CROWDSTRIKE GLOBAL INTELLIGENCE TEAM

web: WWW.CROWDSTRIKE.COM | twitter: @CROWDSTRIKE

Copyright 2016

U S E O F F A N C Y B E A R A N D R O I D M A L WA R E I N T R A C K I N G O F U K R A I N I A N F I E L D A R T I L L E R Y U N I T S

P U B L I S H E D D E C E M B E R 2 2

K E Y P O I N T S• From late 2014 and through 2016, FANCY BEAR X-Agent implant

was covertly distributed on Ukrainian military forums within a

legitimate Android application developed by Ukrainian artillery

officer Yaroslav Sherstuk.

• The original application enabled artillery forces to more rapidly

process targeting data for the Soviet-era D-30 Howitzer employed

by Ukrainian artillery forces reducing targeting time from

minutes to under 15 seconds. According to Sherstuk’s interviews

with the press, over 9000 artillery personnel have been using

the application in Ukrainian military.

• Successful deployment of the FANCY BEAR malware within

this application may have facilitated reconnaissance against

Ukrainian troops. The ability of this malware to retrieve

communications and gross locational data from an infected

device makes it an attractive way to identify the general location

of Ukrainian artillery forces and engage them.

• Open source reporting indicates that Ukrainian artillery forces

have lost over 50% of their weapons in the 2 years of conflict and

over 80% of D-30 howitzers, the highest percentage of loss of any

other artillery pieces in Ukraine's arsenal.

• This previously unseen variant of X-Agent represents FANCY

BEAR’s expansion in mobile malware development from iOS-

capable implants to Android devices, and reveals one more

component of the broad spectrum approach to cyber operations

taken by Russia-based actors in the war in Ukraine.

• The collection of such tactical artillery force positioning

intelligence by FANCY BEAR further supports CrowdStrike’s

previous assessments that FANCY BEAR is likely affiliated with

the Russian military intelligence (GRU), and works closely with

Russian military forces operating in Eastern Ukraine and its

border regions in Russia.

“O P E N -S O U R C E

R E P O R T I N G I N D I C AT E S L O S S E S O F A L M O S T

5 0 % O F E Q U I P M E N T I N T H E L A S T 2 Y E A R S O F C O N F L I C T A M O N G S T

U K R A I N I A N A R T I L L E R Y F O R C E S A N D O V E R 8 0 %

O F D -3 0 H O W I T Z E R S W E R E L O S T, F A R M O R E

T H A N A N Y O T H E R P I E C E O F U K R A I N I A N A R T I L L E R Y 9 .

”

U S E O F F A N C Y B E A R A N D R O I D M A L WA R E I N T R A C K I N G O F U K R A I N I A N F I E L D A R T I L L E R Y U N I T S

B A C K G R O U N DIn late June and August 2016, CrowdStrike Intelligence provided initial

reporting and technical analysis of a variant of the FANCY BEAR implant

X-Agent that targeted the Android mobile platform2. CrowdStrike

identified this X-Agent variant within a legitimate Android application

named Попр-Д30.apk. This app was developed and used by artillery

troops to simplify targeting data for the D-30 towed howitzer. CrowdStrike

investigation reveals that this app has been utilized in a possible training

or operational role in at least one unit of the Ukrainian military. Therefore,

the implant likely targeted military artillery units operating against pro-

Russian separatists in Eastern Ukraine.

This implant represents further advancements in FANCY BEAR’s

development of mobile malware for targeted intrusions and extends

Russian cyber capabilities to the front lines of the battlefield. This Tipper

builds on CrowdStrike’s previous reporting by providing a timeline

of events, contextual discussion regarding the potential drivers for

development and deployment of the malware, and a description of the

analytical process resulting in targeting assessments. Finally, this Tipper

leverages these assessments, in conjunction with more recently observed

activity by Russia-based adversaries, to determine the potential for any

future activity in the mobile malware threat space.

