Did CrowdStrike really miss the mark?

When Russia-backed forces overran Crimea and eastern Ukraine in 2014, Yuri Dobronravin quit his job.

Dobronravin had been working as a developer, designing military simulation programs for a client in Kazakhstan. But Kiev’s poorly funded forces were reeling from the Russian-backed onslaught and Dobronravin became one of many Ukrainian volunteers who pitched in, providing food, clothes, materiel and — in Dobronravin’s case — tech support.

“The Ukrainian military, in 2014, didn’t have even the basic equipment — helmets, equipment, body armor,” he told me recently. “There was a huge civil effort to prepare the army.”

Dobronravin began providing the military with navigation aids, working through a group called Army SOS to distribute Android tablets loaded with gigabytes of digital topographic maps. As the effort evolved, the functionality of the tablets expanded; a fellow programmer, Dmytro (who agreed to be identified only by his first name, citing security concerns) experimented with an add-on that would allow soldiers to connect the tablets via radio and swap coordinates and text messages.

An undated Ukrainian Ministry of Defense photograph (left) shows men in camouflage using an Army SOS tablet. An April, 2015 photograph (right) shot by Dobronravin shows an Army SOS tablet and various accessories resting on a treaded vehicle.

Dobronravin said that, by mid-2015, thousands of soldiers were using his navigation app and Army SOS’ profile was rising. Journalists visited the group’s warehouse in Kiev where volunteers packed vans with heavy equipment, potatoes and toilet paper to ship them to the front and cobbled together homemade surveillance drones aimed at getting an edge over the Russians.

It wasn’t long before someone in Moscow took notice.

Targeting data collected by the cybersecurity firm Secureworks, which I’ve been examining and writing about for the past nine months, shows that Dobronravin, Dmytro, and others at Army SOS were targeted by the Russian cyberespionage group generally nicknamed Fancy Bear.

They were among the more than 500 Ukrainian Gmail users targeted in Fancy Bear’s prolific phishing campaign, which I’ve outlined in a series of stories about journalists, Congressional staffers and military wives. But there are indications that the hackers’ interest in Army SOS went beyond run-of-the-mill espionage — and may have been aimed at soldiers in the field.

On August 27, 2015, three dozen of Dmytro’s contacts received an email, written in his name, asking them to download the latest version of his experimental add-on, called Network Bridge. The message was a trap; Dmytro never sent it, and the utility had a hidden ability to intercept messages and harvest GPS coordinates.

An August 27, 2015 email purporting to come from Dmytro, a programmer working on the Army SOS Android app. Note the yellow banner warning that the message is potentially malicious. I’ve redacted some information at Dmytro’s request.

Dmytro immediately warned his colleagues not to download the rogue add-on and sent a copy of the malicious email to a Ukrainian hacker pseudonymously known as Sean Townsend for analysis.

Everyone concerned is convinced no one fell for the ruse, saying Google flagged the email as suspicious.

“I doubt that there were any real installations of the malware,” Townsend told me.

The Army SOS story caught my eye because it echoed a December 2016 report put out by the Sunnyvale, California-based CrowdStrike. The company had already drawn international attention when it announced in June of that year that two Russian hacking groups — Fancy Bear and a second group, dubbed Cozy Bear — had broken into the Democratic National Committee’s network. Six months later, CrowdStrike drew headlines again when it found the Fancy Bear code used to break into the DNC lurking in a booby trapped version of a Ukrainian artillery targeting app. Coming only a month after the presidential contest and a few weeks before the U.S. intelligence community officially laid the blame for election meddling at Moscow’s door, the find appeared to provide new and powerful evidence for CrowdStrike’s allegation that Fancy Bear had been behind the interference. Who else would have any interest in hacking both the Democrats and field-level Ukrainian artillery officers?

But the report had several weaknesses. CrowdStrike overstated the losses suffered by Ukrainian howitzers and implied— with scant evidence — that the rogue artillery app had been to blame. Journalists, myself included, wondered how it was possible that an app said to have been installed on offline devices — and without GPS functionality — could realistically be used to hone in on fighters in eastern Ukraine.

The report was ambiguously worded, leading some media to conflate the thinly circulated knockoff program identified by CrowdStrike with the legitimate app itself. The app’s creator, Yaroslav Sherstyuk, denied his program had been compromised and pushed back against “deluded” coverage. The Ukrainian military issued a statement saying CrowdStrike got it wrong. Skeptics and conspiracy theorists seized on the confusion as proof that CrowdStrike either didn’t know what it was doing or was trying to frame the Russian government.

The Army SOS incident is another indication that the conspiracy theories aren’t worth entertaining. The Secureworks data, which was gathered independently of CrowdStrike between mid-2015 and early 2016, has already confirmed that Fancy Bear (also known as APT28 or Iron Twilight) tried to hack into the Gmail inbox of Sherstyuk, the artillery app developer. Now I’ve established that Army SOS was in Fancy Bear’s sights too. Dmytro provided confirmation of his own, producing several Fancy Bear phishing messages from his inbox.

A Fancy Bear Gmail phishing message sent to Dmytro, a designer involved with the Army SOS Android app, on August 5, 2015. I’ve redacted some information at Dmytro’s request.

There was more: The August 2015 email sent to Dmytro’s contacts came from a known Fancy Bear domain, mx1.servicetransfermail[.]com. And when Townsend, the Ukrainian hacker, went through the code of the fake Army SOS app he found striking similarities to the bogus artillery app found by CrowdStrike — and to X-Agent, Fancy Bear’s signature spy program.

A side-by-side comparison of the Army SOS add-in sent to Sean Townsend in 2015 (left) and the artillery app exposed by CrowdStrike in 2016 (right). These screengrabs were provided by Townsend.

“To me the conclusion is pretty obvious,” said Townsend, who wrote about the find last year in a Ukrainian-language article for InformNapalm. “I admit that there could be a set up to blame APT28, but this is very unlikely. All three programs share the same features and similar style. So I am almost sure that this is X-Agent.”

CrowdStrike declined to offer an on-the-record comment, but Ben Read of rival cybersecurity firm FireEye echoed Townsend’s findings, saying in an email that the bogus app “has full backdoor capabilities and can send all the information from the phone back to APT28 controlled infrastructure.” In a phone call, he described the link to the Russian hacking group as “solid.”

Unlike the fake artillery program, the Network Bridge knockoff had the ability to ingest GPS data, adding weight to the theory that Russians sought to use malware to get a lock on Ukrainian soldiers’ positions. While both programs may ultimately have gone nowhere — there’s still no public evidence either of them was successfully deployed — the discovery of a second piece of military-linked Android malware circulating in Ukraine suggests a more aggressive effort to compromise ground-level fighters than previously known.

The discovery also suggests that, despite justified criticism of CrowdStrike’s 2016 report, the company’s technical work was right on target.

SHA256 hash of the malicious Network Bridge add-on: 9fa75b01401d155cd855e9ea7367244c05fb47a2e6d40c2d2cd26b41f82efb2b