A new report appears to confirm that the hackers behind the July attack on the Democratic National Committee servers are deeply embedded within the Russian government and work closely with the Russian military.
The report from U.S. security company CrowdStrike details how the group — known as Fancy Bear — used malware to strike the DNC. CrowdStrike linked this malware to other malware used to compromise an app employed by the Ukrainian military. Fancy Bear was then able to use the app to spy on the location of Ukrainian forces during Russia’s annexation of Crimea in 2014.
CrowdStrike is the same company the DNC hired to investigate the breach of its servers earlier this year. The company had previously said it was moderately confident in attributing the attack to the Russian government, but with this new intelligence, it’s now “highly confident.”
The report states: “The collection of such tactical artillery force positioning intelligence by Fancy Bear further supports CrowdStrike’s previous assessments that Fancy Bear is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia.”
All the U.S. intelligence agencies have fingered the Kremlin for the DNC attacks, accusing it of interfering in the U.S. election by stealing sensitive emails that were subsequently published by WikiLeaks — though Russian President Vladimir Putin has consistently denied those allegations.
President-elect Donald Trump — who called on Russian hackers to find Hillary Clinton’s missing emails during his campaign — has called the allegations against Russia “ridiculous” and says that they undermine the credibility of the CIA after it agreed with the FBI’s conclusion that the Kremlin was behind the attacks.
“I think seeing the same tools [that were used against the DNC] used in the Ukraine, it is definitely a government agency in Russia … that is reporting directly to the Kremlin,” Sean Sullivan, a security expert from F-Secure, told VICE News.
Sullivan points out that because the malicious version of the app collected location data, whoever was behind the attack would have needed direct connections to the military in order to act on the information it gathered.
The Android app was developed by a Ukrainian military officer named Yaroslav Sherstuk. It was designed to speed up the processing of targeting data for the Soviet-era D-30 Howitzers he was using. The app helped reduce the time it took the gun to fix a target from minutes to under 15 seconds. Sherstuk distributed the app among Ukrainian military personnel, and in a video talking about the app’s success, he claimed it was used by 9,000 Ukrainian military personnel.
Russian intelligence agencies actively monitor social media channels related to the Ukraine conflict, including VKontakte — the Russian equivalent of Facebook — and CrowdStrike says it was here that the Kremlin first took notice of the app, after it was promoted by its author in 2013.
This led to the development of a malicious version of the app by the Fancy Bear hacking group, which it then distributed on a Russian-language Ukrainian military forum from December 2014.
CrowdStrike was unable to find conclusive evidence of the app being used to directly target the D-30 Howitzers, but it did cite open-source data that shows that in the last two years — the period the malicious version of the app was available — the Ukrainian military lost 80 percent of its D-30 Howitzers, the highest percentage of loss of artillery pieces in Ukraine’s arsenal.
“The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them,” the report says.
Despite the high-profile nature of these attacks, Sullivan believes the media attention won’t stop the Fancy Bear hacking group from doing what it does.
“They have been using [the malware] for several years, and every time something gets discovered, they just make a new version of it and keep going — I don’t think they are going to slow down any time soon.”
He added that in 2017 we are likely to see a move away from the U.S. and onto other targets. “I think they are going to shift from the U.S. to Europe, and I think Europe should be on the lookout for activity related to the German and French elections.”