“C R O W D S T R I K E

I D E N T I F I E D T H I S X- A G E N T VA R I A N T

W I T H I N A L E G I T I M AT E A N D R O I D A P P L I C AT I O N N A M E D ПОПР-Д30.APK. T H I S A P P WA S D E V E L-

O P E D A N D U S E D B Y A R T I L L E R Y T R O O P S T O S I M P L I F Y TA R G E T I N G

D ATA F O R T H E D -3 0 T O W E D H O W I T Z E R

”

Russia offers Ukraine loans and discounts on gas

Referendum on Crimea/Crimean

annexation

Gazprom increases gas prices, Ukraine

skips payment

Intrusions into Ukraine’s

Transportation Sector

Presidential Elections in

Ukraine

DDoS and targeted intrusions in media, financial, & political entities in Ukraine

Malicious App Observed in

Distribution on Forums

Protests reach their peak, gov’t cracks down

violently; agreement reached for elections;

Yanukovich flees to Russia

Armed men appear in unmarked uniforms

in Crimea

DDoS vs. NATO

Pro-Russian forces begin

seizing government resources in

Eastern Ukraine

Intrusion against Ukraine’s Central

Election Commission

Malaysia Air Flight MH17 destroyed by pro-Russian

Separatists

Minsk I Ceasefire

Signed

Video depicting use of Попр-Д30

application in eastern Ukraine

Earliest public reporting on

the Android App developed by the Ukrainian soldier

CyberBerkut Emerges

J A N F E B M A R A P R M AY JUNE JULY A UG SE P T OC T NO V DE C J A N F E B M A R A P R M AY JUNE JULY A UG SE P T OC T NO V DE C

ПОПР -Д3 0 D E V E L O P E D

2 0 F E B - 1 3 A P R

Ukraine’s Parliament convenes and plans to lay

foundation for EU Association Agreement

UKR Pres. Yanukovych does

about face on planned EU agree-

ment, orients towards Russia

Protest movement begins in Kiev

Individual believed to be the developer promotes Android App on Russian Social Media

Site vKontakteKremlin threatens Ukraine

over EU agreement

Anon Ops vs. Ukraine Gov’t Web-sites - Defacements

and DDoS

2 0 1 3 2 0 1 4

LIKELY RUSSIA-BASED RECONNAISSANCE OF UKRAINIAN GOVERNMENT AND/OR MILITARY TARGETS

ARMED CONFLICT IN UKRAINE

MALICIOUS APP DISTRIBUTIONPOSSIBLE DEVELOPMENT TIME FRAME: MALICIOUS X-AGENT IMPLANT INJECT FOR ПОПР-Д30 LATE APRIL 2013 - EARLY DECEMBER 2014

LEGEND Events associated with the Android app

International Events or Diplomacy Efforts

Ukrainian Domestic Affairs

Targeted Intrusion, DDoS or Disinformation

Russian / Ukrainian Confrontation

J A N F E B M A R A P R M AY JUNE JULY A UG SE P T OC T NO V DE C J A N F E B M A R A P R M AY JUNE JULY A UG SE P T OC T NO V DE C

Developer of benign app promoted within

Ukrainian militaryPro-Russian Hacktivist Group Sprut Emerges

Crimea lacks electricity after physical attack

Cyber attacks against Ukrainian

power stations

Attack on Kiev Airport System

Reported testing period for ArtOS

News story associating app author as head of the ArtOS project, a joint en-

deavor with the Noosphere Engineering School

Forums discussing the app and claiming to be associat-ed with the developers users are called out as fraudulent some users claim copy apps

