks to the Russian hacking group known as Fancy Bear.

The DNC intrusion has been attributed by all U.S. intelligence agencies to senior Russian officials (see Obama Suggests Putin Behind Hacks to Influence Vote). President-elect Donald Trump has disputed Russia's involvement, suggesting that another country - or individual - may have perpetrated the hacks.

The Russian government has denied any involvement in the DNC attack.

But Crowdstrike says in a report released Dec. 22 that Fancy Bear - also known as APT28, Pawn Storm, Sednit and Sofacy - has been the "exclusive operator" of the malware. In the case of the DNC hack, however, it says a related Russian group, dubbed Cozy Bear - aka CozyDuke or APT 29 - also participated in the attacks.

X-Agent Malware Evolves

Previously, only variants of the X-Agent malware designed to infect Windows, Apple iOS and Apple OS X systems had been found in the wild (see Fancy Bear's Sloppy Mac Malware).

But from late 2014 through this year, an Android app - named Попр-д30.apk (short for "Correction-D30") - was also infected with a never-before-seen X-agent variant, Crowdstrike says in its report.

The legitimate Android app was developed by Ukrainian artillery officer Yaroslav Sherstuk, a member of the 55th Artillery Brigade. It reduces the time required to process target data for the Soviet-era D-30 howitzer used by Ukrainian forces from minutes to less than 15 seconds, Crowdstrike says. Citing media interviews with Sherstuk, it adds that more than 9,000 artillery personnel now rely on the Android app, which appears to be distributed not via the Google Play app store but via a website maintained by Sherstuk.

By infecting the app, the Russian military may have gained a tactical advantage over Ukrainian troops. "The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them," Crowdstrike notes.

Bolstering that theory, and based on open source reports, Crowdstrike notes that "Ukrainian artillery forces have lost over 50 percent of their weapons in the two years of conflict and over 80 percent of D-30 howitzers," with the howitzers having the highest rate of loss on the battlefield of any piece of Ukrainian artillery.

The operational security expert known as the Grugq says via Twitter that the Crowdstrike report offers "pretty good evidence" tying the unique X-Agent malware family to both the DNC campaign as well as "for tactical military use" against Ukrainian soldiers.

Crowdstrike says the use of the malware against a Ukrainian artillery app bolsters its attribution of related attacks to the Russian military. "The collection of such tactical artillery force positioning intelligence by Fancy Bear further supports CrowdStrike's previous assessments that Fancy Bear is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia," Crowdstrike says in its report.
Signals International Operation

Some security experts say that the Android app-infecting operation appears to be a classic example of an effective signals intelligence operation, referring to the military practice of monitoring, intercepting and interpreting radio and radar signals, as well as digital data, to provide a tactical advantage on the battlefield. Signals intelligence agencies include Russia's GRU, the U.S. National Security Agency, Britain's GCHQ, and the Australian Signals Directorate among many others.

"Op by GRU here a good example of SIGINT-enabled military operations; lethally effective and used without directly revealing capability," says Matt Tait, CEO of U.K. security consultancy Capital Alpha Security, tweeting via his "Pwn All the Things" account. Tait formerly served as an information security specialist for GCHQ as well as Google Project Zero.
Serious OPSEC Fail?

Thomas Rid, a professor of security studies at King's College London, labels Crowdstrike's report "impressive," saying it reinforces existing attribution relating to the DNC hack.

He adds that if the report is fully accurate - and 9,000 Ukrainian artillery personnel downloaded an infected Android app - then it details what is a "colossal" operational security fail on the part of the Ukrainian military.

*If* 9,000 Ukrainian artillery personnel have downloaded an Android app - infected or not - for targeting, then this is a *colossal* OPSEC fail pic.twitter.com/xoA5WhqPFJ

No comments: