68 Guns

The Fancy Bear cyber espionage organisation is known by several pseudonyms. It is widely suspected of being part of Russia’s GRU military intelligence service.

Russia’s use of malware to target Ukrainian artillery marks an important step in the application of tactical cyber warfare.

The UK’s Defence Science and Technology Laboratory’s Operating in the Future Electromagnetic Environment (OFEME) symposium on 23rd/24th November gave a tantalising glimpse into Russian cyber warfare. The event, held in London and online, included a presentation by Duncan McCrory. Mr. McCrory, an engineer and PhD candidate at London’s King’s College, highlighted the use of a Russian cyberattack tool called X-Agent. This was part of his wider presentation on Russian cyber and electronic warfare, and information operations.

Mr. McCrory said that X-Agent was malware used to infect computers running the Android operating system that were used by Ukrainian Army artillery. He cited evidence from cyber security firm CrowdStrike that X-Agent had been deployed by a Russian cyber espionage group called Fancy Bear.

Fancy Bear has several other pseudonyms including Pawn Storm, Sofacy Group, Sednit, Tsar Team and Strontium. These appellations are used by various cyber security organisations. Government agencies including the UK’s Foreign and Commonwealth Office stated with medium confidence that Fancy Bear was close to Russia’s GRU military intelligence service. Similar assessments have been made in the US. The Special Counsel Investigation on Russian interference in the 2016 US presidential election flagged Fancy Bear as being the work of the GRU.

The use of the malware in a counter-battery role was identified by CrowdStrike in 2016. CrowdStrike’s analysis said that a Ukrainian artillery officer had developed a legitimate Android software application called Correction-D30. This was to ease fire control for the PJSC 2A18/D-30 122mm howitzers used by the Ukrainian Army. The goal was to reduce the howitzers’ targeting time from several minutes to under 15 seconds.

X-Agent is believed to have infected Correction-D30, allowing details of communications and location data to be stolen. CrowdStrike’s analysis determined that X-Agent may have been deployed from 2013. Russia commenced her intervention in Ukraine one year later. CrowdStrike estimates that the infection of Android devices used by Ukrainian gunners may have occurred from 2014.

The 2A18/D-30 122mm howitzer was deployed by the Ukrainian Army during Ukraine’s civil war. D-30 gunners were targeted by Russian X-Agent malware.

No information appears in the public domain regarding how X-Agent was inserted into these Android devices, nor was this discussed in Mr. McCrory’s presentation.

It is almost certain that this was done wirelessly. That would require an electronic attack to inject the malware into the Android device. Russia deployed a myriad of Electronic Warfare (EW) systems into the Ukraine theatre as part of her intervention. Armada has extensively chronicled these systems in previous articles. Ground EW systems would need a line-of-sight range to these devices to perform such an attack. As this could potentially place these platforms in range of Ukrainian artillery, these seem unlikely delivery systems. Ukrainian Army sources have told Armada that Russian ground-based EW assets are usually deployed far from the frontline. Instead, the Russian Army’s Special Technological Centre (STC) RB-341V Leer-3 EW system may have been used for this task.

The RB-341V Leer-3 comprises three STC Orlan-10 Uninhabited Aerial Vehicles (UAVs) equipped with EW payloads. Open sources state that these payloads detect emissions from wireless devices using GSM (Global System for Mobile Communications) protocols. GSM frequencies inhabit wavebands of 900 megahertz to 1.9 gigahertz. The Orlan-10 has a published ceiling of over 16,000 feet (5,000 metres). This would give it a potential stand-off range of up to 205 nautical miles (380 kilometres). From some distance away, the UAVs could potentially detect transmissions from Android devices used by Ukrainian gunners. They could then infect these devices with X-Agent. Once the devices were infected, Russian gunners could use the stolen data to determine the position of Ukrainian artillery and employ counter-battery fire.


The use of X-Agent has significant implications. Traditionally, armies have relied on counter-battery radar, or air or land-based reconnaissance to find hostile artillery. Using malware adds another artillery reconnaissance method. In short, it gives armies and gunners more to worry about. Computerised fire control assists artillery no end and greatly accelerates the response to calls for fire. However, while Correction-D30 was rightly seen as a strength for the Ukrainian Army, it paradoxically became a vulnerability.

The whole affair graphically underscores the importance of blue force emission control, which was stressed by Mr. McCrory. He also emphasised the need for training in representative electromagnetically contested environments, and the development of joint cyber and electromagnetic resilience requirements.

Estimates by the IISS state that the Ukrainian Army may have lost up to 20 percent of their 2A18/D-30 inventory during the Ukrainian civil war.

Figures compiled by Henry Boyd, research fellow for defence and military analysis at London’s International Institute for Strategic Studies, graphically demonstrate Ukrainian artillery losses. Mr. Boyd states that Ukraine lost between 15 and 20 percent of her pre-war 2A18/D-30 inventory. It seems all but certain that X-Agent will have helped the Russian Army target these guns and their personnel.

by Dr. Thomas Withington