are distributing malware

First Minsk Ceasefire Collapses

Minsk II Protocol signed

Targeted intrusions against Ukraine’s

Ministry of Defense

2 0 1 5 2 0 1 6

LIKELY RUSSIA-BASED RECONNAISSANCE OF UKRAINIAN GOVERNMENT AND/OR MILITARY TARGETS

ARMED CONFLICT IN UKRAINE

MALICIOUS APP DEVELOPMENT, DEPLOYMENT, AND USAGE TIME FRAME LATE APRIL 2013 - AND BEYOND

LEGEND Events associated with the Android app

International Events or Diplomacy Efforts

Ukrainian Domestic Affairs

Targeted Intrusion, DDoS or Disinformation

Russian / Ukrainian Confrontation

CyberBerkut Releases Info Associated With Claimed Intrusion into Ukraine’s

Security Service SBU

CyberBerkut Defaces Bellingcat Website

“T H E O R I G I N A L ,

B E N I G N A P P L I C AT I O N E N A B L E D A R T I L L E R Y

F O R C E S T O M O R E R A P I D LY P R O C E S S

TA R G E T I N G D ATA F O R T H E D -3 0 H O W I T Z E R

R E D U C I N G TA R G E T I N G T I M E F R O M M I N U T E S

D O W N T O 1 5 S E C O N D S .

”

T I M E L I N E O F E V E N T S

DEVELO PM EN T AN D D IST RIBUT IO N PRO CES S OF T H E BEN IG N APPLICAT IO NThe original application central to this discussion, Попр-Д30.apk, was

initially developed domestically within Ukraine by a member of the 55th

Artillery Brigade. Based on the file creation timestamps as well as the

app signing process, which occurred on 28 March 2013, CrowdStrike has

determined that the app was developed sometime between 20 February

and 13 April 2013.

Shortly after that time frame, on 28 April 2013, an individual bearing the

same name as the application’s developer promoted the application

on Russian vKontakte3 pages associated with the artillery forces. The

promotion of the program was likely limited to social media, and the

distribution was controlled from the author’s main page, «Програмное

обеспечение современного боя» (translation: "Modern combat software").4

As an additional control measure, the program was only activated for

use after the developer was contacted and issued a code to the individual

downloading the application.

No evidence of the application has been observed on the Android app

store, making it unlikely that the app was distributed via that platform.

The control measures established by the developer to limit the use and

proliferation of the Попр-Д30.apk application, coupled with its unique

purpose, make its broad distribution on the Android store improbable.

At the time of this writing, it is unclear to what degree and for how

long this specific application was utilized by the entirety of the

Ukrainian Artillery Forces. Based on open source reporting, social

media posts, and video evidence, CrowdStrike assesses that Попр-Д30.apk

was potentially used through 2016 by at least one artillery unit operating

in eastern Ukraine.

RECONNAISSANCE, DEVELOPMENT AND DISTRIBUTION OF THE MALICIOUS APPLICATION RECONNAISSANCE

Given the estimated development timeframe and the promotional period

for the benign Попр-Д30.apk application, the program was likely available

online for distribution after late April 2013. CrowdStrike Intelligence

assesses that the application likely came to the attention of Russia-

based adversaries around this time frame as a result of ongoing Russian

reconnaissance associated with the revolution in Ukraine. Actors with a

nexus to Russia regularly monitor social media sites in order to better

understand or formulate operations against their targets.

CrowdStrike Intelligence has noted instances in which some Russia-based

actors and attribution front groups have leveraged information obtained

from Ukrainian social media sites in order to perform operations. The

most notable recent example of this was in the case of extortion-based

threats directed against the Polish Government.5 In this particular case,

the perpetrators likely sought out openly available account information

from a vKontakte page belonging to a Ukrainian citizen, who was soliciting

donations to aid volunteer soldiers fighting in eastern Ukraine. The adversary

then used this profile information, in conjunction with the name "Pravyy

Sector," to make it appear as though the extortion threats against the Polish

government were originating from an ultranationalist Ukrainian group.

CrowdStrike has assessed that by performing this type of deceptive

operation the perpetrator likely sought to make it appear as though

Ukrainian interests were threatening the Polish government. In addition,

because the individual account hijacked for this operation had been used to

try to raise funds for Ukrainian forces, the adversary may have been trying to

aggravate Western governments enough to freeze the individual’s accounts.

