A cybersecurity firm hired to investigate the Democratic National Committee breach that preceded this year’s presidential election said Thursday that the hack’s presumed perpetrators, Russia’s military intelligence agency, likely used the same malware to target Ukrainian soldiers on the battlefield during their ongoing war against pro-Moscow separatists.
The firm, CrowdStrike, said its researchers believe a hacking arm of Russia’s GRU managed to compromise the smartphones of Ukrainian soldiers by fooling targets into downloading a malicious Android app that had been surreptitiously embedded with a strain of malware known as “X-Agent” that’s been used exclusively in Kremlin-sponsored campaigns for nearly a decade.
When successfully installed, the malware enables hackers to remotely access a compromised device’s internal information — such as text messages, call logs and internet data — priceless pieces of data when placed in the hands of an adversary.
Indeed, security researchers discovered X-Agent variants on DNC computers during the course of investigating the pre-election breach that resulted in thousands of internal Democratic emails being provided to WikiLeaks for publication on the eve of the party’s nominating convention.
Despite the U.S. intelligence community attributing the DNC breach to Russian hackers, skeptics including President-elect Donald Trump have continued to dispute the federal government’s official findings with respect to what the Obama administration described as a blatant attempt to interfere with the American election process.
According to security experts, however, the discovery of an X-Agent strain in the anti-Ukraine campaign uncovered by CrowdStrike may be among the most convincing pieces of evidence yet of Moscow’s involvement in the DNC hack.
CrowdStrike co-founder Dmitri Alperovitch said his firm believes that a GRU unit known as “Fancy Bear” conducted the DNC breach, an assessment reinforced after researchers saw similar malware used in Ukraine, NBC News reported Thursday.
“It’s pretty high confidence that Fancy Bear had to be in touch with the Russian military,” Mr. Alperovitch added in an interview with Forbes. “This is exactly what the mission is of the GRU.”
Researchers who studied the DNC breach believe hackers were able to infiltrate Democratic Party computers by tricking a target into clicking a malicious link contained in a spear-phishing email, which then installed an X-Agent variant that in turn gave hackers remote access to connected computers.
Across the Atlantic, meanwhile, CrowdStrike believes Russian spies circulated a malicious Android app on Ukrainian military forums that was injected with a variant of the same malware.
The malicious app, according to CrowdStrike, was modeled after and made to resemble a legitimate Android program that was being actively used on the battlefield by Ukrainian soldiers at war with pro-Russian separatists.
The original app, “Попр-Д30,” was developed in 2013 by a member of Ukraine’s 55th Artillery Brigade in order to help artillery troops more efficiently use their Soviet-era D-30 Howitzers, and was initially distributed solely through the creator’s social media page.
CrowdStrike believes Fancy Bear hijacked the app in 2014, however, and began distributing a malicious version infected with the X-Agent implant.
“Successful deployment of the Fancy Bear malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them,” CrowdStrike’s report said.
Fancy Bear has been “the exclusive operator of the malware,” according to the security firm, and has continuously revised it in order to conduct ongoing operations that CrowdStrike says are likely tied to the GRU.
“The source code to this malware has not been observed in the public domain and appears to have been developed uniquely by Fancy Bear,” the report said. “The collection of such tactical artillery force positioning intelligence by FANCY BEAR further supports CrowdStrike’s previous assessments that FANCY BEAR is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia.”
Russia invaded Ukraine in 2014, annexing the Crimean peninsula and lending military support to an ongoing separatist campaign in the east led by pro-Kremlin fighters. The International Criminal Court condemned Russia’s involvement as an international armed conflict in a report released last month, and the Obama administration announced new sanctions against Moscow on Tuesday this week over the spat.
President Vladimir Putin has repeatedly denied that the Russian government was responsible for the DNC hack, contrary to the Obama administration’s assessment. Security researchers believe a similar spear-phishing campaign with Russian ties was used a month before the April 2016 DNC breach in order to compromise the personal email account of John Podesta, the chairman of Democratic presidential candidate Hillary Clinton’s failed White House run.