DNC breach further linked to Russia through Ukrainian artillery hack

The firm that first linked the Democratic National Committee (DNC) breach to the Fancy Bear hacking group has found evidence that the group also hacked Ukrainian field artillery units, bolstering its confidence that Fancy Bear is controlled by Russia. 

Crowdstrike, which the DNC hired to investigate and remediate the breach, found a variant of the “X-Agent” malware infecting targeted software used by Ukrainian weapon systems in that nation’s conflict against Russian separatists. Fancy Bear regularly uses — and likely developed — the malware.

Crowdstrike believes the link provides more evidence that Fancy Bear is actually Russian intelligence. 

The new variant of X-Agent, targeting the Android platform, was distributed on Ukrainian military forums via a doctored version of a Ukrainian artillery targeting program, “Попр-Д30.apk”. Попр-Д30.apk uses cellphones to improve the efficiency of Ukraine’s D-30 artillery units, first manufactured in the 1960s.

{mosads}Crowdstrike believes it is used for surveillance rather than to damage systems.

According to a report released Thursday, the Android X-Agent can track troop locations and pilfer text messages, call logs and contact lists. 

The variant has not been found on the Android App store. 

Crowdstrike connected this version of X-Agent to its predecessors through a similar command-and-control structure to the Windows variant of the malware. It also used a “very similar” 50-byte encryption key. 

“The GRU is used for both tactical intelligence collection in the battlefield in support of Russian military operations and also strategic active measures or psychological warfare overseas,” Crowdstrike co-founder Dmitri Alperovitch told The Washington Post, referring to Russia’s largest foreign intelligence agency.  

“The fact that they would be tracking and helping the Russian military kill Ukrainian army personnel in eastern Ukraine and also intervening in the U.S. election is quite chilling.”