The attack did not appear to achieve its intended result. Poland rebuffed the

threats, and the owner of the vKontakte page denounced any involvement

in the threat. Subsequently the Pravyy Sector group scrubbed their social

media page of much of the information associated with this failed operation.

This particular incident is an example of how a disinformation operation is

staged. While this incident is not likely to be related to the development of

the X-Agent Android variant, it demonstrates the reconnaissance and pre-

planning tactics that precede the rest of a campaign. Development

and Distribution

CrowdStrike has discovered indications that as early as 2015 FANCY BEAR

likely developed X-Agent applications for the iOS environment, targeting

"jailbroken" Apple mobile devices. The use of the X-Agent implant in the

original Попр-Д30.apk application appears to be the first observed case

of FANCY BEAR malware developed for the Android mobile platform. On 21

December 2014 the malicious variant of the Android application was first

observed in limited public distribution on a Russian language, Ukrainian

military forum. A late 2014 public release would place the development

timeframe for this implant sometime between late-April 2013 and early

December 2014.

“F O R U K R A I N I A N T R O O P S , A R T I L L E R Y F O R C E S H AV E

A L S O S H O U L D E R E D AH E AV Y C O S T. I N 2

Y E A R S O F C O N F L I C T, T H E Y H AV E L O S T N E A R LY

5 0 % O F T H E I RA R T I L L E R Y P I E C E S A N D

O V E R 8 0 % O F D -3 0 H O W I T Z E R S , F A R M O R E

T H A N A N Y O T H E RP I E C E O F U K R A I N I A N

A R T I L L E R Y.

”

During that proposed development timeframe, a number of significant

events unfolded between Ukraine, Russia, and the international

community. Most notably, Russian attempts to influence Ukrainian-EU

relations resulted in the large-scale, Maidan protest movement, eventually

resulting in the ouster of then-president Victor YANUKOVYCH, the invasion

and annexation of the Crimean Peninsula by Russia, and the protracted

armed conflict in eastern Ukraine. Therefore, the creation of an application

that targets some of the front line forces pivotal in Ukrainian defense

on the eastern front would likely be a high priority for Russian adversary

malware developers seeking to turn the tide of the conflict in their favor.

CrowdStrike Intelligence has assessed that the distribution of the

malicious application targeted the very artillery units for which the benign

application was developed—brigades operating in eastern Ukraine on the

frontlines of the conflict with Russian-backed separatist forces during

the early stages of the conflict in late-2014. This assessment is based on a

number of factors, but chief among them is the likelihood that a military

member would only trust and use an application designed to calculate

something as critical as targeting data if it was developed and promoted

by a member of their own forces. The type of operational activity described

here suggests an extremely sophisticated understanding of the target that

only a skilled adversary would likely possess.

By late December 2014, the total number of Russian forces in the region

was approximately 10,000 troops.6 Because the Android malware could

facilitate gross position information, its successful deployment could

have facilitated anticipatory awareness of Ukrainian artillery force troop

movement, thus providing Russian forces with useful strategic planning

information. Indeed, the 55th Artillery Brigade and similar artillery units

operated frequently against pro-Russian separatists in eastern Ukraine.

A video posted on 18 October 20157 specifically shows them employing the

Попр-Д30.apk application and operating in the vicinity of eastern Ukraine.

The choice of the Russian language character set in the application further

underscores the targeting of forces within eastern Ukraine, as Russian is the

predominant language utilized in that region. An assessment of languages

spoken by region based on the most recent census information illustrates

the permeation of the Russian language in that region and highlights the

value of providing Russian in the malicious Попр-Д30.apk application.

