Ukraine's armed forces fighting Russian-backed insurgents in the east of the country were unwittingly tracked by rebels after using a Trojanised application that they had been instructed to use to help them speed up their targeting.
The malware was built on a legitimate application that the country's military leaders had advised artillery groups to download to their Android smartphones. Hackers linked to the Russian government are believed to have got hold of the app, Trojanised it and then re-distributed it via bulletin boards.
The country's own commanders had promoted the app, which (obviously) wasn't available for download via the Google Play store.
The malware was used, either by Russian military intelligence or by the rebels, to track Ukrainian artillery deployments, exposing them to highly targeted counter-attacks. According to some reports, more than half of Ukraine's artillery has been captured or destroyed during the two or so years that the war has raged.
The app was developed in Ukraine to help crews manning Soviet-era D-30 howitzers reduce the time it took to target the outdated artillery from minutes to seconds.
That is the claim of CrowdStrike co-founder Dmitri Alperovitch, who has linked the malware found on the Android smartphones of Ukrainian military personnel with the same ‘Fancy Bear’ group of hackers that, he claims, was behind attacks on the US Democratic National Committee.
Yaroslav Sherstuk, an officer of the 55th Artillery Brigade, had shown off the app on Ukrainian television.
"Late in the summer of 2016, CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named ‘Попр-Д30.apk’ (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature," claimed Adam Meyers, vice president for intelligence at CrowdStrike, in a research note released today.
He continued: "Initial research identified that the filename suggested a relationship to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s, but still in use today.
"In-depth reverse engineering revealed the APK contained an Android variant of X-Agent, the command and control protocol was closely linked to observed Windows variants of X-Agent, and utilised a cryptographic algorithm called RC4 with a very similar 50 byte base key."
X-Agent is a cross-platform remote access toolkit that runs on Windows and Apple's iOS and macOS operating systems, as well as Android.
"Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade. CrowdStrike associates the use of X-Agent with an actor we call Fancy Bear," he added.
"Successful deployment of the Fancy Bear malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross-locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them."
CrowdStrike, which linked the Fancy Bear group with the attack on the US Democratic National Committee, believes that the group is affiliated with Russian military intelligence, and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia.
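Two of the technical details quoted above translate directly into analyst-side checks: the MD5 published for the Trojanised APK can be matched against files recovered from devices, and the finding that the Android and Windows X-Agent variants share an RC4 base key means that key material recovered from one variant decrypts the other's traffic. The script below is an added illustration of both points; it is not code from the article, from CrowdStrike or from the malware. The only value taken from the page is the APK hash; the 50-byte key and the messages are constructed placeholders of the same length the report describes, not the real key or real traffic.

```python
"""
Added example (not from the article or from CrowdStrike).

1. matches_known_sample(): hash candidate file bytes and compare against the
   MD5 the CrowdStrike note published for the Trojanised 'Попр-Д30.apk'.
2. rc4(): a textbook RC4 implementation, used to show why a shared RC4 base
   key links two malware variants: an analyst who recovers the key from one
   variant's traffic can decrypt the other's with the same routine.

PLACEHOLDER_BASE_KEY is a constructed 50-byte value, NOT the real X-Agent key.
"""
import hashlib

# MD5 published in the CrowdStrike research note for the Trojanised APK (from the article).
KNOWN_APK_MD5 = "6f7523d3019fa190499f327211e01fcb"


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 is used here only because that is the IoC format)."""
    return hashlib.md5(data).hexdigest()


def matches_known_sample(data: bytes) -> bool:
    """True if the bytes hash to the published indicator for the Trojanised APK."""
    return md5_hex(data) == KNOWN_APK_MD5


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm: permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: XOR keystream bytes into the data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed placeholder: 50 bytes long like the key the report describes, but made up here.
PLACEHOLDER_BASE_KEY = bytes(range(0x41, 0x41 + 50))


def shared_key_decrypts_other_variant(message: bytes, key: bytes = PLACEHOLDER_BASE_KEY) -> bool:
    """Model the report's linkage: a message encrypted by one variant under the shared
    base key decrypts cleanly with the key recovered from the other variant, while a key
    that differs in a single byte does not."""
    ciphertext = rc4(key, message)            # "variant A" encrypts
    recovered = rc4(key, ciphertext)          # analyst decrypts with key from "variant B"
    wrong_key = bytes([key[0] ^ 0x01]) + key[1:]
    garbage = rc4(wrong_key, ciphertext)
    return recovered == message and garbage != message


if __name__ == "__main__":
    # Constructed sample: these bytes are obviously not the real APK, so no match is expected.
    print("IoC match on constructed bytes:", matches_known_sample(b"constructed sample"))
    print("Shared-key linkage holds:", shared_key_decrypts_other_variant(b"constructed C2 beacon"))
```

The RC4 routine is the standard algorithm, so it can be checked against the published test vectors (key `Key`, plaintext `Plaintext` gives `BBF316E8D940AF0AD3`) before being pointed at real captures; the hash check is the same comparison an endpoint or mobile-device-management inventory would perform against a list of known-bad APK hashes.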