CrowdStrike Revises Russian Hack Into Ukrainian Artillery

It’s the same report that claimed Russian groups used malware on the DNC.

Cybersecurity firm CrowdStrike recently revised a report from December that insisted that the group “Fancy Bear,” which has ties to Russian intelligence, used malware to hack into Ukrainian artillery. In the same report, the firm said “Fancy Bear” used the same malware to “hack” into the American election.

Well, British think tank International Institute for Strategic Studies (IISS) found that CrowdStrike “erroneously used IISS data as proof of the intrusion.” This also calls into question its findings of meddling in our election.

The Original Report

CrowdStrike produced its report on December 22, 2016. The company’s co-founder Dmitri Alperovitch stated that the firm found the “malware used to track Ukrainian artillery units was a variant of the kind used to hack into the Democratic National Committee.” He stressed that whoever deployed the malware had to have been in communication with the Russian military:

The implant leveraged a legitimate Android application developed by a Ukrainian artillery officer to process targeting data more quickly, CrowdStrike said.

Its deployment “extends Russian cyber capabilities to the front lines of the battlefield,” the report said, and “could have facilitated anticipatory awareness of Ukrainian artillery force troop movement, thus providing Russian forces with useful strategic planning information.”

Downloads of the legitimate app were promoted on pages used by Ukrainian artillery on vKontakte, a Russian social media website, CrowdStrike said. There is no evidence the application was made available in the Android app store, limiting its distribution, the firm said.

The report cited the IISS findings by way of a Russian blogger:

“Between July and August 2014, Russian-backed forces launched some of the most-decisive attacks against Ukrainian forces, resulting in significant loss of life, weaponry and territory,” CrowdStrike wrote in its report, explaining that the hack compromised an app used to aim Soviet-era D-30 howitzers.

“Ukrainian artillery forces have lost over 50% of their weapons in the two years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal,” the report said, crediting a Russian blogger who had cited figures from IISS.

Skepticism Mounted Immediately

Yaroslav Sherstyuk developed the Ukrainian military app. He lashed out at CrowdStrike on Facebook, calling the report “delusional.” He also expressed frustration that the firm never reached out to him.

It turns out CrowdStrike did not reach out to IISS either:

“The CrowdStrike report uses our data, but the inferences and analysis drawn from that data belong solely to the report’s authors,” the IISS said. “The inference they make that reductions in Ukrainian D-30 artillery holdings between 2013 and 2016 were primarily the result of combat losses is not a conclusion that we have ever suggested ourselves, nor one we believe to be accurate.”

One of the IISS researchers who produced the data said that while the think tank had dramatically lowered its estimates of Ukrainian artillery assets and howitzers in 2013, it did so as part of a “reassessment” and reallocation of units to airborne forces.

“No, we have never attributed this reduction to combat losses,” the IISS researcher said, explaining that most of the reallocation occurred prior to the two-year period that CrowdStrike cites in its report.

“The vast majority of the reduction actually occurs … before Crimea/Donbass,” he added, referring to the 2014 Russian invasion of Ukraine.

Ukraine’s military technical advisor Pavlo Narozhnyy said that malware could have infected the app, but someone would have spotted it:

“I personally know hundreds of gunmen in the war zone,” Narozhnyy told VOA in December. “None of them told me of D-30 losses caused by hacking or any other reason.”

In January, the Ukrainian Ministry of Defense also denied any hacking took place. The ministry also said the “artillery losses were many times smaller and not caused” by Russian hackers. The report said Ukraine lost 80% of its howitzers, which would mean the country had lost almost all of its biggest guns:

“The spread of false information leads to a heightening of social tensions and undermines people’s trust in Ukraine’s armed forces,” the defence ministry said.

What Changed?

That all changed last week when CrowdStrike made numerous changes to its initial report (emphasis mine):

The company removed language that said Ukraine’s artillery lost 80 percent of the Soviet-era D-30 howitzers, which used aiming software that purportedly was hacked. Instead, the revised report cites figures of 15 to 20 percent losses in combat operations, attributing the figures to IISS.

The company also removed language saying Ukraine’s howitzers suffered “the highest percentage of loss of any … artillery pieces in Ukraine’s arsenal.”

Finally, CrowdStrike deleted a statement saying “deployment of this malware-infected application may have contributed to the high-loss nature of this platform” — meaning the howitzers — and excised a link sourcing its IISS data to a blogger in Russia-occupied Crimea.

CrowdStrike spokeswoman Ilina Dmitrova told VOA that the firm changed its numbers on the artillery losses due to a conversation with Henry Boyd at IISS. She did not say why the firm decided now to contact the think tank.

What Does That Mean to America?

Like I said, it calls CrowdStrike’s reputation and statistics into question. As someone who despises Russia, I still want the truth. It’s sickening if the firm misrepresented data concerning the DNC because the left and Russian conspiracy theorists latched onto CrowdStrike’s report. Comey even stuck up for CrowdStrike during his Congressional hearing.

How does getting some statistics related purely to contextual fluff wrong call into question the credibility of their actual technical analysis? Their claim was not “this app must be hacked because there are high losses”, it was “here are the indicators that show this app was hacked. This could explain these high loss rates”.

It also seems clear that the Ukrainian military technical adviser doesn’t understand CrowdStrike’s claim, given his statement:

“I personally know hundreds of gunmen in the war zone. None of them told me of D-30 losses caused by hacking or any other reason.”

