Faulty military intelligence analysis is irrelevant
Bottom Line Up Front
1. The Ukrainian artillery forces used an Android app to aid the targeting of their D-30 guns. At some point around 2014 a version, infected with X-Agent malware, was created and distributed on Ukrainian military forums.
2. X-Agent malware is linked exclusively with a single APT group — APT28, aka Sofacy, aka Fancy Bear, aka Russian military intelligence, the GRU.
3. The command and control IP address embedded in the D-30.apk was pointed at APT28 infrastructure. Critically, this C&C IP was in active use for another linked APT28 campaign active at the same time.
4. The encryption key used by the malicious D-30.apk is the same key used in some variants of the Linux X-Agent malware. This key is almost identical to the Windows X-Agent encryption key.
5. The effectiveness of the GRU’s malicious D-30.apk campaign is unknowable to outsiders; there are too many variables and considerations (e.g. security of operational usage of D-30.apk, combat losses — typical attrition vs. malware aided attrition, seizures in Crimea, etc.)
6. Jumping on CrowdStrike’s poor military intelligence estimates for item #5, fringe elements of the infosec industry have attempted to cast misinformed doubts on the ironclad evidence in items #1-#3 plus the strong evidence of #4. This is, quite frankly, ludicrous.
How did we end up here?
In December 2016, CrowdStrike published a marketing blog post that attempted to do a number of things:
- Show the infected D-30.apk contained an Android variant of the APT28 X-Agent malware. (Every AV vendor agrees, see VirusTotal 02de72e43d578c45d9d6359299cb2d47771081617ff01363b736414eb831deea)
- Link the infected D-30.apk to military intelligence (given its clearly tactical military intelligence collection value)
- Therefore link APT28 to the GRU
- And, estimate the number of losses of D-30 artillery units due to the infected D-30.apk
How did they do?
The important parts of their blog have withstood third party verification. There is an infected D-30.apk (you can grab it off VirusTotal if you want to look at it yourself.) The consensus of every major Threat Intel or Anti Virus company remains consistent — X-Agent is malware used exclusively by the APT28 group. The clear tactical military intelligence intention of an infected artillery targeting app is fairly compelling evidence that APT28 is a military intelligence organisation (again, not in dispute by any major Threat Intel or Anti Virus company, or indeed any intelligence service.) CrowdStrike flubbed the estimate of D-30 unit losses, but they’re a cyber company, not a military intelligence organisation.
This has been covered before, for example on Risky Business #449 during which Patrick and Adam suggested CrowdStrike should stick to its knitting.
CrowdStrike failed to mention some additional pertinent information. As a cyber intelligence company, they are justifiably loath to give out information for free. However, they should have pointed out the link between the D-30.apk C&C IP and APT28 infrastructure, which further cements their case.
"used APT28 C2 infrastructure" -> do you mean 18.104.22.168 ? Btw how do you know it was APT28 infra ?
— codelancer (@codelancer) January 4, 2017
so, for free 🙂 I can confirm – that IP is part of Sofacy infrastructure
— codelancer (@codelancer) January 4, 2017
Fortunately, Kaspersky provided public confirmation of that data. As yet, there is no public confirmation that the C&C was in active use by APT28 during the timeframe. You’ll have to trust that the APT28 C&C server the D-30.apk intended to use was used exclusively by APT28 (at least at that time.)
The external infrastructure of a professional cyber intelligence collection organisation typically consists of dedicated servers. This makes resource and asset management significantly simpler. The likelihood of a 3rd party cyber intelligence group using the same C&C IP at the same time is pretty remote.
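The analytic step described above, checking whether a sample’s C&C host was simultaneously in use by another campaign attributed to the same group, is easy to make mechanical once you have dated sightings. The following is an added example, not code from the original post or from any vendor: it runs an interval-overlap check over constructed sighting records. The IP addresses are documentation-range placeholders, the campaign names and dates are invented for illustration, and in practice the sightings would come from your own telemetry or a threat intelligence platform rather than a hard-coded list.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import List, Tuple


@dataclass(frozen=True)
class Sighting:
    """One dated observation of a C&C host being used by a named campaign."""
    ip: str
    campaign: str
    first_seen: date
    last_seen: date


def overlaps(a: Sighting, b: Sighting) -> bool:
    """True when both sightings are of the same host and their active windows intersect."""
    return a.ip == b.ip and a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def shared_infrastructure(sightings: List[Sighting]) -> List[Tuple[str, str, str]]:
    """Every (ip, campaign_a, campaign_b) where two distinct campaigns used one host at the same time.

    Simultaneous use is the corroborating signal: a host that hands off from one actor
    to another over the years says little, a host serving two campaigns in the same
    month strongly suggests one operator behind both.
    """
    hits = []
    for a, b in combinations(sightings, 2):
        if a.campaign != b.campaign and overlaps(a, b):
            hits.append((a.ip, a.campaign, b.campaign))
    return hits


def corroborating_campaigns(sightings: List[Sighting], ip: str, campaign: str) -> List[str]:
    """Other campaigns whose use of `ip` overlapped the given campaign's window, in input order."""
    ours = [s for s in sightings if s.ip == ip and s.campaign == campaign]
    others: List[str] = []
    for s in sightings:
        if s.ip == ip and s.campaign != campaign and any(overlaps(s, o) for o in ours):
            if s.campaign not in others:
                others.append(s.campaign)
    return others


# Constructed sample data. 198.51.100.0/24 and 203.0.113.0/24 are reserved documentation
# ranges, used here as placeholders for the real C&C addresses the post refers to.
SAMPLE = [
    Sighting("198.51.100.23", "D-30.apk", date(2014, 12, 1), date(2015, 3, 31)),
    Sighting("198.51.100.23", "campaign-B", date(2015, 1, 15), date(2015, 6, 30)),  # same host, same time
    Sighting("198.51.100.23", "campaign-C", date(2016, 1, 1), date(2016, 2, 1)),    # same host, a year later
    Sighting("203.0.113.9", "campaign-D", date(2015, 1, 1), date(2015, 2, 1)),      # unrelated host
]

if __name__ == "__main__":
    for ip, a, b in shared_infrastructure(SAMPLE):
        print(f"{ip}: {a} and {b} active concurrently")
    print("corroborates D-30.apk:", corroborating_campaigns(SAMPLE, "198.51.100.23", "D-30.apk"))
```

Only campaign-B is reported as corroborating the D-30.apk sighting; campaign-C shares the host but not the time window, which is exactly the distinction the paragraph above draws between dedicated, concurrently used infrastructure and a host that merely changed hands later.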
Despite the irrefutable evidence linking the infamous infected D-30.apk to Russian military intelligence (GU, the intelligence service formerly known as GRU), fringe elements of the infosec community continue to cause confusion with spurious misinformation. The direct link between the malicious D-30.apk and the GRU is well known and clearly established by multiple different sources and companies. For unknown reasons a tiny group of poorly informed infosec people refuse to accept the blindingly obvious.
Even Kaspersky links the infected D-30.apk to APT28’s X-Agent malware.
The fringe elements of the infosec industry that have continued to deny the link between the malicious D-30.apk, X-Agent, APT28 and the GRU, are so starved of data they weren’t even aware that the D-30.apk C&C IP was positively linked to known active APT28 infrastructure. Without data and rigorous analysis, all these fringe elements are doing is (charitably) spreading misinformation. They literally do not know what they are talking about.
Intelligence = data + analysis
Intelligence is the result of rigorous analysis of data. These fringe groups not only lack the necessary data to perform the analysis, but they have consistently failed to apply rigorous analytic techniques to the data made available to them by better informed companies. This failure to apply analytic technique to available data is the mark of amateurism, and their conclusions have been consistently incorrect. That this fringe element of the infosec industry has been able to broadcast their misinformed narrative into the media is extremely frustrating as falsehood flies while the truth comes limping after.
Why does it matter?
The effectiveness of the infected D-30.apk campaign is completely immaterial to whether X-Agent is linked to APT28 (irrefutably, it is: see above), and whether APT28 is Russian military intelligence (very likely they are: see above). The reason this is relevant is that one of the malware strains discovered on the DNC network was X-Agent. Again, to be clear, the only group that is using X-Agent for operations is APT28, which bolsters the assessment that CrowdStrike discovered APT28 on the DNC network.
The questionable effectiveness of the D-30.apk campaign has no bearing on whether it was infected by GRU with their X-Agent malware, also found on the DNC network. Calling the CrowdStrike marketing blog post “disputed” is, quite literally, the sort of obfuscating statement that one would expect from a disinformation campaign. I will be charitable and chalk it up to simple ignorance, rather than maliciousness. If, however, there are further attempts to throw shade on the strong evidence linking GRU to X-Agent (and thus the DNC penetration), they will have to find better exculpatory evidence than the loss estimates of D-30 artillery units in Ukraine. Ignorance is no longer a sufficient excuse…
Fringe elements of the infosec industry have seized on an irrelevant mistake to spread misinformation, but have only exposed their own ignorance and poor understanding of cyber operations. Understanding cyber evidence requires a high degree of skill, and a considerable amount of data. These fringe infosec industry groups lack both. Basically, don’t turn to these guys for cyber intelligence analysis.
CrowdStrike has publicly established a link between a clearly military cyber intelligence operation and the APT28 group (formerly known as GRU.) The marketing blog post is full of information, although incomplete, and an irrelevant detail was incorrect. Basically, don’t turn to CrowdStrike for military intelligence analysis, they should stick with cyber.