CROWDSTRIKE GLOBAL INTELLIGENCE TEAM
web: WWW.CROWDSTRIKE.COM | twitter: @CROWDSTRIKE
Copyright 2016
U S E O F FANCY BEAR A N D R O I D M A L WA R E I N T R A C K I N G O F U K R A I N I A N F I E L D A R T I L L E R Y U N I T S
P U B L I S H E D D E C E M B E R 2 2
K E Y P O I N TS• From late 2014 and through 2016, FANCY BEAR X-Agent implant
was covertly distributed on Ukrainian military forums within a
legitimate Android application developed by Ukrainian artillery
officer Yaroslav Sherstuk.
• The original application enabled artillery forces to more rapidly
process targeting data for the Soviet-era D-30 Howitzer employed
by Ukrainian artillery forces reducing targeting time from
minutes to under 15 seconds. According to Sherstuk’s interviews
with the press, over 9000 artillery personnel have been using
the application in Ukrainian military.
• Successful deployment of the FANCY BEAR malware within
this application may have facilitated reconnaissance against
Ukrainian troops. The ability of this malware to retrieve
communications and gross locational data from an infected
device makes it an attractive way to identify the general location
of Ukrainian artillery forces and engage them.
• Open source reporting indicates that Ukrainian artillery forces
have lost over 50% of their weapons in the 2 years of conflict and
over 80% of D-30 howitzers, the highest percentage of loss of any
other artillery pieces in Ukraine's arsenal.
• This previously unseen variant of X-Agent represents FANCY
BEAR’s expansion in mobile malware development from iOS-
capable implants to Android devices, and reveals one more
component of the broad spectrum approach to cyber operations
taken by Russia-based actors in the war in Ukraine.
• The collection of such tactical artillery force positioning
intelligence by FANCY BEAR further supports CrowdStrike’s
previous assessments that FANCY BEAR is likely affiliated with
the Russian military intelligence (GRU), and works closely with
Russian military forces operating in Eastern Ukraine and its
border regions in Russia.
“
O P E N -S O U R C E R E P O R T I N G I N D I C AT E S
L O S S E S O F A L M O S T 5 0 % O F E Q U I P M E N T I N T H E L A S T 2 Y E A R S O F C O N F L I C T A M O N G S T
U K R A I N I A N A R T I L L E R Y F O R C E S A N D O V E R 8 0 %
O F D -3 0 H O W I T Z E R S W E R E L O S T, F A R M O R E
T H A N A N Y O T H E R P I E C E O F U K R A I N I A N A R T I L L E R Y 9 .
”
BACKGROUNDIn late June and August 2016, CrowdStrike Intelligence provided initial
reporting and technical analysis of a variant of the FANCY BEAR implant
X-Agent that targeted the Android mobile platform2. CrowdStrike
identified this X-Agent variant within a legitimate Android application
named Попр-Д30.apk. This app was developed and used by artillery
troops to simplify targeting data for the D-30 towed howitzer. CrowdStrike
investigation reveals that this app has been utilized in a possible training
or operational role in at least one unit of the Ukrainian military. Therefore,
the implant likely targeted military artillery units operating against pro-
Russian separatists in Eastern Ukraine.
This implant represents further advancements in FANCY BEAR’s
development of mobile malware for targeted intrusions and extends
Russian cyber capabilities to the front lines of the battlefield. This Tipper
builds on CrowdStrike’s previous reporting by providing a timeline
of events, contextual discussion regarding the potential drivers for
development and deployment of the malware, and a description of the
analytical process resulting in targeting assessments. Finally, this Tipper
leverages these assessments, in conjunction with more recently observed
activity by Russia-based adversaries, to determine the potential for any
future activity in the mobile malware threat space.
