In December 2016, CrowdStrike, Inc. published a report outlining how malware written by FancyBear (also known as APT28) – the same Russian hacking group that is thought to be responsible for the cyber attacks on the DNC – infected a Ukrainian artillery application, allowing for the geolocation and subsequent destruction of Ukrainian D-30 Howitzer artillery sites. The report asserts that the malware implant, commonly known as X-Agent, was written and distributed by FancyBear, and concludes that the group was able to distribute the implant via an Android application used by Ukrainian artillery officers for the purpose of collecting location data for targeted military strikes, which resulted in a loss of more than 80% of the UA’s D-30 Howitzer arsenal in the Russian-Ukrainian conflict from 2014 to 2016. [CrowdStrike has since revised their estimate of Ukrainian military losses to 15-20% of their Howitzer arsenal.]
A D-30 Howitzer
These findings have since been challenged by the Ukrainian Army and other experts. In an effort to gain an objective opinion, Focal Point was asked to provide a technical analysis of the malware to document its details and capabilities.
Focal Point acquired a sample of the infected application, POPRD30.apk, last month and conducted a full-scale malware analysis. This application was designed to assist in atmospheric calculations to allow for greater accuracy for D-30 Howitzer artillery strikes. According to the original report, with this application in the hands of every Ukrainian artillery officer, Russia was able to use the implanted malware to gather location data on Ukrainian positions.
Focal Point’s analysis is partially in agreement with the initial report – that the location data collected by the malware is not reliable enough to accurately pinpoint a target with any degree of certainty, because it collects referential positioning data from nearby cell towers rather than more precise GPS data. The location data is simply too coarse to support a targeted air strike.
However, Focal Point has raised questions about the attribution to the FancyBear threat actor. X-Agent has been “in the wild” since 2012, is relatively easy to obtain, and has been well-documented, including in our report below. Further, ESET was able to obtain the source code for a report in 2016. With the implant’s known availability, any number of threat actors, in addition to FancyBear, could have been in possession of the implant during the Russian-Ukrainian conflict from 2014-2016.
Focal Point’s report concludes that, while it’s likely that the malware can be attributed to a Russian-affiliated actor, there is simply not enough public evidence to link that malware to FancyBear in particular. And, because of the malware’s tenuous collection of imprecise referential positioning data, it is likely that the malware was only used for traditional espionage and information gathering, not precise military strikes. Lastly, since it is not known how many devices were infected, or which ones, there is no way to substantiate any claim that ties X-Agent to Russian strikes on Ukrainian artillery.
Focal Point’s full technical report can be downloaded in its entirety below.