2016-12-24

Malware used to hack Democratic National Committee servers during the 2016 elections was also used to hack an artillery-targeting app in Ukraine, and might have caused Ukrainian military losses to pro-Russian forces, according to a report released this week by CrowdStrike, a cybersecurity company.

“Ukraine’s artillery men were targeted by the same hackers, that we call Fancy Bear, that targeted DNC, but this time they were targeting cellphones (belonging to the Ukrainian artillery men) to try to understand their location so that the Russian artillery forces can actually target them in the open battle,” Dmitri Alperovitch, CrowdStrike’s co-founder and chief technology officer, told the PBS NewsHour.

CrowdStrike said an application that allowed the Ukrainian military to better pinpoint targets was distributed to units operating Soviet-era D-30 howitzers. The app was infected by Russian hackers affiliated with the GRU, the Russian military’s intelligence agency, CrowdStrike added.

CrowdStrike says that Ukrainian forces suffered larger-than-average losses after the malware infected the artillery officers’ cellphones.

“It was the same variant of the same malicious code that we had seen at the DNC,” Alperovitch said.

He told NBC News that this proved “it wasn’t a 400-pound guy in his bed” who hacked the DNC — a reference to earlier speculation by U.S. President-elect Donald Trump — but Russian intelligence agencies.

US intelligence

The firm’s conclusions match those of the U.S. intelligence community, which also has blamed Russia for the DNC attack.

However, there are fresh doubts concerning the evidence CrowdStrike used in determining that the Ukrainian military was hacked.

Yaroslav Sherstyuk, the creator of the app that CrowdStrike says was hacked by the GRU, called the CrowdStrike report “delusional” in a Facebook post.

And Pavlo Narozhnyy, a technical adviser to Ukraine’s military, told VOA the app could theoretically have been reverse engineered and hacked, but he stressed that if such hacking had taken place, it would have been spotted.

Narozhnyy stated on Facebook that he outfitted Ukraine’s armed forces with nearly 300 tablets that carried the allegedly hacked software, and some of those tablets were sent to units with D-30 howitzers.

He told VOA that contacts in the Ukrainian military units that used the app reported no losses of D-30 howitzers, which contradicts large battlefield losses referenced in the CrowdStrike report.

“I personally know hundreds of gunmen in the war zone. None of them told me of D-30 losses caused by hacking or any other reason,” Narozhnyy stressed to the VOA.

CrowdStrike told VOA its information on those losses came from what it described as an analysis from the International Institute for Strategic Studies (IISS), a London-based think tank.

“We cited the public, third-party reference source that was quoted,” VOA was told.

But the source referenced in the CrowdStrike report on its website is not the site of the actual IISS, but an article on The Saker, a site that presents a largely pro-Russian version of events in Syria and Ukraine.

Russian blogger

The article is an English translation from a post first published by Boris Rozhin, a popular Russian blogger, who covers Russian military operations under the moniker “Colonel Cassad” from Russian-annexed Crimea.

Rozhin calls his popular blog “the Bullhorn of totalitarian propaganda” and supports pro-Russian separatists in Ukraine, Global Voices reported.

Global Voices is a volunteer online site of citizen media reporters who advocate for free speech.

It is Rozhin’s blog that suggests, based on his interpretation of what he said were two separate IISS reports, that Ukrainian forces suffered losses of about 50 percent of their military hardware between 2013 and 2016.

His posting provides a table, based on what he said was data from the IISS reports, that shows Ukraine had 369 D-30 howitzers in 2013 and 75 in 2016. It included links to what Rozhin said were the original IISS studies, uploaded to a Russian torrent site dedicated to pushing pirated software and movies.

Although the source of the information listed by CrowdStrike is not the actual website of IISS, CrowdStrike defended its findings.

“It is indisputable that the app has been hacked with FANCY BEAR malware — we have published the indicators related to it and they have been confirmed by others in the cybersecurity community,” CrowdStrike told VOA in an email.

Narozhnyy, technical adviser to Ukraine’s military, told VOA he’d like to see more proof for this statement.

In Forbes, Patrick Wardle, ex-NSA staffer and head of research at security firm Synack, said that the malware beaconed back to the U.S. — more an indicator of irony than anything else. The Android spyware was not particularly sophisticated, much like the hack of the DNC, he added. Both were effective, however.

“There are a lot of strings in the clear, makes it super easy to analyze,” Wardle told Forbes. “If it’s on your phone, you are done, it grabs pretty much everything. Kind of perfect for Russian hackers to infect the opposing forces with.”
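As an added illustration of why strings left in the clear make a sample "super easy to analyze", the following Python triage script is not code from the article, from CrowdStrike or Forbes, and not the malware itself: it pulls runs of printable ASCII out of a constructed byte blob, the way the `strings` tool would, and sorts them into beacon endpoints (URLs, IP:port pairs) and capability hints (permission and data-collection names). The blob, the endpoints (RFC 2606 `.invalid` domain, RFC 5737 documentation address) and the hint list are all assumptions built for this example.

```python
import re
from typing import Dict, List

# Constructed sample blob standing in for an unpacked app payload.
# It is NOT the malware from the article; the endpoints are documentation
# values (RFC 2606 ".invalid" TLD, RFC 5737 203.0.113.0/24 range).
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    + bytes(range(1, 32))                      # control bytes: no printable run
    + b"http://c2.example.invalid/api/checkin\x00"
    + b"\x01\x02\x03"
    + b"203.0.113.7:8080\x00"
    + b"android.permission.READ_CONTACTS\x00"
    + b"android.permission.ACCESS_FINE_LOCATION\x00"
    + b"\xff\xfe\xfd"
    + b"sms_db_dump\x00"
    + b"ok\x00"                                 # too short to count as a string
)

PRINTABLE = frozenset(range(0x20, 0x7F))       # space through '~'


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, in file order.

    This is the whole trick behind `strings`: a sample that keeps its
    configuration unencrypted hands over its endpoints in one pass.
    """
    found: List[str] = []
    run = bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:                    # flush a run at end of file
        found.append(run.decode("ascii"))
    return found


URL_RE = re.compile(r"^https?://[^\s/]+(?:/\S*)?$")
IPV4_PORT_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?$")
# Hypothetical hint list: names that suggest location, contact or SMS collection.
CAPABILITY_HINTS = ("READ_CONTACTS", "ACCESS_FINE_LOCATION", "READ_SMS",
                    "sms", "gps", "contacts")


def classify_indicators(strs: List[str]) -> Dict[str, List[str]]:
    """Bucket extracted strings into beacon endpoints and capability hints."""
    out: Dict[str, List[str]] = {"urls": [], "ip_endpoints": [], "capabilities": []}
    for s in strs:
        if URL_RE.match(s):
            out["urls"].append(s)
        elif IPV4_PORT_RE.match(s):
            out["ip_endpoints"].append(s)
        elif any(h.lower() in s.lower() for h in CAPABILITY_HINTS):
            out["capabilities"].append(s)
    return out


def triage(blob: bytes) -> Dict[str, List[str]]:
    """One-shot triage: strings pass followed by indicator classification."""
    return classify_indicators(extract_strings(blob))


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_BLOB).items():
        print(f"{kind}: {items}")
```

On a real sample the endpoint bucket is what a defender turns into a block rule or a network alert, and the capability bucket is what tells an analyst how much a compromised handset gives away; the same pass finds nothing useful against a sample whose configuration is encrypted or built at runtime, which is why cleartext strings are the mark of an unsophisticated tool.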
