DNC Hack Now Linked to Russian Army Malware


As 2017 continues to bring with it a stream of further revelations detailing Russian government involvement in the hack of the Democratic National Committee, a new facet has emerged. Russian army malware, dubbed “X-Agent,” has been linked to both the DNC hack as well as infected devices in the Ukrainian military. In other words, it appears that Russian intelligence tested its weaponized viruses in Ukraine before moving on to harder targets.

This malware is significant for a number of reasons. Leaving aside the fact that it links Russia to the attack on the DNC, it also demonstrates an evolution of the ways that computer viruses are going to be used in war. Furthermore, it shows the evolving ways in which the war-torn country of Ukraine continues to be a test-bed for cyberweapons. Both governments and enterprises should take note.

Tying DNC Malware to the GRU

The malware known as “X-Agent” is an implant. It’s designed to supplement phishing campaigns, such as the one that ensnared the ranking leadership of the DNC. It’s dropped by infected sites, designed to look legitimate, and once installed it logs keystrokes, exfiltrates data, and executes commands remotely. According to Crowdstrike, this malware is exclusively used by “Fancy Bear,” a codename for an APT group that’s been extensively linked to the Main Intelligence Agency of the General Staff of the Armed Forces of the Russian Federation—usually abbreviated as the GRU.

How do you turn an anodyne spying tool into a weapon of war? That’s a complicated answer, and it involves Ukrainian loyalists, smartphones, and outdated Cold War-era artillery.

Weaponizing Malware: From Stealth to Lethality

Here’s what we know: Back in 2014, after Ukrainian protesters threw out their Russian-aligned president, Viktor Yanukovych, the Russian Federation struck back. They annexed Crimea, and began backing rebel forces in the north of the country. Loyalist Ukrainian forces have held the line, but they’ve had to make do with outdated equipment, while the rebel forces always seem to mysteriously end up with top-of-the-line Russian military hardware.

One of the mainstays of the Ukrainian armed forces is the D-30 howitzer, a towed artillery piece that was new in 1963. Due to its manual controls, the D-30 is slow to aim and fire, but a simple Android app allowed users to input targeting data and improve performance by several shots per minute. You can probably guess what happened next.

Fancy Bear operatives cloned the app, implanted Russian Army malware, and then distributed it on Ukrainian military forums. (Readers will recognize some similarity to a malware variant that attacked Pokémon GO users.) It was downloaded 9,000 times, and once installed on Ukrainian phones, it began to telegraph the locations of army units to Russian forces. Since the Ukrainian conflict began, over 80% of their D-30 artillery units have been destroyed.

To See What Russian Army Malware Does Next, Keep a Close Watch on Ukraine

It is becoming evident that any malware that Russia wants to use in the United States and Europe will be tested in Ukraine first. Fancy Bear tested X-Agent in Ukraine in 2014 before using it on the DNC. Ukraine was also the venue for the first known hack of another country’s electrical grid. More worryingly, a second hack was reported to have shut down the city of Kiev in late 2016. As the scale and efficacy of these attacks increase, it is likely that other countries will see their electrical grids become a target.

Enterprises that wish to harden their defenses against Russian Army malware must do so with an eye towards the future. The Russians have been observed to constantly innovate and iterate their attacks, even as they move into actions on objectives. Any attack by the Russian intelligence services is also viewed as an opportunity for them to experiment with new techniques. For more information, check out our white paper on “The Democratization of Nation-State Attacks,” or contact SentinelOne today.


Copyright © 2017 IDG Communications, Inc.