The Cable

In a Hacked Ukrainian App, a Picture of the Future of War

Russian military intelligence hackers targeted both the DNC and Ukrainian artillery troops.

A Ukrainian serviceman smokes while manning a position near Svitlodarsk, in the Donetsk region, on February 21, 2015. The continued fighting in eastern Ukraine has made a mockery of the West's latest attempts to negotiate a ceasefire but may ultimately pave the way for a more durable peace, say analysts. AFP PHOTO/ ANATOLII STEPANOV        (Photo credit should read ANATOLII STEPANOV/AFP/Getty Images)
A Ukrainian serviceman smokes while manning a position near Svitlodarsk, in the Donetsk region, on February 21, 2015. The continued fighting in eastern Ukraine has made a mockery of the West's latest attempts to negotiate a ceasefire but may ultimately pave the way for a more durable peace, say analysts. AFP PHOTO/ ANATOLII STEPANOV (Photo credit should read ANATOLII STEPANOV/AFP/Getty Images)

Ukrainian artillery forces and the Democratic National Committee have something surprising in common: They were targeted by the same Russian code and spied upon by the same military intelligence unit.

The finding, contained in a report released Thursday by security firm Crowdstrike, provides additional evidence linking hackers working on behalf of the Russian state — in this case, Russian military intelligence, or GRU — with the 2016 digital break-in at the Democratic headquarters. Emails stolen from Democratic Party servers eventually turned up on WikiLeaks and are a central part of what American intelligence officials describe as an effort by Russia to influence the U.S. election in President-elect Donald Trump’s favor.

Thursday’s report provides a direct line between the information operations carried out against American political organizations, and the ongoing armed conflict in eastern Ukraine. It illustrates how hacking represents not just a tool used in propaganda operations but in traditional military engagements.

According to Crowdstrike, a hacking group known Fancy Bear attempted to spy on Ukrainian artillery units by distributing a bogus Android application used for weapons targeting. It is unclear how successful the effort was, but according to the firm, the app had “the potential ability to map out a unit’s composition and hierarchy, determine their plans, and even triangulate their approximate location.”

The app in question allowed Ukrainian military forces to more quickly pinpoint their targets and was distributed to units operating the Soviet-era D-30 towed howitzer. Russian hackers distributed their version of the app on social media forums popular among Ukrainian service members. Ukrainian troops operating the D-30 suffered above-average casualty rates, and Crowdstrike speculates that this may have been as a result of being tracked by the malicious app.

In the video below, Ukrainian forces use the application in the field.

Yaroslav Sherstuk, the creator of the application, has denounced the Crowdstrike report on social media, calling it “rotten information,” and said that he tightly controlled its distribution.

The military impact of the application is difficult to assess, but its discovery by Crowdstrike provides a fascinating insight into the operation of Russian military intelligence. Both the Ukrainian app and the DNC break-in relied on a malware strain known as X-Agent. Its presence in both operations illustrates the variety of functions taken on by the Russian military intelligence force — from a pure digital break-in, to a sophisticated propaganda operation, to traditional military intelligence activities, all of which are carried out in cyberspace.

By leveraging a mobile application for military purposes, Crowdstrike argued that Russian forces are delivering on what Moscow’s military thinkers describe as the “the practical application of full-spectrum combat.”

“As a part of full-spectrum operations in Ukraine, Russia-based adversaries have leveraged malware on the battlefield, in the civil sector, and against critical infrastructure,” Crowdstrike wrote in its report. “They have also engaged in aggressive information operations in the media. In relation to this broader picture of Russian computer operations, the approach to targeting mobile smartphone and tablet devices in order to gain strategic insight into communications is a tactic that cannot be disregarded.”

In the aftermath of Russian efforts to tilt the election in Trump’s favor, American officials are carrying out a painful examination of just what went wrong. The White House has commissioned a review of attempts to influence recent presidential elections, and there are growing calls on both sides of the aisle on Capitol Hill for an investigation into the attacks on the DNC and other political organizations.

Trump has denounced these inquiries — which aim to more fully understand Russia’s meddling in the election — as an attempt by Democrats to undermine his legitimacy. But American intelligence officials have said in public statements and a series of leaks that they are in possession of hard evidence linking the cyber-interference to senior Russian officials, including Russian President Vladimir Putin. Firms such as Crowdstrike, which investigated the DNC breach, have presented public evidence linking Russia to a campaign of hacking into email accounts and publishing the purloined evidence.

But that hasn’t stopped Trump from rejecting their findings. He has compared the intelligence assessment about Russia’s intervention on his behalf to false claims about Saddam Hussein’s weapons of mass destruction ahead of the 2003 invasion of Iraq.

Regardless of Trump’s refusal to face up to the evidence, 2016 has now provided a fascinating case study on the cutting edge of information operations and low intensity conflict. In the United States, it includes hacking and publishing the stolen material. In Ukraine, it takes the shape of a bogus artillery-targeting application.

ANATOLII STEPANOV/AFP/Getty Images

Elias Groll is a staff writer at Foreign Policy covering cyberspace, its conflicts, and controversies. @eliasgroll

Trending Now Sponsored Links by Taboola

By Taboola

More from Foreign Policy

By Taboola