Malware From DNC Hack Now Found in Ukraine App, CrowdStrike SaysBy
Fancy Bear group used code to gain access to Ukrainian forces
‘Significant evidence’ group linked to Russian intelligence
The same malicious code that breached the U.S. Democratic National Committee’s computer networks ahead of the presidential election has appeared in Ukraine, providing further evidence linking Russian military intelligence to far-reaching hacking attacks, according to cybersecurity firm CrowdStrike Inc.
In June, CrowdStrike disclosed that a Russian cyber group it dubbed Fancy Bear used malware to gain access to the DNC, which hired the cybersecurity firm to respond to the breach. Since then, CrowdStrike researchers have discovered a version of the same code designed to infiltrate an Android mobile application used by Ukrainian artillery forces to rapidly pinpoint targeting data for the D-30 Howitzer, a Soviet-era weapon, Dmitri Alperovitch, CrowdStrike’s chief technology officer, said in a phone interview.
“They put the same malware they used in DNC," but this time it was designed for an Android application instead of computer systems using Microsoft Corp’s Windows software as in the DNC, he said. “This is a pretty significant piece of evidence.”
The report comes as President-elect Donald Trump continues to dismiss findings by U.S. intelligence agencies that the Kremlin directed hacking of the DNC to help his campaign. President Barack Obama has ordered intelligence agencies to conduct a review of foreign interference in the U.S. election before he leaves office, while both Republican and Democratic senators have called for a Congressional probe.
The source code found in the Ukrainian app is not publicly available nor is it found in underground criminal web forums, and is only associated with Fancy Bear, Alperovitch said. From late 2014 through 2016, Fancy Bear covertly distributed an "implant" that accessed the Ukrainian mobile app, providing reconnaissance on troop plans and location, CrowdStrike said in a report Thursday.
The finding underscores CrowdStrike’s previous assessment that Fancy Bear is affiliated with the GRU, or Russian military intelligence, and “works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia,” the report said. Russian officials have repeatedly denied accusations of hacking.
Because people are asking for more evidence that Russia is responsible for the hacks, Alperovitch said he wanted to make public the latest links. The Ukrainian and DNC malware demonstrates CrowdStrike’s “much higher level of confidence” that the cyber-attacks are the work of Russian intelligence.