Accessibility links

'Fancy Bear' Tried To Hack E-Mail Of Ukrainian Making Artillery-Guidance App


The artillery-guidance app has been the subject of much controversy since a cybersecurity firm published a report saying malware created by Fancy Bear was found lurking within it.
The artillery-guidance app has been the subject of much controversy since a cybersecurity firm published a report saying malware created by Fancy Bear was found lurking within it.

KYIV -- An officer who developed an artillery-guidance app used by the Ukrainian military in its fight against Moscow-backed separatists was among 545 members of Ukraine's political and military elite targeted by a hacking group with alleged links to Russian security services, according to an investigation by the Associated Press.

The hacking group -- known as "Fancy Bear," among other aliases -- has been accused of responsibility for cyberattacks on various Western government and security organizations, as well as the U.S. Democratic Party ahead of the 2016 presidential election.

According to the AP report on November 2, a digital "hit list" supplied by the threat-intelligence firm Secureworks and analyzed by the news agency provides the most detailed forensic evidence of the connection between the Russian hackers and the Kremlin to date. It also shows the operation stretched back years and tried to crack the inboxes of 4,700 Gmail users in the United States, Russia, and elsewhere.

Excluded from the AP report, but included in a post on the publishing platform Medium by the report's lead author, Raphael Satter, is a screenshot he said showed data gathered by Secureworks of "the attempt to break in to the developer of a well-known Ukrainian artillery guidance app" dated April 3, 2015.

RFE/RL has confirmed that the e-mail listed -- while blurred in Satter's screenshot – is that of Ukrainian officer Yaroslav Sherstyuk.

Speaking to RFE/RL by phone on November 2 from a military firing range outside Kyiv, Sherstyuk said that he had been notified by AP that he had been targeted by the hackers, but said his e-mail had not been hacked. Separately, Satter confirmed that the "hit list" was merely a catalog of targets and that the presence of an account on it did not necessarily mean the target had been hacked.

Sherstyuk's artillery-guidance app has been the subject of much controversy since the Virginia-based cybersecurity firm CrowdStrike published a report in December 2016 that said malware created by Fancy Bear was found lurking within it.

CrowdStrike claimed that Ukraine's military had lost 80 percent of its Soviet-era D-30 howitzers as a result, due to the malware's ability to retrieve communications and some locational data from infected devices.

The information collected, according to the firm, would have been used by Russia-backed separatists fighting Ukrainian government forces in Ukraine's eastern Donetsk and Luhansk regions. Cyberwarfare has played a big role alongside the shooting war that is in its fourth year and killed more than 10,100 people.

Sherestyuk denied following the CrowdStrike conclusions that his app had been compromised, and Ukraine's Defense Ministry denied its arsenal of howitzers had been damaged to the extent the firm's report claimed.

The CrowdStrike report was found by some analysts to have been problematic and the data upon which it was based misinterpreted. The firm reissued the report with new analysis in March 2017, removing language that alleged that Ukraine had lost 80 percent of its howitzers, which were used with the app that purportedly was hacked. The revised report claimed a loss of 15 to 20 percent, a figure attributed to the London-based International Institute for Strategic Studies.

The new AP report, however, lends some credence to the original CrowdStrike report, showing that the app had, in fact, been targeted.

CrowdStrike had claimed that from late 2014 through 2016 Fancy Bear covertly distributed a malware implant into the Android app developed by Sherstyuk.

Secureworks' data shows that Fancy Bear targeted the e-mail account of Sherstyuk in April 2015 -- squarely in the middle of the period CrowdStrike said the hackers had distributed their malicious implant.

Other Ukrainian Targets

Besides Sherstyuk, AP reported that Fancy Bear tried to break into at least 545 accounts of other Ukrainians, including those of President Petro Poroshenko and his son Oleksiy, a lawmaker. Half a dozen current and former ministers, such as Interior Minister Arsen Avakov, and as many as two dozen current and former lawmakers were targeted, according to the AP report.

Notably among the listed targets was Serhiy Leshchenko, an opposition lawmaker who helped uncover the slush fund used by former President Viktor Yanukovych's Party of Regions to allegedly pay Paul Manafort for his work as a political consultant.

Manafort, who went on to become Donald Trump's U.S. presidential campaign chairman, was indicted in Washington on October 30 on charges of money laundering, tax evasion, and failure to register as an agent for foreign interests, much of it related to his work in Ukraine.

RFE/RL has been declared an "undesirable organization" by the Russian government.

If you are in Russia or the Russia-controlled parts of Ukraine and hold a Russian passport or are a stateless person residing permanently in Russia or the Russia-controlled parts of Ukraine, please note that you could face fines or imprisonment for sharing, liking, commenting on, or saving our content, or for contacting us.

To find out more, click here.

XS
SM
MD
LG