The most convincing evidence yet tying Russia's GRU intelligence agency to the hack of the Democratic National Committee has been found in a bizarre tale involving an Android app developed by a Ukrainian military officer, security firm CrowdStrike claimed today.
The company, which helped the DNC with the investigation of its notorious breach earlier this year, said it had uncovered Android malware used by the so-called Fancy Bear crew in June 2016. Fancy Bear is widely believed to be the group behind the DNC hit as well as the Democratic Congressional Campaign Committee (DCCC) hack.
That spyware was hiding inside an app developed by a Ukrainian artillery officer called Yaroslav Sherstuk, which was designed to help expedite the processing of targeting data for the Soviet-era D-30 Howitzers he was using, CrowdStrike said.
As it wasn't an official government project, Sherstuk shared the app across forums frequented by fellow army personnel, explained CrowdStrike CTO and co-founder Dmitri Alperovitch. As many as 9,000 were said to have downloaded the app, as it reduced targeting time to 15 seconds. The video below shows Sherstuk talking about the apparent success of the app, noting that he had the authorization codes required to make the tool work. (Thanks to Kromtech Security for translating the Ukrainian).
Fancy Bear inserted its malware into the apps, which would reveal the location of the host Android phone and allowed Fancy Bear to snoop on infected devices, he said. This may have had a devastating impact on Ukraine's defense, Alperovitch added, pointing to open source research that indicated in two years of conflict over 80 per cent of D-30 howitzers had been destroyed. "This was pretty devastatingly effective," said Alperovitch.
That Fancy Bear was involved in such a campaign further proved the group was Russian and was facilitating GRU operations. Previous reports had linked the GRU to the DNC hack, though hard evidence was thin on the ground. But Alperovitch believes this is one of the clearest indicators yet that the hacks on the U.S. election were ordered by the GRU. "It's pretty high confidence that Fancy Bear had to be in touch with the Russian military," he added. "This is exactly what the mission is of the GRU."
CrowdStrike has sent the information to its customers, both in government and across private industry.
Patrick Wardle, ex-NSA staffer and head of research at security firm Synack, told me the malware beaconed back to the U.S. -- more an indicator of irony than anything else. The Android spyware was not particularly sophisticated, much like the hack of the DNC, he added. Both were effective, however. "There are a lot strings in the clear, makes it super easy to analyze," Wardle said. "If it's on your phone, you are done, it grabs pretty much everything. Kind of perfect for Russian hackers to infect the opposing forces with."
Today saw the U.S. impose more sanctions of Russian individuals over the annexation of Crimea, whilst Obama has promised retaliation for the hacks. With evidence increasingly pointing to Russia's culpability, Obama is evidently emboldened to come down hard on Putin before president-elect Donald Trump moves into the White House.
