Hackers believed behind Moscow’s ‘hybrid’ attacks on Ukraine

Military, power grid and state agencies among Russia’s alleged hacking targets

Soldiers of the separatist Luhansk People’s Republic on the line of contact with the Ukrainian army: Ukrainian forces appear to have been targeted by Russian-backed hackers. Photograph: Alexander Ermochenko/Reuters


As the United States considers how to respond to alleged Russian meddling in its presidential election, a cyber security report and major blackout in Kiev have highlighted the role of hacking in Moscow’s “hybrid” aggression against Ukraine.

Computer security firm CrowdStrike believes the “Fancy Bear” group – suspected of hacking the Democratic National Committee ahead of November’s US election – also targeted Ukrainian forces fighting Russian-backed separatists.

CrowdStrike found that a variant of the so-called X-Agent malware that was used to hack the DNC had also infected an application developed by a Ukrainian officer to help his country’s military fire its D-30 howitzer artillery more rapidly.

The original application was believed to be used by some 9,000 Ukrainian artillery personnel, and the X-Agent implant would have allowed the hackers and their associates to track and target those servicemen’s units on the battlefield.

“Open-source reporting indicates that Ukrainian artillery forces have lost over 50 per cent of their weapons in the two years of conflict and over 80 per cent of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal,” CrowdStrike said.

Medical records

The company said the apparent targeting of Ukraine’s military strengthened suspicions that the Russian state was closely linked to Fancy Bear, which also hacked anti-doping authorities and released western athletes’ medical records after many Russians were banned from competing at this summer’s Olympics.

“The collection of such tactical artillery force positioning intelligence by Fancy Bear further supports CrowdStrike’s previous assessments that Fancy Bear is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in eastern Ukraine and its border regions in Russia,” CrowdStrike said.

Also last week, the Bellingcat open source investigative group accused Russia’s military of firing thousands of shells across the border into eastern Ukraine in summer 2014, during the most intense fighting in the region’s 32-month conflict.

Bellingcat used satellite imagery to match evidence of launch sites in western Russia with impact areas in eastern Ukraine; several independent experts have judged the report’s methodology and findings to be solid and credible.

Bellingcat said the scale of the artillery onslaught made it “impossible to consider these attacks merely as accidents or as the actions of rogue units. These attacks can only therefore be considered as acts of war of the Russian Federation against Ukraine.”

Fake satellite imagery

In earlier reports, Bellingcat released extensive evidence to suggest that a Russian military unit delivered the missile that shot down a Malaysia Airlines passenger jet over eastern Ukraine in July 2014, and debunked fake satellite imagery that Russia presented as proof that Ukraine was to blame for the atrocity.

Cyber-security firm ThreatConnect also believes that Bellingcat was targeted by the Fancy Bear group and other pro-Russian hackers.

Ukrainian investigators believe a cyber attack almost certainly caused a blackout across a swathe of the capital, Kiev, in the early hours of December 18th.

The power cut came amid a surge in fighting in eastern Ukraine between Russian-backed militants and government troops, who are still locked in a grinding conflict that has killed 10,000 people and displaced well over one million.

Much of northern Kiev was left without electricity for several hours, when a power distribution centre unexpectedly shut down, depriving the city of about one-fifth of its normal nightly power supply.

“The main theory is external interference through the data transmission network. Our cyber-security specialists promise to deliver a report soon,” said Vsevolod Kovalchuk, acting head of state energy firm Ukrenergo.

‘Sandworm’ blackout

Last December, Ukraine’s security service blamed Russia for a cyber attack that caused a major blackout in western Ukraine; US cyber firm iSight Partners said a Russian hacking group known as “Sandworm” was the culprit.

In recent weeks, the websites and payment systems of several Ukrainian government ministries and other agencies including the state railway company suffered cyber attacks.

“The Russian special services take part in many hacker attacks,” Vasyl Hrytsak, head of Ukraine’s security service, said recently. “I would go further, and say that Ukraine has been chosen as a test site for such experiments . . . According to our information, a virus called Black Energy, which was tested in Ukraine, was later used in the West by the Russian special services.”