Doubts cast on claim that Russia hacked Ukraine's military via Trojanised Android app

CrowdStrike report described as "delusional" by Ukrainian artillery officer

Claims made before Christmas that Ukraine's military had effectively been hacked by a group linked to Russia, enabling Russian-backed rebels in the east of the country to easily target Ukrainian artillery, have been rejected by Ukraine's military and by a number of security specialists.

The claims were made by threat intelligence company CrowdStrike, which asserted that the same group that penetrated the US Democratic National Committee (DNC) last year had also produced and propagated a Trojanised version of an Android app that Ukraine's artillery forces used to speed up targeting.

However, Yaroslav Sherstuk, the Ukrainian artillery officer behind the app, has described CrowdStrike's report as a "delusional article, designed for amateurs" in a response on Facebook.

He added that "distribution of the software is still under my control and is not in the public domain", contrary to CrowdStrike's claim that the targeting app, designed to improve the efficiency of the country's Soviet-era D30 howitzers, was typically downloaded by crews from online forums. The app can only be activated by him personally, Sherstuk added.

Security specialist Jeffrey Carr, who has previously investigated Russian cyber attacks on Georgia, also believes that CrowdStrike's claims don't stand up.

In a Medium blog post, Carr says that he reached his conclusion after conducting interviews with Ukrainian hackers and soldiers, and after an independent analysis of the malware by CrySys Lab. Carr says that he will present the full findings at the Suits and Spooks conference in Washington DC next week.

"Crowdstrike, along with FireEye and other cyber security companies, have long propagated the claim that Fancy Bear and all of its affiliated monikers (APT28, Sednit, Sofacy, Strontium, Tsar Team, Pawn Storm, etcetera) were the exclusive developers and users of X-Agent. We now know that is false," he writes.

Indeed, a number of people and organisations are known to hold the X-Agent malware at the heart of the Trojanised Ukrainian military targeting app, so its presence alone does not identify who built the implant. In addition, the first versions of the Trojanised app did not use GPS or even request GPS location permission, he adds. And although it did collect base station (cell tower) information, that would not have been sufficient to pinpoint the location of the user.

"In rural areas, one base station could have a range of up to 30 kilometers. In Eastern Ukraine, mobile phone service was poor even before the war. It has only grown worse since," notes Carr.

On top of that, the claim that Ukraine's military lost as many as four-fifths of its D30 howitzers as a result is also flawed: it comes solely from one pro-Russian blogger and is based on a misinterpretation of military reports. Estimates of Ukrainian military hardware losses also include, for example, D30s left in Crimea when it was seized by Russia, most of which have not been returned.

"Crowdstrike never contacted the app's developer to inform him about their findings. Had they performed that simple courtesy, they might have learned from Jaroslav Sherstuk how improbable, if not impossible, their theory was," concluded Carr.

He added: "Instead, they worked inside their own research bubble, performed no verification of infected applications or tablets used by Ukraine's artillery corps, and extrapolated an effect of 80 per cent losses based upon a self-proclaimed, pro-Russian propagandist and an imaginary number of infected applications."