Episode Description: In this episode of IntrusionsInDepth, host Josh Stepp uncovers the story of how a Ukrainian-developed artillery targeting app, designed to assist soldiers on the battlefield, was trojanized by the Russian cyber espionage group Fancy Bear. The episode walks through a technical breakdown of the malware used, its reported impact on Ukrainian forces, and the broader implications of integrating consumer technology into warfare. Josh takes listeners through the timeline of events from 2014 to 2016 and discusses the challenges of attribution, malware analysis, and the future of cyber operations as an integrated component of military operations.
Main Topics Discussed:
The Compromise of the D-30 Howitzer App
The episode kicks off with a discussion of Ukrainian artillery officer Yaroslav Sherstuk’s development of the Correction-D30 app, which sped up artillery targeting. Fancy Bear, a Russian cyber espionage group, bundled its X-Agent implant into a trojanized copy of the app that circulated outside the official app store, with what CrowdStrike assessed to be devastating consequences for Ukrainian artillery.
Understanding the D-30 Howitzer
Josh explains the technical aspects of the D-30 Howitzer, a Soviet-designed 122mm artillery piece, and how the Correction-D30 app was designed to speed up targeting calculations (CrowdStrike reported it cut the time to produce a firing solution from minutes to a matter of seconds), increasing efficiency and accuracy in battle.
Fancy Bear and the X-Agent Malware
The episode provides an in-depth analysis of Fancy Bear’s Android port of the X-Agent malware and how it was grafted onto the app. This includes a technical breakdown of how the implant worked: its reconnaissance capabilities, its use of Android’s built-in APIs rather than custom exploits, and its ability to collect sensitive data from infected devices while the legitimate targeting functionality kept working.
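The supply-chain weakness that made this intrusion possible was that soldiers installed a file shared outside an app store, so nothing tied the APK on a phone to the build the developer released. The following Python is an added example (not code from the podcast or from any of the linked reports) of the check a defender would run before sideloading: pin the developer's release, then compare a candidate APK against it whole-file and entry-by-entry. The two "APKs", their entry names, the package name ua.example.d30 and the contents are constructed in memory for the demo and are not real indicators of the Попр-Д30 trojan.

```python
"""Compare a sideloaded APK against a pinned, known-good release.

An APK is a zip archive, so the standard library is enough to diff one
against a reference build. A repackaged app that keeps the original UI
typically shows unchanged resources, a modified classes.dex, extra dex
or native-library entries, and a re-signed META-INF.
"""
from __future__ import annotations

import hashlib
import io
import zipfile


def build_apk(entries: dict[str, bytes]) -> bytes:
    """Build a minimal zip that stands in for an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk: bytes) -> dict[str, str]:
    """SHA-256 of every entry inside the APK, keyed by its path in the archive."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
        }


def compare_apk(candidate: bytes, reference: bytes) -> dict:
    """Report how a candidate APK differs from the pinned reference build.

    The whole-file hash is the fast path; if it does not match, the
    per-entry diff tells the analyst *what* changed so triage can focus
    on code, native libraries and the signature rather than resources.
    """
    result: dict = {
        "whole_file_match": hashlib.sha256(candidate).digest()
        == hashlib.sha256(reference).digest(),
        "added": [],
        "removed": [],
        "modified": [],
        "resigned": False,
    }
    if result["whole_file_match"]:
        return result
    ref = entry_digests(reference)
    cand = entry_digests(candidate)
    result["added"] = sorted(set(cand) - set(ref))
    result["removed"] = sorted(set(ref) - set(cand))
    result["modified"] = sorted(n for n in ref.keys() & cand.keys() if ref[n] != cand[n])
    # Any change under META-INF/ means the archive was signed by someone other
    # than (or at a different time from) the pinned release: a repackaging signal.
    result["resigned"] = any(
        n.startswith("META-INF/") for n in result["added"] + result["modified"]
    )
    return result


# Constructed stand-ins: the developer's release, and a repackaged copy that
# keeps the manifest and resources but swaps the code and the signature.
LEGIT_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='ua.example.d30'/>",
    "classes.dex": b"dex\n035\x00original targeting code",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/CERT.RSA": b"developer-signature-blob",
})
TROJANIZED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='ua.example.d30'/>",
    "classes.dex": b"dex\n035\x00original targeting code + implant",
    "res/layout/main.xml": b"<LinearLayout/>",
    "lib/armeabi/libimplant.so": b"\x7fELF constructed payload",
    "META-INF/CERT.RSA": b"attacker-signature-blob",
})

if __name__ == "__main__":
    print(compare_apk(LEGIT_APK, LEGIT_APK))
    print(compare_apk(TROJANIZED_APK, LEGIT_APK))
```

In practice the reference would be the hash published by the developer or the APK pulled from the same signed release the developer distributes, and the signer comparison would be done on the certificate fingerprint (apksigner verify --print-certs) rather than on raw META-INF bytes; the structure of the check is the same.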
Impact of the Malware on Ukrainian Forces
Josh examines how the implant could have let Russian forces locate Ukrainian artillery units, and CrowdStrike’s estimate (revised downward after the report’s initial publication) that up to 20% of Ukraine’s D-30 Howitzers were lost in combat, a figure the Ukrainian Ministry of Defence disputed. The discussion touches on the implications of this kind of cyber operation for real-world military tactics.
Attribution Challenges
The episode delves into the complexities of attributing the attack to Fancy Bear, touching on the fact that malware families can be shared or reused across threat actors, so tooling overlap alone does not prove who ran a given campaign. Josh discusses how CrowdStrike and other security firms identified Fancy Bear’s involvement and the difficulty of confirming attribution with certainty.
Call to Action:
Subscribe to the podcast for more episodes on high-profile cyber intrusions.
Visit our website at intrusionsindepth.com for additional stories and insights.
Share your thoughts on social media using #IntrusionsInDepth.
Links and Resources:
https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf
https://web-assets.esetstatic.com/wls/2016/10/eset-sednit-part-2.pdf
https://en.interfax.com.ua/news/general/395186.html
https://blog.focal-point.com/focal-point-releases-malware-analysis-of-android-x-agent-implant
https://www.scribd.com/document/468214030/X-Agent-Malware-Technical-Analysis-Focal-Point
https://www.realclearinvestigations.com/articles/2020/05/13/hidden_over_2_years_dem_cyber-firms_sworn_testimony_it_had_no_proof_of_russian_hack_of_dnc_123596.html
https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/
Change Agents - Dmitri Alperovitch
Books:
Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks by Scott J. Shapiro
Credits:
Host: Josh Stepp
Produced by: Josh Stepp
Thank you for tuning in to Intrusions in Depth. Stay informed, stay safe, and see you in the next episode!