FANCY BEAR Targets Ukrainian Howitzers

Just in case you’re one of the people out there who still doesn’t believe in “the cyber” — it appears that the Russian military served malicious cell-phone apps to the Ukrainian army that allowed them to track a particular artillery cannon.

The legitimate version of the Android app helped its operator use the 1960’s-era former Soviet howitzer. The trojanized version of this application did just the same, except it also phoned home to Russian military intelligence with its location. In addition to giving the Russian army valuable information about troop movements in general, it also led to the destruction of 80% of the cannons in question over two years.

The cited article goes into depth about how certain it is that a hacking group, referred to as FANCY BEAR, are nearly certainly responsible for the attack. The exploit has fingerprints that are not widely known outside of the security research community, and the use of the exploit against the Ukrainian army pretty much ties FANCY BEAR to the Russian military.

This is also the same exploit that was used against the Democratic National Committee in the United States. Attribution is one of the hardest parts of white-hat hacking — attackers don’t want to be found and will leave misleading clues when they can — but the use of the same proprietary malware in these two attacks is pretty convincing evidence that Russian military intelligence has also hacked into US political parties and NGOs.

(Banner image by Vitaly Kuzmin, CC-BY-SA 3.0.)

74 thoughts on “FANCY BEAR Targets Ukrainian Howitzers

    1. It sounds like it’s a user manual as an android app, not that it actually interfaces with the canon. I have heard of malware like this being used to locate secure US government facilities, by recording where phones are powered off and turned back on during the day, indicating areas where people are prohibited from having them.

    2. According to another site where i read this, “Попр-Д30.apk” was developed by an Officer from the Ukrainian military, and makes it possible to aim ‘certain old artillery’ in ‘mere seconds rather then a few minutes’

      “CrowdStrike” (the security company that discovered the malware) didn’t mention what the app exactly does, but at the least its some sort of calculation aid, dont count on it connecting over WIFI/BLE though :P

      Some more details cuz why not:
      – Application had about 9000 users and was spread on Ukrainian military fora
      – A version with malware has been around since 2014 on same fora
      – “X-Agent-malware” (?)
      – The ‘80% of cannons in question’ is roughly 50% of the entire Ukrainian military arsenal
      – Screenshots: http://i.imgur.com/ZDWSjxv.png

      1. Not using a phone app for military op is kind of a common sense thing.
        You could easily write a program on a TI 84 that does the same thing without all the security risks that come with a phone app.

        1. “You could easily write a program on a TI 84” Only if you were in possession of a full set of tables for that gun. It’s not that the program itself is all that complex it’s knowing all the parameters for the artillery piece in question, and that is not a trivial task to acquire that data

          1. *face palm*
            Don’t just read the post, understand the post.
            They developed an app, so they have the information, they just didn’t use it in a secure fashion.

          2. Someone had the dataset, but apparently they wrote the app with some feature that had it phone home; that was the reason they used that platform. What I was questioning was the broad statement that “You could easily write a program on a TI 84.” While the program itself is relatively simple, creating a program for this application is not without a great deal of information that is not readily available.

          3. You know back in the day they fired these thing with nothing more than a slide rule.
            Besides the parameters for it and even a simple GUI could easily fit inside the flash rom of a TI 84 or similar calculator.
            If they want to be secure about an android app then use a device with no cell modem and have it only work with specially signed apps.
            They made a very stupid an obvious mistake here if this story is for real.
            The security protocol failure is so ridiculously obvious I question the validity of the story.

          4. @DV82XL
            Informal english is tough for non-native speakers, so pls let me help: the “you” in “you could easily write” does not mean you in particular, or some random person. He’s not saying someone–eg one of us–should write a better app. He’s saying that *the app creators* could have easily used a different platform. Your post is thus a non sequitur.

          5. I see no point in arguing small semantics especially if the original source of confusion was a caused by sloppy prose. No I am not a native English speaker, but I submit that the orginal argument was not presented clearly and I make no apologies for misinterpreting it.

        2. Most of us are dealing with less…immediately serious…security problems; but this is why your friendly local IT department thinks that “BYOD” is horrible; and doesn’t really care if you like your shiny personal widget more than our boring beige one.

    3. yep, kinda cool app that delivers all calculations to artillery, mortars or even tanks, especially useful if it’s an old piece of equipment without modern aiming devices. with cheap 100$ android tablet you can shoot over horizon with things that wasn’t supposed to do so or just get higher accuracy for longer distance say 20km instead of 15, etc.

