26 December 2016

Report documents Russian malware targeting Ukrainian military

By: Mark Pomerleau

A unit within the Russian military intelligence, which was also subsequently attributed by some private security firms for part of the hacks against the Democratic National Committee during the 2016 U.S. presidential election, has implanted malware within the Android platform allowing for easier reconnaissance and even targeting of Ukrainian soldiers using these mobile devices.

According to a new report released Dec. 22 by the security firm CrowdStrike, a unit within Russian military intelligence, known as the GRU and tracked by the firm as Fancy Bear, distributed an X-Agent implant on Ukrainian military forums inside a legitimate Android application. The application had been developed by a Ukrainian artillery officer to cut the time needed to process targeting data from minutes to under 15 seconds.

The successful deployment of this malware on this application, the report notes, “may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them.”

CrowdStrike also affirmed that this recent finding substantiates the firm’s previous assessments that Fancy Bear is likely affiliated with the GRU and works alongside Russian military forces in eastern Ukraine, aiding Russian-backed separatists against the Ukrainian army and its artillery units. The malware is not destructive in nature; rather, it sits passively, allowing the infected application to function properly while giving the operator insight into contacts, Short Message Service (SMS) text messages, call logs and internet data, along with the potential ability to map out a unit’s composition and hierarchy, determine its plans and triangulate its approximate location. As such, CrowdStrike assessed that Fancy Bear would likely leverage this type of information for its intelligence and planning value to “enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting.”

“Because the Android malware could facilitate gross position information, its successful deployment could have facilitated anticipatory awareness of Ukrainian artillery force troop movement, thus providing Russian forces with useful strategic planning information,” the report said, noting this capability illustrates the application of full-spectrum operations in Ukraine. “Indeed, the 55th Artillery Brigade and similar artillery units operated frequently against pro-Russian separatists in eastern Ukraine.”

These capabilities used at the tactical edge but also for strategic planning purposes are exactly what Cyber Command is after, and conversely, what top military officials and planners are warning they will be facing in future conflicts.

Secretary of Defense Ash Carter has on numerous occasions warned of full-spectrum conflict, which he describes as one against a “high-end enemy.”

In fact, the military as a whole is shifting to a multi-domain battle construct that encompasses capabilities and effects seamlessly across all five domains of battle: land, sea, air, space and cyber.

Echoing what CrowdStrike unearthed, Col. Robert “Chipper” Cole, director of Air Forces Cyber (forward), offered a hypothetical during a recent presentation on how cyber can contribute to these full-spectrum fights. Drawing on the movie “Black Hawk Down,” Cole recalled the child sitting on a hill with a telephone; the child was acting as a lookout to warn warlords in Somalia’s capital, Mogadishu, that Americans were en route in helicopters.

“What if that kid that was up there right before the helicopters took off, he got a phone call that said, ‘Hey, you need to put your cellphone down and walk off this hill or you’re going to be a target,’” Cole said, providing an example of how cyber can play a role in the kinetic fight. In the real world, there might be a cyber effect that allows a high-value target to be identified so that an overhead asset can pick up the location and find that individual to take that high-value asset out with kinetic means, he said.

The individual services are each taking a look at how cyberspace operations, enabled by their service cyber components under Cyber Command, can contribute to traditional missions in their respective domains. These include:

- Efforts by the Air Force under the director of cyber forces to integrate cyber into the theater of the service's multi-domain operations;

- The Army’s Cyber Support to Corps and Below effort to integrate cyber effects to the tactical edge to support real-world missions and unified land operations;

- The Marine Corps’ similar efforts to adjust from the post-9/11 environment of counterterrorism and counterinsurgency to fighting across multiple physical and virtual domains of warfare, integrating cyber capabilities within traditional forces by training Marines organic to the Marine Expeditionary Forces; and

- The Navy’s efforts to operate its network as a warfighting platform, executed by integrating sailors from Fleet Cyber Command/10th Fleet Task Force 1030 with traditional Navy units to both train and assess unit-level cybersecurity readiness.

Initiatives like these seek to give commanders the requisite knowledge for campaign plans and the effects that might be exacted, in keeping with one of Cyber Command’s three stated goals: to support joint force commander objectives. This also falls in line with exercises such as Cyber Flag, which seek to exercise full-spectrum cyberspace operations, defend networks and support joint force commander objectives by integrating operations in cyberspace with simulated operations in air, land, sea and space alongside allies and partners.

At the tactical level, Army Cyber Command has pursued efforts such as modifying a quadcopter to provide brigade-level intelligence on the Wi-Fi signals of a makeshift town during an exercise over the summer, before the brigade entered.

These are also the types of capabilities the U.S. is looking to leverage against the Islamic State group in its cyber front against the organization, the command’s first big test, Carter has said. Carter told Congress earlier this year that CYBERCOM’s directive is to interrupt ISIS’s “command and control, interrupt its ability to move money around, interrupt its ability to tyrannize and control population, interrupt its ability to recruit externally,” all of which is done in a cyber-enabled way. “The overall effect we’re trying to achieve is virtual isolation and this complements very much our physical actions on the ground and the particular focus is external operations that might be conducted by” ISIS, Chairman of the Joint Chiefs of Staff Gen. Joseph Dunford told the same committee.

GPS location services on mobile devices can also provide commanders with coordinates for potential adversaries on the battlefield. ISIS operatives in the past have kept GPS location services active on their mobile devices, providing reliable coordinates to intelligence officials when these individuals posted to social media, a 2015 Brookings Institution report titled “The ISIS Twitter Census” found.

The U.S. has taken seriously the threats from actors such as the Russians, for which the Ukrainian theater is providing a valuable window. “We’re learning an awful lot from the environment in Ukraine … the capabilities we’ve seen the Russians display in Crimea,” Lt. Gen. Ben Hodges, commanding general for U.S. Army Europe, said earlier this year.