CrowdStrike’s claim is that the malware allows the attacker to track the device, not that it directly harms it.

There is so much more to this story.

Zero Hedge, speculation, but with lots of links

It is true that Obama Deputy Assistant Secretary of Defense, Evelyn Farkas, openly admitted to Spying On Trump Team And Leaking Of Intel. This is supported by video from MSNBC.

Ms. Farkas also had contact with the principal of CrowdStrike, founder Dmitri Alperovitch. Both of them are members of the Atlantic Council, which opposes any kind of co-operation with Russia, in favor of Ukraine.

I sympathize with the Ukraine. I think the Russians are dangerous and grasping. That is still no excuse for spying on an incoming administration and leaking in hopes of damaging it.

Ever since the Democrats voted to invade Iraq and then followed Tom Daschle’s big plan to ride the invasion of Iraq all the way to the White House, the Democrats at the national level have shown a disturbing tendency to sacrifice the interests of the United States (including the lives of its people) as well as the lives of people of other countries (Iraq, Syria, and Mexico come to mind) in favor of their personal political interests.

This is how they lost their base of self-educated Democratic voters.

    Awing1 in reply to Valerie. | March 29, 2017 at 12:13 pm

    Watched the entire video, where does she admit to spying on Trump or leaking intel? She said they had information on the Trump staff’s connection to Russia, and they feared Trump Admin would compromise the sources and methods through which they obtained that information if they found out what those sources and methods were. She doesn’t say whether those sources and methods were spying on Trump, human intel in the Kremlin, SigInt from purely foreign targets discussing Trump Team, or what. She also says she knows people were trying to get information to the hill, which is a common name for Congress, not that she was leaking to the New York Times. It’s amazing how often Zero Hedge posts the evidence that they’re wrong right in the article, and people still believe the article over its author’s own evidence.

      Petrushka in reply to Awing1. | March 29, 2017 at 1:17 pm

      Those methods seem to have involved getting intel from the Brits and passing it on to the New York Times. Nice work, while it lasts.

buckeyeminuteman | March 29, 2017 at 11:54 am

Liberals can differentiate between 97 separate genders but can’t see the difference between hacking the DNC’s server and hacking the entire election. Or the difference between legal and illegal immigration…

There are several things to remember about the DNC server intrusion and Russian responsibility.

The first is that no hard evidence has been presented that any external cyber intrusion of the DNC servers took place. Though such an intrusion may have occurred, it is equally possible that there was a physical intrusion by a staffer which resulted in the information loss. What the CrowdStrike forensic team said that they found on the DNC servers, not confirmed by any acknowledged government forensic examination, were signatures of software routinely used by two hacker organizations which are thought to be affiliated with the FSB and/or the GRU, Cold Bear and Fancy Bear. It was assumed that both organizations were engaged in spear phishing operations intended to secure various passwords to email accounts. No hard evidence that either of these organizations is, in fact, part of the Russian intelligence apparatus has ever been provided, nor has any evidence been provided that proves that either of these organizations actually was responsible for the copying of the emails later released by Wikileaks. This is all supposition.

The second thing is the methodology used by CrowdStrike to arrive at “analytical” conclusions. As every investigator quickly learns, it is always tempting to derive a theory from just a few facts and then to concentrate on other facts which support that theory. However, it is a far better method to gather all the facts that are available and linked to the occurrence in any way and then use those facts to build your theory. As soon as a reasonable case for causation by another source can be made, a particular theory cannot be said to be truth. Also, the facts used to support or develop a specific theory have to be proven to be accurate and must be available for widespread evaluation.

Now, the theory that Russia, or Russian affiliates, was responsible for the copying of the DNC emails may well be true. But it is equally possible that it was the work of a person who had direct access to the server files. What CrowdStrike and US intelligence agencies did was to make a guess, then rate that guess as to reliability [based upon unknown criteria], and people are now treating that guess as proven fact. And guesses are often proven wrong.

    Mac45 in reply to Mac45. | March 29, 2017 at 12:14 pm

    Correction: substitute “Cozy Bear” for “Cold Bear”. I apologize for the error.

    Casey in reply to Mac45. | March 29, 2017 at 12:45 pm

    I thought that the phishing aspect was fairly well-established at this point. So really what we know is squat.


    Petrushka in reply to Mac45. | March 29, 2017 at 1:20 pm

    I’m still waiting for Comey to show some interest in the fact that he can’t conduct an investigation into Hillary’s server because she destroyed the evidence. Isn’t that at least a misdemeanor?

I would think that Russia has a lot more damaging information than the stupid DNC and John Podesta emails. This has all the markings of the deep state helping drive a narrative to undermine Trump.

The so-called rebels, including ethnic Ukrainians, Jews, Russians, and others, are refugees of a Western-backed coup in Kiev. It’s not Russia that invaded Ukraine, but rather an assembly of leftists, neo-Nazis, social justice adventurists, natural resource scavengers, and anti-native factions.

… the “malware used to track Ukrainian artillery units was a variant of the kind used to hack into the Democratic National Committee.”

So it isn’t the same malware. Sorry, at that point, the trail goes cold.

You can’t pin an assault on someone because fingerprints found on a weapon are a variant of those found on the suspect.