      1. Now what would be really cool, and secure, is a custom piece of hardware/firmware running on a microcontroller or something. Small batch of 9000 for all of the howitzers, shouldn’t even be all that expensive. And keeping it offline — priceless.

        1. Be careful where you go from here. (or dont build this in the US)

          one of the projects i was following was a GPS tracking and guidance system for model rocketry.

          as soon as it looked like it was going to work the creator got a visit from ‘guys in suits’ and all the info was scrubbed from the web..

          through the grapevine i hear they threatened the poor kid with weapons export violations since his source was posted on github .. just all around no good.

          be very careful if you talk about aiming/guidance systems on the web, especially if you’re posting any kind of code.

      1. It’s hilarious to me, that guy was on coast to coast AM years before he was so famous with all the nut jobs out there and he was a nut job himself way back then with all his lizard people stuff… Entertaining, but that’s what it was. Entertainment. But get a whistle loud enough and the rats will all line up, just ask the pied piper….

        AM radio created a monster, it just took the right kind of jerk / con man to take advantage of that monsters mental disabilities and steer it right into mainstream. Talk about low hanging fruit.

          1. It’s often ‘not considered a word’ or ‘obsolete’ the use of ‘seldomly’, but I like it and I only got it in my mind from reading books and some well respected classic writers used it so I feel it’s allowable.

      1. it’s bluetooth!!

        that’s why ya gotta change the foil in ya hat ecery day, otherwise the alien control signals build up!

        Chariots of the gods man!

        They practically own South America…

  1. If you emit ANY RF while on your firing post, you can be targeted (radio direction and finding). Germans targeted Americans on the Anzio beachhead by using 455 kHz local oscillator emissions, until Americans smarted up. So, this is quite old hat.

        1. It would likely either keep a log of its location and send when the device allowed it to, or it would bypass the devices settings entirely and send it out. (yes the latter does emit RF but its bypassing what the user told the device to do, so the hack would still be necessary)

        2. Another possibility is that because these are consumer based devices, there is likely RF on those frequencies coming from all over the place, and differentiating would be near impossible.

        3. Jeroen was not implying that there were no RF emissions, simply that ‘locating’ those RF emissions was not required. One would not need to track a transmitter, when the transmitter is relaying it’s physical location in near real time.

  2. Seeing that anything any other country does is done by the US 50 times worse at a minimum I think it’s time for every non-US nation to start reviewing the tie-in of their weapons to such shenanigans.

  3. You know what’s odd? All this sowing of panic will of course lead to people being suspicious of their computers and checking them a lot. And seeing we all know now that the NSA/CIA hacked the entire planet that would lead to discovery of their stuff you would think.
    But I suppose the ‘virus detectors’ are all actually the spyware working to infect everybody, as Anonymous already showed in various cases.
    And that you constantly hear claims they found Russian stuff instead of the inevitable US/UK/DE stuff should tell you something.

    But that leaves Kaspersky, who you would hope don’t have their viruskllers infected by the US, you would hope… But I guess they don’t have their stuff get used by those scared as shit of Russia.

  4. As always, Ukrainians blaming everything on All Migty Russians.
    Most likely cause as it has been written on multiple thematic websites is that the issue of non-mobile towing artilery. Usualy the position has to be changed every few shots, othervise the contr-artilery fire is imminent, with high casualties.
    American and Russian militaries are using Acoustic/Radar artilery position location devices that can locate firing gun after 1-2 shots. There is no question that Russian backed rebels have few of those around and with help of Russian advisors (volonteers and what not) systems like this “1L259M Zoopark-1/-1M” and a ready 20-30km capable artillery battery can wreck havoc on those lazy artillery men.

    1. Yeah, radar location based on the shell trajectory is most likely. It is in someone’s interest to spread FUD to hide the real source of the positioning info. Your point about not changing the position after firing is very valid also.

  5. This is the first time I ever felt strongly enough about the content (dislike) to create an account/give my email etc just to say so. Please don’t let the political hysteria and geopolitics crap come here as well. This is a site I visit just to see people making cool stuff. Now you’ve got “the hacker community loves alexa!” (implicitly, “ignore privacy concerns and big brother loves you”) and “look how russia hacked the ukrainians” (implicitly, “look how militaristic russia is”). Stop it – of course it’s your site, but keep the content relatively messaging/politics-free would be my suggestion if you don’t want to tick readers off.

        1. Ah yes, the classic “if they have a different opinion, they must be a troll” thinking. Oh, but wait, what if I am a PAID troll. No, wait, there must be a better explanation… THEY HACKED MY MIND. *mindblown* Those clever Russian hackers always one step ahead.

