The conclusions of the report by CrowdStrike on the Russian hacker group Fancy Bear might prove wrong amid growing skepticism as hacktivists from Ukrainian Cyberaliance (UCA) joined the fact-checking effort.
On 22 December the CrowdStrike analytical group published a report citing an alleged hack of a mobile app for Ukrainian artillerymen by Fancy Bear, a Russian hacker group.
While many media outlets rushed to fan the hot news, few cared to do the fact-checking and scrutinize the report findings.
As early as on 23 December the BBC Russian Service reacted with a story presenting a number of expert opinions that put a pinch of salt on the results and conclusions presented in the report.
CrowdStrike reported that an X-Agent remote access malware had been planted on Ukrainian military forums that would be distributed with the artillery software and could be used later on to track and locate positions of Ukrainian artillery units.
However, the system of distribution of the application developed by Yaroslav Sherstiuk, a military officer of the Ukrainian Armed Forces at 55th Separate Artillery Brigade, implemented multiple levels of protection against falling into wrong hands. In most cases the application had been personally handed by the developer to its end users, and the chances of artillery officers downloading it from anywhere except official sources were close to zero.
A Bloomberg View observer Leonid Bershidsky was skeptical too:
“I doubt that any of the Ukrainian military would download gun aiming software from a web forum. Under normal circumstances they would rather order it directly from the developers they know, from someone like Sherstiuk. Therefore, it is hard for me to believe that the infected application found somewhere on the net and, most probably, never used by Ukrainian military, can prove the connection between GRU (Main Intelligence Directorate) and ART28”.
Experts with were not alone in their general skepticism about CrowdStrike conclusions, also Ukrainian hacktivists from UCA came in to check the possible data leaks.
Sean Townsend, a hacktivist from the RUH8 group (being a part of UCA, who won international renown after hacking into the office of the Russian presidential aide Vladislav Surkov), too commented on the sensational report by CrowdStrike:
“I’ve read the report by the CrowdStrike company entitled Fancy Bear Tracks Ukrainian Artillery. Being a hacker, I have little liking of the security industry as the guys in this business fear are fearmongers, but CrowdStrike failed to keep to even the mediocre standards generally accepted in the industry. They start their report with a bold statement alleging that the Ukrainian Armed Forces lost up to 80% of all their D-30 howitzers. The figure of 80% did not come from the International Institute for Strategic Studies, but was voiced by colonelcassad (Ed.: the nickname of a Russian propagandist blogger). And even he, when blurting out this 80% figure then says it is not due to combat losses, but rather to a transfer of weapons from the Ukrainian Army to the National Guard (note that the section of the IISS report quotes a “very precise figure”, of “some D-30” ). The report further alleges (with no proof links) that the attack was made using X-Agent for Android. I have a couple of questions here – where are hashes, where are the addresses of control centers, estimated number of infected phones? Was it really X-Agent? I do understand that there are plans of congressional hearings on “Russian hackers” and CrowdStrike would like to show their relevance, but I think it is irresponsible on their part to act like that.
We already have specimens of malware CrowdStrike associated with Fancy Bear and our findings are to follow. I won’t promise you communist zombies from GRU. I do think highly of the post-soviet hacktivist scene, but one should not demonize Russian hackers. We hacked a couple of them and it was too ridiculous for words. The screenshot undermines the version about “terrible Russian hackers from GRU”. All you see in the screenshot are strange letters and numbers, but an expert will see it flashing in big letters “THIS CODE HAS BEEN WRITTEN AND USED BY A MORON”
InformNapalm volunteer intelligence community periodically presents stories based on analysis of data dug out by UCA hacktivists to the wide audience. As soon as we have the full details after the hacktivists will have the source data analyzed, we will certainly share further findings with the public. Stay tuned for updates in the Hachtivism section.
Translated by Denis Bolovlov, edited by Artem Velichko.
(CC BY 4.0) The story has been written specially for InformNapalm.org, any reproduction or use must contain or be subject to a valid hyperlink to our project.
We call on our readers to actively share our publications on social networks. Broad public awareness of these investigations is a major factor in the information and actual warfare.