For those searching for stronger evidence of Russia’s connection to the hack of the Democratic National Committee, the tale of an infected Ukrainian Android app used for cellphones or tablets may help, according to a cybersecurity firm.
A report released Thursday by CrowdStrike describes how a widely used application developed by a Ukrainian artillery officer to more quickly conduct strikes may have become the means by which the Russian government gained intelligence such as the whereabouts of Ukraine’s military forces.
The app, developed in 2013 by self-taught programmer Yaroslav Sherstuk and distributed over social media, was ultimately hijacked by the Fancy Bear hacking group – believed to be affiliated with the Russian military intelligence agency, the GRU. In 2014, Fancy Bear created a malicious variation of the Android application for download and posted it on a Ukrainian military forum.
By some reports, an estimated 9,000 gunners in the Ukrainian military installed the application on Android tablets or cellphones as conflict erupted in eastern Ukraine that pit government forces against Russia-backed rebels in April 2014.
Officers who used the infected application on the battlefield provided the Russian hackers with their general location as well as potentially valuable intelligence, such as access to their contacts, text messages, call logs and internet data, the report states.
The malicious software known as X-Agent, which was used to help turn the clash with Ukrainian forces to Russia’s advantage, is the same malicious software that was used to hack the DNC, said Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike. His company was hired to investigate the DNC hack and over the summer publicly attributed it to Fancy Bear.
Alperovitch said the Ukrainian example demonstrates an even stronger connection between Fancy Bear operators and the Russian military.
“For them to use this on the battlefield they need a closely integrated connection,” Alperovitch said. “It’s exactly the mission of the GRU. … We think this is very convincing evidence that links the two (Fancy Bear and the GRU) together.”
But CrowdStrike’s findings were met with skepticism in Ukraine.
Sherstuk, who created the app, said he wasn’t speaking to reporters when reached by telephone. In a series of Facebook posts, he dismissed the CrowdStrike story as “rotten information.” Nevertheless, he urged soldiers to only download updated versions of the app directly from him.
“Delete earlier versions of the program,” he wrote Thursday.
Victor Romanchuk, a Ukrainian programmer who said he was familiar with the app, suggested it wouldn’t make a very good spy tool. The program is often used on specially ordered tablet computers with no internet connection, said Romanchuk, making them of limited use to an enemy seeking real-time information on troop movements in the field.
Russia’s Ministry of Defense did not immediately return a message seeking comment, but Russia’s leadership has repeatedly rejected allegations that the Russian military is involved in Ukraine – despite a large body of evidence to the contrary .
Russian officials have also denied the Obama administration’s accusation that the highest levels of the Russian government were involved in trying to influence the U.S. presidential election. U.S. intelligence agencies concluded that Russia’s goal was to help Donald Trump win – an assessment the president-elect has dismissed as ridiculous.
President Barack Obama has ordered intelligence officials to conduct a broad review of the election-season cyberattacks.