          Is it really so much to ask for a politics free tech related news? Doesn’t matter who its pointed against, I would prefer not to see it here.

          1. I was actually called out for being a Kremlin, you know?
            All this time I was endorsing Russia for no cost but not I could actually get PAID for it?!?!
            SIGN ME UP!

    1. “but keep the content relatively messaging/politics-free would be my suggestion if you don’t want to tick readers off.”

      but keep the content relatively messaging/politics-free would be my suggestion if you don’t want to tick russians off.

      Theres, I fix it for you Ivan.

    2. > “the hacker community loves alexa!” (implicitly, “ignore privacy concerns and big brother loves you”)

      That is the complete opposite of how I read that article: to me it looked like “hackers are the ones who care about crypto, put tape over their webcams and nuke their cookies because they understand the privacy concerns, so it’s weird that a lot of them seem to like these always-listening devices that report to big companies what you are talking about”.

      Also you don’t need to cite a neat but specific software hack to demonstrate how militaristic Russia is, you could look at the fact that they keep invading neighbouring countries…

      1. Well, they had to beat off all those civilized and well-mannered Westerners and Easterners. You know, like the Vikings in the 10th century, Mongols in 14th-16th, Poles in 16th-17th century, Tatars until 19th, Swedes until 19th, Napoleon in 19th, Turks until 20th, Germans twice in the 20th, etc, etc. Surely nobody ever attacked Russia. As we can see, they have nothing to fear … Meanwhile, America was attacked exactly once, in 1941. And USA has the biggest military budget in the world by far. Go figure. Ah, maybe it is for attacking other countries? That is plausible: since 1999 they attacked Yugoslavia, Iraq, Afghanistan, Libya, Syria, and participated in many other lower intensity campaigns, like Yemen, drug wars in Latin America, etc.

        USA would do well to save it’s money, pay off it’s debts, and help it’s own people. Wars will not help anyone in the long run, and they are just wrong from the moral standpoint. Sure you could beat up someone who is weaker than you – but should you do it?

      2. I don’t want to get into a flame war, so I’ll just state my two objections to articles like this.

        1) I come here for tech news and cool stuff – if I want misinformation there are a lot of well established options.
        2) Criticism of Russian militarism is usually made without any attempt at objectivity and balance. I get irritated by individual articles like this because it occurs in the context of widespread not-so-subtle attempts to control public opinion and establish hypocrisy as the norm.

      3. ‘keep invading’…
        They only went into Ukraine and into the part with mostly ethnic Russian people. Then they backed Syria at request of its leader, so that’s not invading.
        So tell me who they ‘keep invading’ exactly? The minds of people like you?

        Meanwhile the US/UK invades or attacks at the minimum 2 or 3 countries each year, but typically more than that.

        1. I’m from the Ukraine and I can confirm this.
          You see, with the help of the Ukrainian church there is this Russophobic culture
          afoot. They brainwash the youth into hating the Russians. Also, promoting disrespectful
          slang to refer to them as. I.e. “Muscovites” Or Moskal, as the Ukies would say. This means
          evil Russian, It’s the equivalent of saying Americunt. You don’t do that.

          The Ukrainian hatred towards Russians, I believe had to do with Nazi Germany’s occupation
          of the western portion of the country, which then managed to
          brainwash a significant population. My great-grand father actually served the Germans, shoveling coal into trains. And the years before of the Austrian-Hungarian which
          also ruled western portions of Ukraine too.

  6. I know pretty much nothing about malware attribution, etc., but this whole thing seems very poorly justified. “How do we know it’s Russians? Cuz they used X-Agent! How do we know it’s relevant? Cuz X-Agent is only used by Russians!” With this sort of circular reasoning, it might just as well be lizard people, as far as I’m concerned.
    Also, love their killer commie robots. Can’t wait to see other inflammatory ethnic stereotypes exploited in further reports.

    1. The hacks are also clearly ‘out-of-the-box’ stuff since it uses stuff that had become obsolete already. Which would be odd if it was from such master government hackers as we are pushed to believe.

  7. There have been tons of posts on military/geopolitical subjects, yet for some reason it’s always Russia-related stuff that brings that indignant angry-posters out of the woodwork.

  8. Oh God, I’ve just read the full report. It’s utter rubbish. Zero useful technical information. No information on the number of copies distributed: the most specific piece of information stated that this software — or rather, its uninfected version — was used “at least once”. Well, gee, thanks, that’s very valuable! No solid analysis of the impact (or solid analysis of anything, for that matter), but lots of wink-wink, nudge-nudge. If all the evidence against eeevul Russian hackers is this convincing, they can feel safe.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s