One alternative theory regarding the use of the Russian language in the

application could be that targeting may have been directed at pro-Russian

“C R O W D S T R I K E

I N T E L L I G E N C E H A S A S S E S S E D T H AT T H E

D I S T R I B U T I O N O F T H E M A L I C I O U S A P P L I C AT I O N

TA R G E T E D T H E V E R Y A R T I L L E R Y U N I T S F O R

W H I C H T H E B E N I G N A P P L I C AT I O N WA S

D E V E L O P E D — B R I G A D E S O P E R AT I N G I N E A S T E R N

U K R A I N E O N T H E F R O N T L I N E S O F T H E

C O N F L I C T W I T H R U S S I A N - B A C K E D

S E PA R AT I S T F O R C E S D U R I N G T H E E A R LY

S TA G E S O F T H E C O N F L I C T I N L AT E -2 0 1 4 .

”

forces operating in eastern Ukraine. A relevant and likely counterargument for this theory, however, is that Russian

forces likely have employed fire support systems and other technologies that can already calculate targeting data,

negating the need for an application to perform this task. Additionally, the application was initially developed by a

member of the Ukrainian army. An opposing force would probably not adopt technology developed by the enemy for use

on the battlefield.

OU TC OME S AND CONCLUSIONThe eastern Ukrainian front has been markedly impacted by heavy fighting involving Russian troops and pro-Russian

rebel fighters deployed to this region. Artillery forces on both sides of the conflict have served an important role. For

Ukrainian troops, artillery forces have also shouldered a heavy cost. Open-source reporting indicates losses of almost

50% of equipment in the last 2 years of conflict amongst Ukrainian artillery forces and over 80% of D-30 howitzers were

lost, far more than any other piece of Ukrainian artillery 9.9

Between July and August 2014, Russian backed forces launched some of the most decisive attacks against Ukrainian

forces, resulting in significant loss of life, weaponry, and territory. According to open sources, Ukrainian service

personnel from the 24th and 72nd Mechanized Brigade, as well as the 79th Airborne Brigade, were among the units to

have suffered casualties. International monitoring groups later assessed some of the attacks were likely to have come

from inside Russian territory.10

A malware-infected Попр-Д30.apk application probably could not have provided all the necessary data required to

directly facilitate the types of tactical strikes that occurred between July and August 2014. Eyewitness accounts from

individuals within the impacted units reported seeing an unmanned aerial vehicle (UAV) used in the area prior to one

attack, underscoring the need for precise locational data for these particular strikes and introducing the possibility

U K R A N I A N

R U S S I A N

O T H E R

U N C L E A R

U K R A N I A N & R U S S I A N E Q U A L L Y

92.6% 78.2% 35.3% 37.4% 19.9%

2.9% 16.6% 38.4% 34.4% 34%

40.4%25.9%20%4.2%2%

W E S T C E N T E R S O U T H E A S T D O N B A S S

1.6% .4% 5.4% 1.3% 5.2%

.5%1%.9%.6%.9%

L A N G U A G E S S P O K E N B Y R E G I O N

Distribution of Russian/Ukrainian Language Use in Ukraine8

“C R O W D S T R I K E

I N T E L L I G E N C E A S S E S S E S A T O O L S U C H A S T H I S

H A S T H E P O T E N T I A L A B I L I T Y T O M A P O U T A U N I T ’ S C O M P O S I T I O N

A N D H I E R A R C H Y, D E T E R M I N E T H E I R P L A N S , A N D E V E N

T R I A N G U L AT E T H E I R A P P R O X I M AT E L O C AT I O N

”

that the Android malware served to support the reconnaissance role of

traditional battlefield assets. Although traditional overhead intelligence

surveillance and reconnaissance (ISR) assets were likely still needed

to finalize tactical movements, the ability of this application to retrieve

communications and gross locational data from infected devices, could

provide insight for further planning, coordination, and tasking of ISR,

artillery assets, and fighting forces.

The X-Agent Android variant does not exhibit a destructive function and does

not interfere with the function of the original Попр-Д30.apk application.

