What Happens to a Russia Hacking Story When Someone Checks the Evidence?

It falls apart

Vladimir Putin hacked the US election. We all know that. Part of the reason why we know that is that an internet security firm which stands to gain tons of publicity has said so.

The same firm also claims that the pro-Russian hacking group Fancy Bear is run by the sinister Russian military intelligence service, the GRU, and that it hacked Ukrainian army artillery during the civil war in eastern Ukraine:

But so far, the only evidence pointing to Russian government involvement comes from cybersecurity companies that have studied Advanced Persistent Threat 28, a hacker collective that has attacked many targets over the years -- including the DNC in 2016.

That evidence is best summarized in a 2014 blog post by the security firm FireEye. APT 28 attacks governments and militaries hostile to Russia or strategically important for it. APT 28 appears professional and well-financed. APT 28 uses Russian in its malware. The malware is compiled during working hours in the Moscow time zone.

CrowdStrike, the firm that detected the DNC hack, calls APT 28 Fancy Bear. Until recently, the company's founder, Dmitri Alperovitch, said he had "medium level confidence" that the group was run by the GRU, Russia's military intelligence service.

Now, he says the confidence level has changed to high. The increase comes from the finding by CrowdStrike that a Ukrainian-developed Android application, used to simplify targeting data for the D-30 howitzer, was contaminated with a version of APT 28 malware.

The logic: If the malware implant within the application was used to collect positioning data about Ukrainian artillery units, who else could be in the market for it but the GRU? Ominously, the CrowdStrike report says:

"Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine's arsenal."

The inference is that the Russians hacked the app used to target the D-30, and so the howitzers were mostly destroyed.
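As an added illustration of the compile-time heuristic quoted above (example code written for this page, not from FireEye, CrowdStrike or the quoted article), the script below takes a constructed set of PE-style compile timestamps, converts each to a fixed UTC offset, and reports the share that lands in a weekday 9-to-18 schedule, then scans all whole-hour offsets to find the best fit; the sample values and the fixed-offset simplification are assumptions, and the closing comment notes why the result is circumstantial.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of compile timestamps (Unix epoch seconds, UTC), the kind
# of value read from a PE header's TimeDateStamp field.  These are made up for
# the example and are not indicators from any real malware family.
def _utc(y, m, d, hh, mm=0):
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())

SAMPLE_COMPILE_TIMES = [
    _utc(2015, 3, 2, 6, 20),   # Mon 06:20 UTC -> 09:20 at UTC+3
    _utc(2015, 3, 2, 7, 15),   # Mon 07:15 UTC -> 10:15 at UTC+3
    _utc(2015, 3, 3, 11, 40),  # Tue 11:40 UTC -> 14:40 at UTC+3
    _utc(2015, 3, 4, 14, 5),   # Wed 14:05 UTC -> 17:05 at UTC+3
    _utc(2015, 3, 5, 20, 30),  # Thu 20:30 UTC -> 23:30 at UTC+3 (after hours)
    _utc(2015, 3, 7, 8, 0),    # Sat 08:00 UTC -> weekend at any offset
]

def working_hours_share(timestamps, offset_hours, start=9, end=18):
    """Fraction of timestamps falling on a weekday between local hour `start`
    (inclusive) and `end` (exclusive) in a fixed UTC+offset_hours zone.

    A fixed offset is a simplification for this example: a real analysis should
    use a tz database (zoneinfo) so DST and historical offset changes are honoured."""
    if not timestamps:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(timestamps)

def best_fit_offset(timestamps):
    """Whole-hour UTC offset (-12..+14) under which the largest share of builds
    lands in a 9-to-18 weekday schedule; ties go to the smaller offset."""
    best_offset, best_share = None, -1.0
    for offset in range(-12, 15):
        share = working_hours_share(timestamps, offset)
        if share > best_share:
            best_offset, best_share = offset, share
    return best_offset

if __name__ == "__main__":
    # Caveat: TimeDateStamp is written by the linker and is trivially edited or
    # zeroed, so even a clean 9-to-18 fit is circumstantial, not proof of origin.
    print("share in UTC+3 working hours:", working_hours_share(SAMPLE_COMPILE_TIMES, 3))
    print("best-fitting offset:", best_fit_offset(SAMPLE_COMPILE_TIMES))
```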

Except that, as Leonid Bershidsky, a Putin critic in self-imposed exile from Russia since 2014, found, there isn't actually any evidence of that:

Then there's the issue of the targeting software itself. Yaroslav Sherstyuk, the Ukrainian military officer who developed the application, reacted angrily on Facebook to the CrowdStrike report, saying he never published the software on any public forums and encouraging fellow Ukrainian servicemen to keep using the latest version of his app.

Via Facebook Messenger, he told me that he didn't believe an infected version of the app even existed. "This is a hoax to scare everyone and make us go back to the old methods of targeting fire," he wrote. A CrowdStrike spokesperson did not respond when I asked if it had contacted Sherstyuk. He said it hadn't.

The spokesperson, Ilina Dimitrova, wrote that "it is indisputable that the app has been hacked with Fancy Bear malware -- we have published the indicators related to it and they have been confirmed by others in the cybersecurity community." CrowdStrike said that it found the infected app "in limited public distribution on a Russian language, Ukrainian military forum."

I doubt anyone in the Ukrainian military would download software for targeting artillery fire from a forum. Typically, they obtain it directly from known developers such as Sherstyuk. If I can contact him directly, so can Ukrainian artillery officers seeking to improve their performance in battle.

Hence, it's hard for me to believe that this infected app -- found somewhere on the internet and likely never used by Ukrainian soldiers -- offers evidence tying the GRU to APT28.

Indeed, why would Ukrainian servicemen be downloading targeting apps from dodgy online forums? Even if an infected version of the targeting app ever existed, there is absolutely no evidence it was ever downloaded by Ukrainian artillery crews, much less installed and then exploited by Russians to reveal their location.
