{
  "Event": {
    "analysis": "2",
    "date": "2016-12-22",
    "extends_uuid": "",
    "info": "OSINT - Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units",
    "publish_timestamp": "1482412774",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1482412759",
    "uuid": "585bd19b-43a4-4b35-9023-4d60950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#12e000",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Sofacy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c9800",
        "local": false,
        "name": "misp-galaxy:tool=\"X-Agent\"",
        "relationship_type": ""
      },
      {
        "colour": "#00223b",
        "local": false,
        "name": "osint:source-type=\"blog-post\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:white",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1482412480",
        "to_ids": false,
        "type": "comment",
        "uuid": "585bd1c0-3154-4180-ad13-19c8950d210f",
        "value": "In June CrowdStrike identified and attributed a series of targeted intrusions at the Democratic National Committee (DNC), and other political organizations that utilized a well known implant commonly called X-Agent. X-Agent is a cross platform remote access toolkit, variants have been identified for various Windows operating systems, Apple\u00e2\u20ac\u2122s iOS, and likely the MacOS. Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade, CrowdStrike associates the use of X-Agent with an actor we call FANCY BEAR. This actor to date is the exclusive operator of the malware, and has continuously developed the platform for ongoing operations which CrowdStrike assesses is likely tied to Russian Military Intelligence (GRU). The source code to this malware has not been observed in the public domain and appears to have been developed uniquely by FANCY BEAR.\r\n\r\nLate in the summer of 2016, CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named \u00e2\u20ac\u02dc\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk\u00e2\u20ac\u2122 (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature. Initial research identified that the filename suggested a relationship to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s but still in use today. In-depth reverse engineering revealed the APK contained an Android variant of X-Agent, the command and control protocol was closely linked to observed Windows variants of X-Agent, and utilized a cryptographic algorithm called RC4 with a very similar 50 byte base key."
      },
      {
        "category": "Payload delivery",
        "comment": "CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named \u00e2\u20ac\u02dc\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk\u00e2\u20ac\u2122 (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1482412508",
        "to_ids": true,
        "type": "md5",
        "uuid": "585bd1dc-9354-4c00-b6a6-19c8950d210f",
        "value": "6f7523d3019fa190499f327211e01fcb"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1482412525",
        "to_ids": false,
        "type": "link",
        "uuid": "585bd1ed-a290-48d1-be47-49fa950d210f",
        "value": "https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/"
      },
      {
        "category": "Payload delivery",
        "comment": "Late in the summer of 2016, CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named \u00e2\u20ac\u02dc\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk\u00e2\u20ac\u2122 (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1482412678",
        "to_ids": true,
        "type": "filename",
        "uuid": "585bd286-c11c-4b6e-a08e-4e1f950d210f",
        "value": "\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk"
      },
      {
        "category": "Network activity",
        "comment": "Snort rule matches on the X-Agent-Android C2 beacon request",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1482412723",
        "to_ids": true,
        "type": "snort",
        "uuid": "585bd2b3-1e1c-462f-b7e4-473f950d210f",
        "value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (\\\r\nmsg: \u00e2\u20ac\u0153CrowdStrike FANCY BEAR X-Agent Android C2 Request\u00e2\u20ac\u009d; \\\r\nflow: established,to_server; \\\r\ncontent: \u00e2\u20ac\u0153lm=\u00e2\u20ac\u009d; http_uri; \\\r\npcre: \u00e2\u20ac\u0153/^\\/(watch|search|find|results|open|close)\\/\\?/U\u00e2\u20ac\u009d; \\\r\npcre: \u00e2\u20ac\u0153/[\\?\\&](text|from|ags|oe|aq|btnG|oprnd)=/U\u00e2\u20ac\u009d; \\\r\nclasstype: trojan-activity; metadata: service http; \\\r\nsid: XXXX; rev: 20160815;)"
      },
      {
        "category": "Payload delivery",
        "comment": "CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named \u00e2\u20ac\u02dc\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk\u00e2\u20ac\u2122 (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature. - Xchecked via VT: 6f7523d3019fa190499f327211e01fcb",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1482412759",
        "to_ids": true,
        "type": "sha256",
        "uuid": "585bd2d7-d830-46c3-a138-471502de0b81",
        "value": "02de72e43d578c45d9d6359299cb2d47771081617ff01363b736414eb831deea"
      },
      {
        "category": "Payload delivery",
        "comment": "CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named \u00e2\u20ac\u02dc\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk\u00e2\u20ac\u2122 (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature. - Xchecked via VT: 6f7523d3019fa190499f327211e01fcb",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1482412760",
        "to_ids": true,
        "type": "sha1",
        "uuid": "585bd2d8-a480-435c-b1bb-461802de0b81",
        "value": "c492d80fc6797b06105a20b98a0263b239d2ea27"
      },
      {
        "category": "External analysis",
        "comment": "CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named \u00e2\u20ac\u02dc\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk\u00e2\u20ac\u2122 (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature. - Xchecked via VT: 6f7523d3019fa190499f327211e01fcb",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1482412760",
        "to_ids": false,
        "type": "link",
        "uuid": "585bd2d8-8c28-442d-8e18-474a02de0b81",
        "value": "https://www.virustotal.com/file/02de72e43d578c45d9d6359299cb2d47771081617ff01363b736414eb831deea/analysis/1482411451/"
      }
    ]
  }
}