Russian Military Using Smartphones to Track Troop Movements

Crowdstrike has an interesting blog post about how the Russian military is tracking Ukrainian field artillery units by compromising soldiers' smartphones and tracking them.

News article.

Posted on December 23, 2016 at 8:46 AM • 41 Comments

Comments

John • December 23, 2016 9:09 AM

Running about with a cell-phone in a combat-area probably isn't the smartest thing to do in the first place, especially if you understand the importance of not being seen!

Ross Snider • December 23, 2016 12:18 PM

@Steve

It's a proxy war. They have special forces there, where they support separatists.

There's a proxy conflict between the United States and Russia in Ukraine and in Syria.

In Eastern Europe, in Central Asia, in the Middle East as well as a number of other places (Arctic), Russia and the United States are jockeying for power and position and political influence (at the end of a gun or not).

Ross Snider • December 23, 2016 12:30 PM

This is the kind of bullshit you get when security isn't built into consumer electronics. It expands the area of military and power competition, even commercial power competition in domestic settings.

The insecurity of the entire technology ecosystem creates a giant zero-sum game where the only way to lose is not to play.

This is how cybersecurity harms our National Security: it doesn't matter how much 'better' we are at hacking foreign countries than they are at hacking us. As a technology it *creates* security dilemmas between competing powers.

Managing conflicts between military powers has everything to do with avoiding and addressing security dilemmas. Having an industry constantly "entrepreneur" new innovative scaffolds for future security dilemma is an awful choice and an awful pattern, and one we ought to address.

How about a "Manhattan Project" for building a secure and provably trustable technology stack starting at silicon, building through ISA (x86, etc), to protocol, all the way to applications and user experience?

That's the kind of peace-loving investment that could avert wars, stop criminals, and free people from surveillance and censorship.

But somehow it doesn't seem to be anywhere near the table. Clinton suggested creating a Manhattan Project for the purposes of backdooring encryption: the very opposite of this imaginary proposal.

The United States and Russia are showing increasing sophistication in the 'cyber domain'. In the United States the Air Force has evolved from simple brigading of social media to maintaining imaginary identities ("persona management") with playbooks and now are looking to develop propaganda bot armies. The logic of the state is never to curtail capabilities, because this puts them at risk for losing the arms race.

We need technology that doesn't encourage arms races. Normally I would say that's not possible, except that in this case, infotech and infosec is designed in full by us.

vas pup • December 23, 2016 12:46 PM

@Bruce: Do you recall your recent competition of security threat scenarios? I do recall that one of my suggestions was hacking the US electoral system and electing someone like Pamela Anderson (to the best of my memory - you probably have it in the archive) or Vladimir Putin. That was definitely a joke on my side, but it looks like LEAs/Intel on both sides of the Ocean are reading your blog, and unfortunately our side was not prepared to take the election threat seriously. Actually, election machines were not hacked (no evidence yet), but the process was affected by hacking and leaking sensitive information related to the election. Usually, each joke is only partially a joke.

Happy Holidays all respected bloggers!

ab praeceptis • December 23, 2016 12:53 PM

Ross Snider

"infotech and infosec is designed in full by us." - the Russians will love to read that. There is no better opponent than a sleeping one who feels secure.
And btw: A look at reality shows what you *really* designed in full: unsafe crap and loads of security problems.

Just in case you are interested in reality: The Russians have their own processors (and certainly not old crap. Weaker than modern Xeons but still damn powerful enough), they have solidly surpassed others in different fields such as SDR, they are known to be brilliant in analog electronics (and they have the brains to not smirk at analog electronics), they have lots of smart people who went to real universities plus they have lots and lots of software engineers who learned their trade the hard way. I have worked with quite a few Russian IT engineers; and I'm not talking about us-americans who had Russian parents but about Russians who were just a couple of years in the west.

If tasked with a security related project and to choose to do it either with x us-american developers or with x/3 Russians I'd always take the Russians without needing a second to think about it (Btw, I'd do the same with French engineers albeit in a more modest ratio).

One shouldn't be fooled and think that Kaspersky and some Russian banks are the lighthouses of Russian IT. They are definitely not.

Now feel free to hit at me if you feel the urge.

k15 • December 23, 2016 1:03 PM

Internet security is still privatized, right? So while you could go to the cops or the FBI to say "everything feels very wrong about this situation", it would be a recipe for something other than fixing it?

John • December 23, 2016 1:12 PM

@Ross Snider:
A cell-phone is no different from any other radio-transmitter:
It can be located easily; the art of locating a radio-transmitter is almost as old as the transmitter itself.
Many a European Freedom Fighter during WWII paid the ultimate price because of this simple fact: Any radio-transmitter is one big "Here I Am"-sign.

John • December 23, 2016 1:15 PM

PS:
The Ukrainian conflict isn't only a "proxy-war"; it's more like a real territorial conflict (East-Crimea) being exploited in a "Super-Power" proxy-propaganda-war.

Ross Snider • December 23, 2016 1:27 PM

@ab praeceptis

Right. A simple response.

> "infotech and infosec is designed in full by us." - the Russians will love to read that. There is no better opponent than a sleeping one who feels secure.

By "us" I meant mankind/humans. I did not mean Americans.

The rest of your comment rests on that (and a couple of other) misreadings. If you would like further clarification, let me know.

Ross Snider • December 23, 2016 1:38 PM

@John

Yes of course, but the scaffolding of cellular networking (triangulation, always on, pinging) plus the nature of software of the device make the problem much, much worse.

Regarding Ukraine. Sure. Syria is also not only a proxy war, but also a regional war, a religious war, a Kurdish independence war and a civil war, as well as a territorial conflict (wrt Kurds, Turkey, Israel if you count Golan Heights).

This is true of pretty much every proxy war, including the Ukraine proxy conflict.

The geopolitical rewards (power in the form of land, access, political support, regional decision making, forward deployment, etc) mixed with the regional fighting factions (separatists, terrorists, insurgents, rebels, whatever) is how you get the 'proxy' aspect to it.

The propaganda aspect of Ukraine is also not really unique to the region, and we could happily call Syria a "Super-Power" proxy-propaganda-war.

Ross Snider • December 23, 2016 1:55 PM

@ab praeceptis

I think my comment may have been better said by Henry Kissinger:

"The pervasiveness of networked communications in the social, financial, industrial, and military sectors has … revolutionized vulnerabilities. Outpacing most rules and regulations (and indeed the technical comprehension of many regulators), it has, in some respects, created the state of nature about which philosophers have speculated and the escape from which, according to [Thomas] Hobbes, provided the motivating force for creating a political order.… [A]symmetry and a kind of congenital world disorder are built into relations between cyber powers both in diplomacy and in strategy.… Absent articulation of some rules of international conduct, a crisis will arise from the inner dynamics of the system."

Basically, cybersecurity has created a vacuum where there is competition.

We should correct that. One approach is by creating cybernorms. We've tried and failed but I see no reason not to continue pursuing from this angle: it's important.

Another approach is to address the systemic global vulnerability that cyber [in]security has created. To put it in impolite terms: there isn't a realistic way to do that without losing a lot of compatibility with the tech stack that we have today.

Armed Santa • December 23, 2016 2:02 PM

@Ross Snider

Do you have a link for that quote?

On topic:

I don't know why people are so surprised about soldiers carrying smartphones into combat. If people think that a citizen-soldier is the front line of defense then a citizen is going to be bringing his citizen implements with him. It is no different than in olden times when soldiers used to bring their wives along (if they had wives) so that they could be certain there was someone to cook for them back at camp. I don't think it is realistic to expect such citizen soldiers not to use phones.

The underlying problem seems to be that no one did a threat analysis because this seems a rather obvious attack vector.

Use Signal • December 23, 2016 2:08 PM

Good reminder on why phones (particularly smartphones) are fundamentally insecure and should not be used.

ab praeceptis • December 23, 2016 2:34 PM

Ross Snider

"...cybernorms. We've tried and failed but I see no reason not to continue pursuing from this angle: it's important."

Theoretically yes. Practically I don't like it because those norms would come from where the current norms came from ...

"Another approach is to address the systemic global vulnerability that cyber [in]security has created. To put it in impolite terms: there isn't a realistic way to do that without losing a lot of compatibility with the tech stack that we have today."

But that's just one part. The whole system is rotten and neither gov. agencies (let alone politicians) nor big corporations will make room for others to (co-)decide.

Don't get me wrong; I agree with you. I just don't see that happen anytime soon.

John • December 23, 2016 3:47 PM

@Ross Snider:
Active radio-transmitter = Here I Am!
It's as simple as that -
Now, why some military commander would allow his personnel to ALL wander about with an active "smart-phone" (GSM or whatever the "#&%#&%) is simply ..
Beyond belief - HERE I AM!!

Ross Snider • December 23, 2016 4:13 PM

@John

> Active radio-transmitter = Here I Am !
> It's as simple as that

It's not as simple as that though. There are spread spectrum broadcasts, repeaters, low power broadcasts, directional broadcasts, etc, etc.

Furthermore this article is about software for Android (APK) that facilitates this troop movement tracking. Namely, it is specific to the vulnerabilities introduced by adding a general purpose computer on top of a radio transmitter.

The vulnerability discussed in the article has everything to do with smartphone (software) vulnerabilities - specifically. It's not about tracking radio signals.

Anyway, I understand what argument you are trying to make.

Gerard van Vooren • December 23, 2016 4:47 PM

@ ab praeceptis, Ross Snider

> But that's just one part. The whole system is rotten and neither gov. agencies (let alone politicians) nor big corporations will make room for others to (co-)decide.

Either I am losing my mind or I am finally seeing the whole picture. We are seeing here a short discussion between the realist and the idealist. The only guy who is lacking is the opportunist, the businessman. To think of it, that guy hasn't been here all the time. I mean, that guy isn't on Schneiers blog.

This quote:

> Another approach is to address the systemic global vulnerability that cyber [in]security has created. To put it in impolite terms: there isn't a realistic way to do that without losing a lot of compatibility with the tech stack that we have today.

Why isn't this happening? Why is there no cooperation between the "good guys" at all? Why don't Red Hat, Canonical, Suse and Debian, for instance, cooperate on Linux to ... fix this issue?

My answer is that because the businessman, the opportunist, just doesn't care or worse. I could be wrong but the fact that this problem hasn't been solved for all this time, makes me realize that there are other factors at play.

Sancho_P • December 23, 2016 6:51 PM

@Gerard van Vooren

The businessman is dead, big business (Bill G +) have killed capitalism.
They wrote what politicians signed into law, disengaging liability, incentive, punishment and competition.
Some call it bribery or revolving door, some call it future.

Merry ...

Tatütata • December 23, 2016 6:54 PM

The story sounds familiar, I believe I read reports describing the same "technique" being used in Iraq or Afghanistan by the US against the other side. (Or vice-versa).

Even if the networks aren't penetrated, you could still imagine someone with a Sting-Ray (or a Sting-Raysski) in the opposite trench ferreting out MSs.

ab praeceptis • December 24, 2016 1:37 AM

Gerard van Vooren

You touched a very ugly point, one epicenter of the cancer. I'll tell you where they are, the opportunists: they are everywhere (which is normal and maybe "healthy" depending on the level of insanity of the viewer) and they have solidly settled themselves in the gov. agencies, the committees, the editor offices, the universities.

One particularly nasty example are those researchers who first grab the opportunity to research some tech well funded and equipped by the public, and once they have achieved something they grab the opportunity to take (not at all) "their" work to their new company to turn it into a money cow.

The damage they create is *immense and horrible*. Those opportunists are guilty to a very considerable part of much of the security mess we're in. I encountered this many, many times, I encountered that across the ocean and in Europe, on the small level and even on multi-level, e.g. university + country + EU.
One typical crime pattern is to pro-forma hand out a very old and/or next to unusable version publicly (often hidden in the depths of web sites) and to then have their company "create a product for professional use".

As for the rest, I see mainly 3 types of foss projects: a) single or small group working on fixing an itch. Usually unprofessional java or .net/mono crap but sometimes really good stuff. b) larger projects with good and clear concept, good management, good people - who have to beg for some support to survive, and c) foss projects that are actually multi-corp or corp projects. In the better cases the corps want something useful for them, in the less lucky cases they consider it their crap department where the really important factor for them is the "no responsibility whatsoever" of foss.

You want another example of the opportunist flooding and collusion? Here you are: The AV companies, basically snakeoil+gadgets vendors have achieved to put themselves close enough to the security (and "security") circles as to be considered a part of the security circles. This could be achieved by putting many millions into marketing and PR and by putting some more millions into "research", i.e. buying themselves into the "security community".
The result? snakeoil vendors and leak generators are preaching as "security experts" in the usual security theater circles (like blackhat, etc.)

Wael • December 24, 2016 2:55 AM

Alexander Bortnikov -> Putin: We can track them. Power of технология!

Putin -> Alexander Bortnikov: Great work, comrade! I heard that you'd know if a fly came or left Moscow! Show me a demo! I'm proud of you!

***Meanwhile... Ukrainian troops installed a fake location app on their devices***

Alexander Bortnikov -> Putin: Look at the command and control screen, sir. Ukrainian troops are currently located at ... ummm

Putin -> Alexander Bortnikov: Holy crap! They're in the Kremlin, butt-head! You're going to Siberia for an extended vacation. Enjoy your stay, and remember: don't eat yellow snow.

oliver • December 24, 2016 3:38 AM

I call BS on that whole "report".
Check the source of that "report". What are they selling and who are their customers?
This is not a reliable source for that kind of "report"!

Gordon • December 24, 2016 11:49 PM

As Tatütata noted, this is not the first time military units have been tracked by their mobile phones.

I'm pretty sure that the report I read was of Hezbollah tracking Israeli units because Israeli reservists were trying to run their businesses from the front line. This would have been during Israel's last invasion of Lebanon.

Here is a link to a discussion on this forum, primarily about Hezbollah cracking radio, but the referenced article ( broken link), also discussed Hezbollah monitoring cell phone usage, and using lists of the cell phone numbers of unit commanders. Not clear if they were triangulating though.
https://www.schneier.com/blog/archives/2006/09/did_hezbollah_c.html

albert • December 25, 2016 12:43 PM

@Ross,
That Kissinger book is relatively new. I wonder what Brzezinski is up to. As much as one may dislike those two, they're required reading for insight into the US geopolitical plans and goals. So one holds one's nose and dives in. Everything plays out much as they predicted.

. .. . .. --- ....

moz • December 25, 2016 7:20 PM

What nobody here has mentioned, and I'm afraid this reflects badly, is that the original, untrojaned android app allowed the artillery batteries to set a target in 15 seconds compared to a normal time of multiple minutes.

Put another way, this app converted an obsolete and largely useless weapon which would lose any artillery duel to a modern system capable of manoeuvre and fire into one which would be able to take on almost anything out there with the right circumstances and luck. Given that Ukraine was at times taking on real, modern Russian armour that would be pretty important.

If this is the case, the advice not to touch mobile phones is useless. What you want is advice like disabling the GSM antenna or somehow ensuring that your app isn't trojaned. Advice about a cheap, easily available secure hardware alternative might be useful, but it's unlikely you will match the ubiquity, build quality and cost point of a standard phone. Any other advice is likely to get people killed because they will be forced to ignore it. Which makes it pretty bad advice.

Bong-Smoking Primitive Monkey-Brained Spook • December 26, 2016 12:22 AM

@moz,

> and I'm afraid this reflects badly

Sounds like words that would come out of an incompetent scumbag manager's mouth. Hopefully you're not a manager ;)

Tatütata • December 26, 2016 2:45 PM

> That Kissinger book is relatively new. I wonder what Brzezinski is up to.

The link initially leads to an empty page ("maximum number of pages exceeded"), but curiously, after reloading a couple of times the excerpt appears.

The book is called "World Order" and was published in 2014. It got me sufficiently interested to place a hold for my local library's copy.

> As much as one may dislike those two, they're required reading for insight into the US geopolitical plans and goals.

US Geopolitical plans? What an elitist, East-coast, frigging-intellectual conception from dark Pre-Donaldian times... From now on, any national design can only exist if it fits into 140 characters.

But what was the old war criminal doing in Trump tower hours after the election, and what was his mission to Peking?

What was that nasty old quip about America again? Something about going straight from barbarity to decline without going through the civilization stage... Who said that?

Steve • December 27, 2016 5:56 PM

@ Ross Snider

Hi Ross! Meant my comment as a joke. President Elect Trump, during the election, reportedly was unaware that the Russians had entered Ukraine.

Moz • December 29, 2016 6:11 AM

@Bong-Smoking Primitive Monkey-Brained Spook

Maybe from the fact I'm going for the message, not the messenger you can tell otherwise? You?

There are two interesting questions here:

You are a target in a battle zone and your life depends on using a GPS enabled Android app. What should you do?

And

You are doing IT security for a small army made up mostly of recently conscripted civilians. There is an Android app your troops need and you can't provide a replacement. What can you reasonably do to secure them?

When it comes to the individual soldiers, they can't use the app store because Google won't accept the app, so:

A) you need some kind of easy procedure for them to check they have valid software
B) they should probably switch to aeroplane mode when they can
C) they could use something like x-privacy or maybe even android 7 app privileges to limit internet connections

There are a bunch more things, e.g. how do you protect against a stingray style system?

For the army they could do a bunch more:

A) set up a special, isolated connection for the soldiers in the network with connections to enemy sites blocked
B) set up a custom app store - like, and probably based on, fdroid
C) do random audits of phones and identify malware
D) provide a special Android mod (based on CyanogenMod - now LineageOS https://github.com/lineageos or something like it) and set it up to only connect to verified friendly 3G networks

There's lots more possible. Anybody got a decent list of threats they would like to share here?

I understand that "don't use android" is a safer, easier answer, but it's exactly the kind of thing which gets people working on security ignored because it doesn't solve the actual problem.
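A concrete form of point (A) for the individual soldier, as an added example that is not from the page or from any project it mentions: a sideloaded APK's v1 (JAR) signature block, META-INF/*.RSA, is a DER-encoded PKCS#7 SignedData that carries the signer's certificate, so the soldier's phone or a helper tool can compare its SHA-256 fingerprint with a pinned value handed out in advance; a build re-signed by someone else fails the pin even if it looks identical. It assumes the legitimate developer's fingerprint is distributed out of band; the certificates and APKs here are constructed placeholders, and the code reads the certificate without verifying the signature itself (the Android installer does that at install time, which is what makes pinning meaningful).

```python
import hashlib, io, zipfile

def der_tlv(buf, pos):
    """Parse one DER element at pos: (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length

def der_children(buf, start, end):
    """Yield (tag, element_start, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve, nxt = der_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = nxt

def signer_certs_from_pkcs7(blob):
    """DER bytes of every certificate carried in a PKCS#7 SignedData block (META-INF/*.RSA)."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    _, vs, ve, _ = der_tlv(blob, 0)
    _, _, wrap_vs, _ = list(der_children(blob, vs, ve))[1]
    _, sd_vs, sd_ve, _ = der_tlv(blob, wrap_vs)
    # SignedData ::= SEQUENCE { version, digestAlgs, encapContentInfo, certificates [0] IMPLICIT OPTIONAL, ... }
    certs = []
    for tag, _, fvs, fve in der_children(blob, sd_vs, sd_ve):
        if tag == 0xA0:                    # [0] IMPLICIT SET OF Certificate
            certs += [blob[cs:ce] for _, cs, _, ce in der_children(blob, fvs, fve)]
    return certs

def apk_signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints (lowercase hex) of every v1 signer certificate in the APK."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps += [hashlib.sha256(c).hexdigest() for c in signer_certs_from_pkcs7(zf.read(name))]
    return fps

def apk_matches_pin(apk_bytes, pinned_sha256):
    """True only if the APK has a signature block and every signer is the pinned certificate."""
    fps = apk_signer_fingerprints(apk_bytes)
    return bool(fps) and all(fp == pinned_sha256.lower() for fp in fps)

# ---- constructed sample data: placeholder "certificates", not real X.509 ----
def der(tag, payload):
    """DER-encode one element; used only to build the sample APKs below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

GOOD_CERT = der(0x30, der(0x13, b"constructed: legitimate developer certificate"))
EVIL_CERT = der(0x30, der(0x13, b"constructed: key of whoever re-signed a trojaned build"))
GOOD_PIN = hashlib.sha256(GOOD_CERT).hexdigest()   # the value handed to units out of band

def build_sample_apk(cert_der, signed=True):
    """Minimal zip laid out like a v1-signed APK whose PKCS#7 block carries cert_der."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                      + der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")))  # id-data
                      + der(0xA0, cert_der) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702"))            # id-signedData
                + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"constructed placeholder, not real dex")
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()
```

Real APKs may also carry v2/v3 signing blocks outside the zip entries; apksigner verify --print-certs reports the same fingerprint for those, and the unsigned case (no META-INF block at all) must fail the pin rather than pass.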

Bong-Smoking Primitive Monkey-Brained Spook • December 30, 2016 9:51 AM

@Moz,

> Maybe from the fact I'm going for the message, not the messenger you can tell otherwise? You?

...

> What nobody here has mentioned, and I'm afraid this reflects badly

I disdain condescending remarks. Whether they apply to the message or the messenger, make little difference.

mostly harmful • January 3, 2017 6:39 PM

The GRU-Ukraine Artillery Hack That May Never Have Happened, by Jeffrey Carr
https://medium.com/@jeffreycarr/the-gru-ukraine-artillery-hack-that-may-never-have-happened-820960bbb02d

> Crowdstrike's core argument has three premises:
>
> 1. Fancy Bear (APT28) is the exclusive developer and user of X-Agent[1]
> 2. Fancy Bear developed an X-Agent Android variant specifically to compromise an Android ballistic computing application called Попр-Д30.apk for the purpose of geolocating Ukrainian D-30 Howitzer artillery sites[1]
> 3. The D-30 Howitzers suffered 80% losses since the start of the war[2].
>
> If all of these premises were true, then Crowdstrike's prior claim that Fancy Bear must be affiliated with the GRU would be substantially supported by this new finding. Dmitri [Alperovich] referred to it in the PBS interview[3] as "DNA evidence".
>
> In fact, none of those premises are supported by the facts. This article is a summary of the evidence that I've gathered during hours of interviews and background research with Ukrainian hackers, soldiers, and an independent analysis of the malware by CrySys Lab. My complete findings will be presented in Washington D.C. next week on January 12th at Suits and Spooks[4].

References:
1. https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/
2. https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf
3. http://www.pbs.org/newshour/bb/security-company-releases-new-evidence-russian-role-dnc-hack/
4. https://fhl.global/
