The GRU-Ukraine Artillery Hack That May Never Have Happened

Well, this is an interesting case we’ve uncovered actually all the way in Ukraine where Ukraine artillerymen were targeted by the same hackers who were called Fancy Bear, that targeted the DNC, but this time, they were targeting their cell phones to understand their location so that the Russian military and Russian artillery forces can actually target them in the open battle. (Dmitri Alperovich on PBS Newshour)

UPDATE (21 MAR 2017): VOA News published new information that “the International Institute for Strategic Studies (IISS) told VOA that CrowdStrike erroneously used IISS data as proof of the intrusion. IISS disavowed any connection to the CrowdStrike report. Ukraine’s Ministry of Defense also has claimed combat losses and hacking never happened.” Read the follow article here.

UPDATE (06 JAN 2017): Ukraine’s Ministry of Defense issued this statement today (machine translation to English from Ukrainian).

Not only did Crowdstrike choose to quote improbably high losses estimated by a Pro-Russia analyst, we know have confirmation from Ukraine’s MOD that (1) those figures were wrong, (2) Crowdstrike’s reason for the losses were wrong, and (3) Crowdstrike’s spread of false information caused harm.

— — — — -

Crowdstrike’s latest report regarding Fancy Bear contains its most dramatic and controversial claim to date; that GRU-written mobile malware used by Ukrainian artillery soldiers contributed to massive artillery losses by the Ukrainian military. “It’s pretty high confidence that Fancy Bear had to be in touch with the Russian military,” Dmitri Alperovich told Forbes. “This is exactly what the mission is of the GRU.”

Crowdstrike’s core argument has three premises:

  1. Fancy Bear (APT28) is the exclusive developer and user of X-Agent [1]
  2. Fancy Bear developed an X-Agent Android variant specifically to compromise an Android ballistic computing application called Попр-Д30.apk for the purpose of geolocating Ukrainian D-30 Howitzer artillery sites[2]
  3. The D-30 Howitzers suffered 80% losses since the start of the war.[3]

If all of these premises were true, then Crowdstrike’s prior claim that Fancy Bear must be affiliated with the GRU [4] would be substantially supported by this new finding. Dmitri referred to it in the PBS interview as “DNA evidence”.

In fact, none of those premises are supported by the facts. This article is a summary of the evidence that I’ve gathered during hours of interviews and background research with Ukrainian hackers, soldiers, and an independent analysis of the malware by CrySys Lab. My complete findings will be presented in Washington D.C. next week on January 12th at Suits and Spooks.

X-Agent Is In The Wild

Crowdstrike, along with FireEye and other cybersecurity companies, have long propagated the claim that Fancy Bear and all of its affiliated monikers (APT28, Sednit, Sofacy, Strontium, Tsar Team, Pawn Storm, etc.) were the exclusive developers and users of X-Agent. We now know that is false.

ESET was able to obtain the complete source code for X-Agent (aka Xagent) for the Linux OS with a compilation date of July 2015. [5]

A hacker known as RUH8 aka Sean Townsend with the Ukrainian Cyber Alliance has informed me that he has also obtained the source code for X-Agent Linux. [11]

If both a security company and a hacker collective have the X-Agent source code, then so do others, and attribution to APT28/Fancy Bear/GRU based solely upon the presumption of “exclusive use” must be thrown out.

This doesn’t mean that the Russian government may not choose to use it. In fact, Sean Townsend believes that the Russian security services DO use it but he also knows that they aren’t the only ones.

No GPS functionality in the malware or the original application

The first iteration of the POPR-D30 Android app designed by Ukrainian military officer Jaroslav Sherstuk (and the only iteration allegedly impacted by this malware) was a simple ballistics program that calculated corrections for humidity, atmospheric pressure, and other environmental factors that determine accuracy of the D-30 Howitzer. It did not have the capability to connect to WiFi, nor to receive or transmit any data.[6]

The Android APK malware doesn’t use GPS nor does it ask for GPS location information from the infected phone or tablet.[7] That’s a surprising design flaw for custom-made malware whose alleged objective was to collect and transmit location data on Ukrainian artillery to the GRU.

It does collect base station information but that isn’t nearly sufficient for targeting purposes. In rural areas, one base station could have a range of up to 30 kilometers (18.6 miles).[8] In Eastern Ukraine, mobile phone service was poor even before the war. It has only grown worse since.

