FANCY BEAR / X-Agent compromise of Ukrainian artillery system

Grey Havoc

Via Roman Alymov over at Tank-net: https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/

• From late 2014 and through 2016, the FANCY BEAR X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk.

• The original application enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 Howitzer employed by Ukrainian artillery forces, reducing targeting time from minutes to under 15 seconds. According to Sherstuk’s interviews with the press, over 9000 artillery personnel have been using the application in the Ukrainian military.

• Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them.

• Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any artillery piece in Ukraine’s arsenal.

• This previously unseen variant of X-Agent represents FANCY BEAR’s expansion in mobile malware development from iOS-capable implants to Android devices, and reveals one more component of the broad spectrum approach to cyber operations taken by Russia-based actors in the war in Ukraine.

• The collection of such tactical artillery force positioning intelligence by FANCY BEAR further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia.

If correct, OUCH.
 
Grey Havoc said:
If correct, OUCH.

This is why militaries need to build their own secure app repositories, only use apps tested and deployed within those secure repositories, and use them only on locked-down devices issued for the purpose. It sounds as though this artillery app was disseminated via forums (vulnerable to intrusion) and sideloaded onto users' personal phones. That's a recipe for malicious intervention.

BYOD is OK for the private sector (barely) but it has no purpose in military organizations.
 
Reports were that an arty guy built up a ballistics computer app from tables plus other useful tools for the D-30, and that later versions were military-issued but the original was forum-distributed, and most of the losses occurred during that period. That brutal 15 seconds to detection for counter battery purposes from the trojaned app beaconing is unreal.
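A defender-side illustration of the "beaconing" the post above refers to, added here as an example and not part of this thread or of CrowdStrike's report: an implant that reports device or location data on a timer leaves outbound connections with near-constant spacing, which a simple gap-regularity check per (device, app, destination) can surface in device or gateway logs. All device names, package names, hosts and timestamps below are constructed placeholders, not real indicators.

```python
"""Periodic-beacon detection over per-app connection records (constructed example).
An implant phoning home on a timer makes near-constant connection spacing;
user-driven traffic is bursty. Gap regularity per (device, app, destination) tells them apart."""
from collections import defaultdict
from itertools import accumulate
from statistics import mean, pstdev


def _times(start, gaps):
    """Turn a start time and a list of gaps into absolute timestamps."""
    return list(accumulate(gaps, initial=start))


# Constructed sample records: (device_id, package, destination, epoch_seconds).
# Package names and hosts are placeholders, not real indicators.
SAMPLE_CONNECTIONS = (
    # Hypothetical implant: about every 300 s with a few seconds of jitter.
    [("tablet-07", "com.example.artycalc", "c2.example.invalid", t)
     for t in _times(1_700_000_000, [300, 298, 303, 301, 297, 300, 302])]
    # Same device, a browser with irregular user-driven traffic.
    + [("tablet-07", "com.example.browser", "maps.example.org", t)
       for t in _times(1_700_000_000, [5, 40, 2, 600, 13, 90, 1])]
    # Regular but too few events to score (below min_events), so ignored.
    + [("tablet-07", "com.example.weather", "wx.example.org", t)
       for t in _times(1_700_000_000, [3600, 3600])]
)


def find_beacons(records, min_events=6, max_cv=0.10):
    """Return groups whose gaps are regular enough to look timed.
    max_cv caps stdev/mean of the gaps; 0.10 tolerates about 10% jitter."""
    by_key = defaultdict(list)
    for device, package, dest, ts in records:
        by_key[(device, package, dest)].append(ts)
    findings = []
    for (device, package, dest), times in by_key.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({"device": device, "package": package, "dest": dest,
                             "period_s": round(period), "jitter_cv": round(cv, 3),
                             "events": len(times)})
    return findings
```

Tune min_events and max_cv to the log window and the implant's jitter; the weather group shows why a minimum event count matters, since two regular gaps alone prove nothing.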
 
You could get especially tricky with this if you were able to force the devices to use GLONASS alone. Think - blue on blue.
 
ouroboros said:
That brutal 15 seconds to detection for counter battery purposes from the trojaned app beaconing is unreal.

That's not what the original post said, though.
 