“
C R O W D S T R I K E I D E N T I F I E D T H I S
X- A G E N T VA R I A N T W I T H I N A L E G I T I M AT E
A N D R O I D A P P L I C AT I O N N A M E D
T H I S A P P WA S D E V E L-O P E D A N D U S E D B Y
A R T I L L E R Y T R O O P S T O S I M P L I F Y TA R G E T I N G
D ATA F O R T H E D -3 0 T O W E D H O W I T Z E R
”
Ru
ss
ia o
ffe
rs
Uk
rain
e l
oa
ns
an
d
dis
co
un
ts o
n g
as
Re
fere
nd
um
on
C
rim
ea
/Cri
me
an
a
nn
ex
ati
on
Ga
zpro
m i
nc
rea
se
s
ga
s p
ric
es
, Uk
rain
e
sk
ips
pa
ym
en
t
Intr
us
ion
s i
nto
U
kra
ine
’s
Tra
ns
po
rta
tio
n
Se
cto
r
Pre
sid
en
tia
l
Ele
cti
on
s i
n
Uk
rain
e
DD
oS
an
d t
arg
ete
d
intr
us
ion
s i
n m
ed
ia,
fin
an
cia
l, &
po
liti
ca
l e
nti
tie
s i
n U
kra
ine
Ma
lic
iou
s A
pp
O
bs
erv
ed
in
D
istr
ibu
tio
n o
n F
oru
ms
Pro
tes
ts r
ea
ch
th
eir
p
ea
k, g
ov
’t c
rac
ks
do
wn
v
iole
ntl
y;
ag
ree
me
nt
rea
ch
ed
fo
r e
lec
tio
ns
;
Ya
nu
ko
vic
h f
lee
s t
o
Ru
ss
ia
Arm
ed
me
n a
pp
ea
r
in u
nm
ark
ed
un
ifo
rms
in
Cri
me
a
DD
oS
v
s. N
AT
O
Pro
-Ru
ss
ian
fo
rce
s b
eg
in
se
izin
g
go
ve
rnm
en
t re
so
urc
es
in
E
as
tern
Uk
rain
e
Intr
us
ion
ag
ain
st
Uk
rain
e’s
Ce
ntr
al
Ele
cti
on
C
om
mis
sio
n
Ma
lay
sia
Air
Fli
gh
t M
H17
de
str
oy
ed
b
y p
ro-R
us
sia
n
Se
pa
rati
sts
Min
sk
I
Ce
as
efi
re
Sig
ne
d Vid
eo
de
pic
tin
g
us
e o
f П
оп
р-Д
30
a
pp
lic
ati
on
in
e
as
tern
Uk
rain
e
Ea
rlie
st
pu
bli
c
rep
ort
ing
on
th
e A
nd
roid
Ap
p
de
ve
lop
ed
by
the
U
kra
inia
n s
old
ier
Cy
be
rBe
rku
t
Em
erg
es
JAN
FEB
MAR
APR
MAY
JUNE
JULY
AUG
SEPT
OCT
NOV
DEC
JAN
FEB
MAR
APR
MAY
JUNE
JULY
AUG
SEPT
OCT
NOV
DEC
ПОПР-Д
30
DE
VE
LO
PE
D 2
0 F
EB
-
13
AP
R
Uk
rain
e’s
Pa
rlia
me
nt
co
nv
en
es
an
d p
lan
s t
o l
ay
fou
nd
ati
on
fo
r E
U
As
so
cia
tio
n A
gre
em
en
t
UK
R P
res
. Y
an
uk
ov
yc
h d
oe
s
ab
ou
t fa
ce
on
p
lan
ne
d E
U a
gre
e-
me
nt,
ori
en
ts
tow
ard
s R
us
sia
Pro
tes
t m
ov
em
en
t b
eg
ins
in
Kie
v
Ind
ivid
ua
l b
eli
ev
ed
to
be
th
e
de
ve
lop
er
pro
mo
tes
An
dro
id
Ap
p o
n R
us
sia
n S
oc
ial
Me
dia
S
ite
vK
on
tak
teK
rem
lin
th
rea
ten
s U
kra
ine
o
ve
r E
U a
gre
em
en
t
An
on
Op
s v
s.
