The malware, attributed to a group dubbed Fancy Bear, was hidden inside a legitimate app written by a Ukrainian artillery officer and used by Ukrainian forces, CrowdStrike said in its report (PDF). It was distributed through online military forums. The app was meant to assist with artillery targeting, but it carried malware called X-Agent that could access the phone's communications, coarse location data and contacts.
“A tool such as this has the potential ability to map out a unit’s composition and hierarchy, determine their plans, and even triangulate their approximate location,” the report said. “This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting.” The infected app was distributed from 2014 through 2016, CrowdStrike said.
Such malware would be a new example of the blurred line between conventional warfare and cyberwarfare. The conflict between Russia and Ukraine over territory in eastern Ukraine and Crimea is particularly heated: Ukraine accused Russia of blocking government communications in 2014, and computer attacks in 2015 took down three Ukrainian power stations, according to security firm iSight. Ukraine again laid the blame on Russia.
In the case of Fancy Bear, the software “reveals one more component of the broad spectrum approach to cyber operations taken by Russia-based actors in the war in Ukraine,” CrowdStrike said. The tactical information the app provided “supports CrowdStrike’s previous assessments that Fancy Bear is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia,” the report said.
The Ukrainian and Russian governments didn’t immediately respond to a request for comment.