The Russian military intelligence agency that stole information from the Democratic National Committee this year also employed its hacking tools to pinpoint and kill Ukrainian soldiers in 2014, according to a report released Thursday by a cyber security firm.
The company, Crowdstrike, was hired by the DNC to investigate the hack and issued a report publicly attributing it to Russian intelligence. One of Crowdstrike’s senior executives is Shawn Henry, a former senior FBI official who consults for NBC News. The firm employs other veterans of the FBI and the National Security Agency, the government’s digital spying arm.
Co-founder Dmitri Alperovitch, who oversaw the research, told NBC News that the report is further evidence that "it wasn’t a 400-pound guy in his bed," who hacked the Democrats, but Russian intelligence agencies. President-elect Donald Trump famously raised the possibility that the Democrats were hacked by an overweight man.
In June, Crowdstrike went public with its findings that two separate Russian intelligence agencies had hacked the DNC. One, which Crowdstrike and other researchers call Cozy Bear, is believed to be linked to Russia’s CIA, known as the FSB. The other, known as Fancy Bear, is believed to be tied to the military intelligence agency, called the GRU.
Crowdstrike and other researchers have linked a specific piece of malware, known as X-Agent, to Fancy Bear. The hackers used that to infiltrate DNC computers by getting someone to click on a link in a spear-phishing email, Alperovitch said.
The source code in the malware is not public, Alperovitch said, which is one reason the company believes only Fancy Bear uses it.
In Thursday’s report, Crowdstrike says Fancy Bear used a variant of the malware to learn the locations of Ukrainian artillery positions in 2014, when that country was battling Russian-backed separatists.
The Russian spies did so ingeniously, according to Crowdstrike’s account, by injecting malware into an Android phone app being used by Ukrainian artillery soldiers to target separatists. The app was being used by artillerymen to speed their ability to target enemy positions using a D-30 Howitzer, Crowdstrike says.
A video posted on Oct. 18, 2015 shows Ukrainian forces employing the app and operating in the vicinity of eastern Ukraine.
But the Russians used the app to turn the tables on their foes, Crowdstrike says. Once a Ukrainian soldier downloaded it on his Android phone, the Russians were able to eavesdrop on his communications and determine his position through geo-location.
The app wasn’t the only factor, Crowdstrike said, but notes that Ukrainian units suffered heavy losses in bombardment by separatists after the malware was deployed. Additionally, a study by the International Institute of Strategic Studies determined that the weapons platform bearing the highest losses between 2013 and 2016 was the D-30 towed howitzer.
"Between July and August 2014, Russian-backed forces launched some of the most decisive attacks against Ukrainian forces, resulting in significant loss of life, weaponry, and territory," the report says.
"According to open sources, Ukrainian service personnel from the 24th and 72nd Mechanized Brigade, as well as the 79th Airborne Brigade, were among the units to have suffered casualties. International monitoring groups later assessed some of the attacks were likely to have come from inside Russian territory."
U.S. intelligence officials declined to comment on the Crowdstrike report.