The Russia-linked cyberespionage group known as Fancy Bear has tracked Ukrainian artillery forces by planting a piece of Android malware in a legitimate military application, threat intelligence firm CrowdStrike reported on Thursday.
Fancy Bear is also known as APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit. The group is believed to be responsible for many high-profile attacks, including recent operations aimed at the U.S. Democratic Party, government organisations in Turkey and Germany, and the World Anti-Doping Agency (WADA).
CrowdStrike believes Fancy Bear is likely tied to GRU, the foreign military intelligence agency of Russia’s Armed Forces, and the company’s recent findings reinforce this theory.
This summer, the company’s analysts came across an Android application package (APK) file named “Попр-Д30.apk.” The file contained Russian-language artefacts and its name referenced the D-30, a Russian-made 122 mm towed howitzer that first entered service in the 1960s.
The D-30 is still used by the Ukrainian military and, in 2013, artillery officer Yaroslav Sherstuk created an Android app designed to help personnel reduce the time to fire the gun from minutes to under 15 seconds. According to its developer, the application has roughly 9,000 users.
According to CrowdStrike, Fancy Bear took the legitimate Android app and bundled it with an Android variant of X-Agent, a piece of malware that has been used by the threat actor in attacks aimed at high-value targets, including the Democratic National Committee (DNC).
The malicious version of the app was distributed on Ukrainian military forums from late 2014 through 2016. Experts believe the legitimate program had been mainly distributed through social media, not via the Google Play store.
The Android variant of the X-Agent malware appears to be designed for strategic purposes as it does not cause any damage to the infected device and it does not interfere with the operation of the original app. X-Agent is capable of accessing contact information, SMS messages, call logs and Internet data.
“CrowdStrike Intelligence assesses a tool such as this has the potential ability to map out a unit’s composition and hierarchy, determine their plans, and even triangulate their approximate location. This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritise assets within those zones for future targeting,” CrowdStrike wrote in its report.
“Additionally, a study provided by the International Institute of Strategic Studies determined that the weapons platform bearing the highest losses between 2013 and 2016 was the D-30 towed howitzer. It is possible that the deployment of this malware infected application may have contributed to the high-loss nature of this platform,” the report adds.
The threat intelligence firm pointed out that the purpose of the malicious D-30 app further strengthens its belief that Fancy Bear is likely affiliated with Russia’s GRU agency.