
Fancy Bear ties to Kremlin strengthened with Ukraine military hack

Researchers found the Fancy Bear threat group used mobile malware to track the Ukraine military, lending more confidence to assertions the group is linked to the Russian government.

The threat group behind the hacks of the Democratic National Committee, Fancy Bear, was found using mobile malware to track the Ukraine military, leading many to confirm suspicions the group is sponsored by the Russian government.

CrowdStrike Intelligence analysts said they found Android malware infecting an app on Ukraine military devices that contained a variant of X-Agent, a remote access toolkit also used in the hack of the DNC.

"CrowdStrike associates the use of X-Agent with an actor we call Fancy Bear. This actor, to date, is the exclusive operator of the malware, and has continuously developed the platform for ongoing operations, which CrowdStrike assesses is likely tied to Russian military intelligence," Adam Meyers, vice president of intelligence at CrowdStrike, based in Irvine, Calif., wrote in a blog post. "The source code to this malware has not been observed in the public domain and appears to have been developed uniquely by Fancy Bear."

Timo Laaksonen, president of Finland-based F-Secure Corp., said on Twitter this was evidence the Kremlin was behind the DNC hacks.

CrowdStrike said the X-Agent variant was found in an app used by the Ukraine military, which "enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 howitzer." Fancy Bear distributed a trojanized version of the app to as many as 9,000 users.

"Successful deployment of the Fancy Bear malware within this application may have facilitated reconnaissance against Ukrainian troops," Meyers wrote. "The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them."

According to CrowdStrike, the use of this malware to track the Ukraine military "supports CrowdStrike's previous assessments that Fancy Bear is likely affiliated with the Russian military intelligence, and works closely with Russian military forces operating in eastern Ukraine and its border regions in Russia."

Many on Twitter said this report was proof that Fancy Bear is a threat group sponsored by the Russian government, which further strengthens suspicions that the Russian government was behind the DNC hack and attempts to influence the U.S. presidential election.

Andrei Soldatov, a Russian investigative journalist and Russian security services expert, agreed.


Join the conversation

3 comments


What do you think about the connection between Fancy Bear and the Russian government?

There is strong evidence that they are affiliated with the Russian government. It is indicative of the way that Russian cyber hacks operate. They do not act independently but only with the blessings of their government. So yes, I do believe that they were behind all of the hacks that went on during the election.

They wanted to see their man (Donald Trump) get in.

Really.
A US based, government intelligence/law enforcement personnel staffed tech company pointing fingers at Russia.
Again.
With statements like "We believe" and "points to" as evidence to accuse another country of what the US has declared amounts to acts of war.
Hmm.
Where have I heard this song and dance before...