Therefore, CrowdStrike Intelligence has assessed that the likely role of

this malware is strategic in nature. The capability of the malware includes

gaining access to contacts, Short Message Service (SMS) text messages,

call logs, and internet data, and FANCY BEAR would likely leverage this

information for its intelligence and planning value.

CrowdStrike Intelligence assesses a tool such as this has the potential

ability to map out a unit’s composition and hierarchy, determine their plans,

and even triangulate their approximate location. This type of strategic

analysis can enable the identification of zones in which troops are operating

and help prioritize assets within those zones for future targeting.

Additionally, a study provided by the International Institute of Strategic

Studies determined that the weapons platform bearing the highest losses

between 2013 and 2016 was the D-30 towed howitzer.11 It is possible that

the deployment of this malware infected application may have contributed

to the high-loss nature of this platform.

The development of the X-Agent Android malware represents an expansion

of FANCY BEAR capabilities in terms of mobile malware, and illustrates

the practical application of full-spectrum combat as envisioned in the

eponymous doctrinal writings of General Valery GERASIMOV. As a part

of full-spectrum operations in Ukraine, Russia-based adversaries have

leveraged malware on the battlefield, in the civil sector, and against

critical infrastructure. They have also engaged in aggressive information

operations in the media. In relation to this broader picture of Russian

computer operations, the approach to targeting mobile smartphone and

tablet devices in order to gain strategic insight into communications is a

tactic that cannot be disregarded.

CrowdStrike assesses that the observed and described X-Agent implant

targeting Ukrainian military Android devices running the Попр-Д30.apk

application is likely only the initial iteration of this type of malware. While

this malware was initially discovered in a battlefield environment, an

adversary could also leverage it in attacks against non-military targets.

Mobile devices and internet-connected technology have increasingly

proliferated civilian and military organizations. This technique may very

likely be deployed in the political, government, or non-governmental

sectors in the near future.

1-The name Попр-Д30.apk is an abbreviated variant of Поправки-Д30

which translates to Correction-D30.

2-For more information, contact CrowdStrike

3-vKontakte is a Russian social media networking site alike in layout

and functionality to Facebook.

4-http://programs-art.at.ua

5-For more information, contact CrowdStrike

6-Igor Sutyagin, “Russian Forces in Ukraine,“ Royal United Services

Institute, March 2015, https://rusi.org/sites/default/files/201503_bp_

russian_forces_in_ukraine.pdf

7-https://www.youtube.com/watch?v=qp-7e_ZGH8I

8-Data for image circa 2015. Note: These maps do not provide data for

Crimea. According to various sources, there are estimates suggesting

that, in greater Crimea 80% speak Russian, 10% speak Ukrainian, and 10%

speak Tatar. The percentage of Russian speakers is estimated to be higher

in Sevastopol, most likely dues to the Russian Naval Base in the region.

Source: The Razumkov Center report on "The Ukranian Citizen's Identity in

the New Environment: Status, Trends, Regional Differences,"“7 June 2016,

razumkov.org.ua/upload/identi-2016.pdf.

9-http://thesaker.is/ukrainian-army-losses-in-ato-anti-terrorist-operation-

according-to-the-iisss-military-balance/

10-For more information, see “Origin of Artillery Attacks on Ukrainian

Military Positions in Eastern Ukraine between 14 July 2014 and 8 August

2014, "https://www.bellingcat.com/news/uk-and-europe/2015/02/17/

origin-of-artillery-attacks/."

“T H E C O L L E C T I O N

O F S U C H TA C T I C A L A R T I L L E R Y F O R C E

P O S I T I O N I N G I N T E L L I G E N C E B Y F A N C Y

B E A R F U R T H E R S U P P O R T S C R O W D S T R I K E ’ S

P R E V I O U S A S S E S S M E N T S T H AT F A N C Y B E A R I S L I K E LY

A F F I L I AT E D W I T H T H E R U S S I A N M I L I TA R Y

I N T E L L I G E N C E (G R U )

”