D-30 loss estimates are unreliable and Russian-sourced

Crowdstrike’s estimate of 80% losses of the D-30 Howitzers came from one source — an article written by pro-Russian blogger Boris Rozhin, a resident of Crimea who writes for a blog called The Saker which he calls “the voice of totalitarian propaganda”.[9]

Bloomberg journalist Leonid Bershidsky pointed out that the estimates “appear to be based on an assumption that changes in military balance reports, themselves far from perfect, can be interpreted as losses. Ukraine, a nation at war, doesn’t broadcast information about its specific capabilities.”

Pavlo Narozhnyy, a Ukraine military advisor, told VOA that “I personally know hundreds of gunmen in the war zone. None of them told me of D-30 losses caused by hacking or any other reason.”

Even Rozhin acknowledged that his interpretation of the International Institute of Strategic Studies (IISS) data needs work: “Generally speaking, both methods have their advantages and disadvantages, as it is obvious that lost armour did not count everything destroyed, as well as that the loss of hardware (counted based on staffing standards) in some cases did not mean that it was destroyed. For example, some hardware lost after 2013 was left in Crimea and returned to Ukraine only partially. Some hardware could have existed only on paper and even before the war could have been non-repairable. This suggests that the real losses of the UA still need to be further researched to make the conclusions more precise.”

Controlled activation by the developer for vetted users only

While the original POPR-D30 app was available for download online, users had to contact Sherstuk personally and provide their military credentials in order to receive a code for activation. There is no evidence that any of those users had their apps compromised by malware.

In fact, Crowdstrike hasn’t provided any evidence that the malware-infected Android app was used by even a single Ukrainian soldier. Sherstuk himself stopped supporting the first version in 2015 [10] so how could Crowdstrike even begin to justify its claims as to the malware’s effectiveness?


Part of the evidence supporting Russian government involvement in the DNC and related hacks (including the German Bundestag and France’s TV5 Monde) stemmed from the assumption that X-Agent malware was exclusively developed and used by Fancy Bear. We now know that’s false, and that the source code has been obtained by others outside of Russia.

The GRU, according to Crowdstrike, developed a variant of X-Agent to infect an Android mobile app in order to geolocate and destroy Ukraine’s D-30 howitzers. To do this, they chose an artillery app which had no way to send or receive data, and wrote malware for it that didn’t ask for GPS position information? Bitch, please.

Crowdstrike never contacted the app’s developer to inform him about their findings. Had they performed that simple courtesy, they might have learned from Jaroslav Sherstuk how improbable, if not impossible, their theory was. Instead, they worked inside of their own research bubble, performed no verification of infected applications or tablets used by Ukraine’s artillery corps, and extrapolated an effect of 80% losses based upon a self-proclaimed, pro-Russian propagandist and an imaginary number of infected applications.

Major media outlets including the The Washington Post, CNN, NBC News, and PBS Newshour ran the story without fact-checking a single detail. Motherboard, Forbes, SC Magazine, and other media did the same. Only VOA and Bloomberg took the time to question Crowdstrike’s claims and do some of their own investigating.

With the release of its Danger Close report, Crowdstrike has acted as irresponsibly as the Washington Post did when the paper ran a story claiming that Russian hackers had breached a Vermont utility. Instead, it was only one laptop. In the case of Danger Close, Crowdstrike invented a “devastating” cyber attack out of thin air and called it DNA evidence of Russian government involvement.




[3]”USE OF FANCY BEAR ANDROID MALWARE IN TRACKING OF UKRAINIAN FIELD ARTILLERY UNITS” December 22, 2016 published by Crowdstrike Global Intelligence Team.

[4] “This cannot be a hands-off group or a bunch of criminals, they need to be in close communication with the Russian military,” Alperovitch said. Source:

[5] “During our investigations, we were able to retrieve the complete Xagent source code for the Linux operating system. To the best of our knowledge, this is the first time this Xagent source code has been found and documented by security researchers. This source code is a fully working C++ project, which was used by Sednit operators to compile a binary in July 2015 (at least).” Source: “Enroute with Sednit Part 2: Observing the Comings and Goings”, p. 12

[6] Interview via email between the app’s creator Jaroslav Sherstuk and the author on December 24, 2016.

[7]”Technical details on the Fancy Bear Android malware (poprd30.apk)” — CrySys Lab blog. Source:



[10] Interview via email with the author on December 24, 2016

[11] Interview via IM with the author on January 1, 2017