Uk
rain
e G
ov
’t W
eb
-s
ite
s -
De
fac
em
en
ts
an
d D
Do
S
2013
2014
LIK
ELY
RU
SS
IA-B
AS
ED
RE
CO
NN
AIS
SA
NC
E O
F U
KR
AIN
IAN
GO
VE
RN
ME
NT
AN
D/O
R M
ILIT
AR
Y T
AR
GE
TS
AR
ME
D C
ON
FL
ICT
IN
UK
RA
INE
MA
LIC
IOU
S A
PP
DIS
TR
IBU
TIO
NP
OS
SIB
LE
DE
VE
LO
PM
EN
T T
IME
FR
AM
E:
MA
LIC
IOU
S X
-AG
EN
T I
MP
LA
NT
IN
JE
CT
FO
R П
ОПР-Д
30
LA
TE
AP
RIL
20
13 -
EA
RLY
DE
CE
MB
ER
20
14
LEGEND
E
ve
nts
as
so
cia
ted
wit
h t
he
An
dro
id a
pp
I
nte
rna
tio
na
l E
ve
nts
or
Dip
lom
ac
y E
ffo
rts
U
kra
inia
n D
om
es
tic
Aff
air
s
T
arg
ete
d I
ntr
us
ion
, DD
oS
or
Dis
info
rma
tio
n
R
us
sia
n /
Uk
rain
ian
Co
nfr
on
tati
on
JAN
FEB
MAR
APR
MAY
JUNE
JULY
AUG
SEPT
OCT
NOV
DEC
JAN
FEB
MAR
APR
MAY
JUNE
JULY
AUG
SEPT
OCT
NOV
DEC
De
ve
lop
er
of
be
nig
n
ap
p p
rom
ote
d w
ith
in
Uk
rain
ian
mil
ita
ryP
ro-R
us
sia
n H
ac
kti
vis
t G
rou
p S
pru
t E
me
rge
s
Cri
me
a l
ac
ks
e
lec
tric
ity
aft
er
ph
ys
ica
l a
tta
ck
Cy
be
r a
tta
ck
s
ag
ain
st
Uk
rain
ian
p
ow
er
sta
tio
ns
Att
ac
k o
n K
iev
A
irp
ort
Sy
ste
m
Re
po
rte
d t
es
tin
g
pe
rio
d f
or
Art
OS N
ew
s s
tory
as
so
cia
tin
g
ap
p a
uth
or
as
he
ad
of
the
A
rtO
S p
roje
ct,
a j
oin
t e
n-
de
av
or
wit
h t
he
No
os
ph
ere
E
ng
ine
eri
ng
Sc
ho
ol
Fo
rum
s d
isc
us
sin
g t
he
ap
p
an
d c
laim
ing
to
be
as
so
cia
t-e
d w
ith
th
e d
ev
elo
pe
rs u
se
rs
are
ca
lle
d o
ut
as
fra
ud
ule
nt
so
me
us
ers
cla
im c
op
y a
pp
s
are
dis
trib
uti
ng
ma
lwa
re
Fir
st
Min
sk
Ce
as
efi
re
Co
lla
ps
es
Min
sk
II
Pro
toc
ol
s
ign
ed
Targ
ete
d i
ntr
us
ion
s
ag
ain
st
Uk
rain
e’s
M
inis
try
of
De
fen
se
2015
2016
LIK
ELY
RU
SS
IA-B
AS
ED
RE
CO
NN
AIS
SA
NC
E O
F U
KR
AIN
IAN
GO
VE
RN
ME
NT
AN
D/O
R M
ILIT
AR
Y T
AR
GE
TS
AR
ME
D C
ON
FL
ICT
IN
UK
RA
INE
MA
LIC
IOU
S A
PP
DE
VE
LO
PM
EN
T,
DE
PL
OY
ME
NT
, A
ND
US
AG
E T
IME
FR
AM
E L
AT
E A
PR
IL 2
013
- A
ND
BE
YO
ND
LEGEND
E
ve
nts
as
so
cia
ted
wit
h t
he
An
dro
id a
pp
I
nte
rna
tio
na
l E
ve
nts
or
Dip
lom
ac
y E
ffo
rts
U
kra
inia
n D
om
es
tic
Aff
air
s
T
arg
ete
d I
ntr
us
ion
, DD
oS
or
Dis
info
rma
tio
n
R
us
sia
n /
Uk
rain
ian
Co
nfr
on
tati
on
Cy
be
rBe
rku
t R
ele
as
es
In
fo
As
so
cia
ted
Wit
h C
laim
ed
In
tru
sio
n i
nto
Uk
rain
e’s
S
ec
uri
ty S
erv
ice
SB
U
Cy
be
rBe
rku
t D
efa
ce
s
Be
llin
gc
at
We
bs
ite
“
T H E O R I G I N A L , B E N I G N A P P L I C AT I O N E N A B L E D A R T I L L E R Y
F O R C E S T O M O R E R A P I D LY P R O C E S S
TA R G E T I N G D ATA F O R T H E D -3 0 H O W I T Z E R
R E D U C I N G TA R G E T I N G T I M E F R O M M I N U T E S
D O W N T O 1 5 S E C O N D S .
