Fancy Bear, the hacker group previously linked to Russian military intelligence (GRU), is believed to have deployed malware on Android devices to track and target Ukrainian artillery units over the past two years. According to security researchers at CrowdStrike, Fancy Bear used customised malware between 2014 and 2016 to intercept communications, location data and more from the Ukrainian units.
Fancy Bear has also previously been linked to the cyberattacks against the Democratic Party during the 2016 US presidential election. According to security researchers, Fancy Bear, also known as APT 28 and Sofacy, among other names, is the "exclusive operator" of this particular strain of malware. Researchers noted that the threat actors "uniquely" developed this malware and have updated it over the years for specific cyberattacks.
"This cannot be a hands-off group or a bunch of criminals, they need to be in close communication with the Russian military," CrowdStrike co-founder Dmitri Alperovitch told Reuters.
Researchers found that the hacker group altered a legitimate app, used by Ukrainian troops for their day-to-day operations and developed by one of their own officers, by bundling it with their customised malware. The Android app was developed by Yaroslav Sherstuk, an officer of the 55th Artillery Brigade in Ukraine. According to researchers, an estimated 9,000 artillery personnel are believed to have used the original app.
CrowdStrike researchers believe that Fancy Bear's malware may have "facilitated reconnaissance against Ukrainian troops". Because the malware can intercept and collect communications and location data from infected Android devices, it is likely effective at revealing the general location and activities of Ukrainian forces.
The newly uncovered Android variant of X-Agent, Fancy Bear's own malware family, is believed to indicate the group's evolution and expansion into mobile malware development. Researchers noted that the malware's capabilities also reflect the group's skill in creating and implanting malware on iOS and Android devices.
CrowdStrike concluded, "Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine's arsenal.
"The collection of such tactical artillery force positioning intelligence by FANCY BEAR further supports CrowdStrike's previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia."