Russian DNC hackers also hacked Ukrainian military, new report says

Michael Isikoff
·Chief Investigative Correspondent
A pro-Russian rebel military vehicle convoy moves towards Donetsk , eastern Ukraine, in 2014.
A pro-Russian rebel military vehicle convoy moves towards Donetsk , eastern Ukraine, in 2014. (Photo: Mstyslav Chernov/AP)

The same Russian intelligence hackers who attacked the Democratic National Committee and stole thousands of internal emails used computer malware to penetrate the Android cellphone of a Ukrainian military officer, enabling the Russian military to target and destroy Ukrainian artillery forces in that country, according to a new report released Thursday by a top cybersecurity firm.

The report is by CrowdStrike, the firm that was hired by the DNC last spring and that first linked the hack of the committee’s computers to Russian hackers it called “Fancy Bear.” Its new analysis further strengthens the case that these same Fancy Bear hackers are closely tied to the Russian military, said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike.

“The same hackers that have stolen files from the DNC are engaged in the identification and targeting of Ukrainian forces in eastern Ukraine,” said Alperovitch in an interview with Yahoo News. “This establishes a connection between Fancy Bear and the Russian military at an operational level.”

The deployment of Fancy Bear hacking tools in the Ukrainian conflict is, in one sense, not a surprise. Ever since CrowdStrike first published its report linking the DNC hack to Fancy Bear, the firm has contended the perpetrators were closely associated with the GRU, the name of Russia’s military intelligence service.

But the new report being published Thursday would appear to make the linkages even stronger, suggesting that Fancy Bear hackers even used the identical malware to penetrate both the DNC and the Ukrainian military.

According to its new report, the malware was likely initially designed in order to target a mobile app that had been developed by a Ukrainian military officer, part of that country’s 55th Artillery Brigade, to enable his country’s artillery forces to more rapidly fire D-30 Howitzers against Russian separatist forces, backed by the Russian military, in eastern Ukraine.

The military officer, a Russian language speaker, in April 2013 surprisingly promoted the app as “modern combat software” on a Russian language social media site. This apparently drew the attention of the Fancy Bear hackers, who regularly monitor such sites, according to the CrowdStrike report. The hackers then developed a malware dubbed “X-agent” to infiltrate the officer’s Android app sometime in late 2014 — a year of turmoil in Ukraine when then pro-Russian president Viktor Yanukovych fled the country following protests in Maiden Square, and military conflict broke out with an estimated 10,000 Russian troops moving into the country.

The report says Russian troops then used the X-agent malware to pinpoint the location of Ukrainian Howitzers and destroy them. This resulted in potentially hundreds of Ukrainian casualties, according to Alperovitch. Relying in part on open source media reports and eyewitness accounts, the report notes that the Russians used drones to develop more precise locational data for Ukrainian positions, “introducing the possibility that the Android malware served to support the reconnaissance role of traditional battlefield assets.”

But what may be most significant, according to Alperovitch, is that the same X-agent malware was later used by Fancy Bear to attack the DNC.

“We have ONLY seen Fancy Bear use it and no other group ever,” he wrote in an email to Yahoo News. “Its source code is also not publicly available and has never been seen on any underground forums.”