”
T IME L I N E O F E V EN TS
DEVELOPMENT AND DISTRIBUTION PROCESS OF THE BENIGN APPLICATIONThe original application central to this discussion, Попр-Д30.apk, was
initially developed domestically within Ukraine by a member of the 55th
Artillery Brigade. Based on the file creation timestamps as well as the
app signing process, which occurred on 28 March 2013, CrowdStrike has
determined that the app was developed sometime between 20 February
and 13 April 2013.
Shortly after that time frame, on 28 April 2013, an individual bearing the
same name as the application’s developer promoted the application
on Russian vKontakte3 pages associated with the artillery forces. The
promotion of the program was likely limited to social media, and the
distribution was controlled from the author’s main page, «Програмное
обеспечение современного боя» (translation: "Modern combat software").4
As an additional control measure, the program was only activated for
use after the developer was contacted and issued a code to the individual
downloading the application.
No evidence of the application has been observed on the Android app
store, making it unlikely that the app was distributed via that platform.
The control measures established by the developer to limit the use and
proliferation of the Попр-Д30.apk application, coupled with its unique
purpose, make its broad distribution on the Android store improbable.
At the time of this writing, it is unclear to what degree and for how
long this specific application was utilized by the entirety of the
Ukrainian Artillery Forces. Based on open source reporting, social
media posts, and video evidence, CrowdStrike assesses that Попр-Д30.apk
was potentially used through 2016 by at least one artillery unit operating
in eastern Ukraine.
RECONNAISSANCE, DEVELOPMENT AND DISTRIBUTION OF THE MALICIOUS APPLICATION RECONNAISSANCE
Given the estimated development timeframe and the promotional period
for the benign Попр-Д30.apk application, the program was likely available
online for distribution after late April 2013. CrowdStrike Intelligence
assesses that the application likely came to the attention of Russia-
based adversaries around this time frame as a result of ongoing Russian
reconnaissance associated with the revolution in Ukraine. Actors with a
nexus to Russia regularly monitor social media sites in order to better
understand or formulate operations against their targets.
CrowdStrike Intelligence has noted instances in which some Russia-based
actors and attribution front groups have leveraged information obtained
from Ukrainian social media sites in order to perform operations. The
most notable recent example of this was in the case of extortion-based
threats directed against the Polish Government.5 In this particular case,
the perpetrators likely sought out openly available account information
from a vKontakte page belonging to a Ukrainian citizen, who was soliciting
donations to aid volunteer soldiers fighting in eastern Ukraine. The adversary
then used this profile information, in conjunction with the name "Pravyy
Sector," to make it appear as though the extortion threats against the Polish
government were originating from an ultranationalist Ukrainian group.
CrowdStrike has assessed that by performing this type of deceptive
operation the perpetrator likely sought to make it appear as though
Ukrainian interests were threatening the Polish government. In addition,
because the individual account hijacked for this operation had been used to
try to raise funds for Ukrainian forces, the adversary may have been trying to
aggravate Western governments enough to freeze the individual’s accounts.
The attack did not appear to achieve its intended result. Poland rebuffed the
threats, and the owner of the vKontakte page denounced any involvement
in the threat. Subsequently the Pravyy Sector group scrubbed their social
media page of much of the information associated with this failed operation.
This particular incident is an example of how a disinformation operation is
staged. While this incident is not likely to be related to the development of
the X-Agent Android variant, it demonstrates the reconnaissance and pre-
planning tactics that precede the rest of a campaign. Development
and Distribution
CrowdStrike has discovered indications that as early as 2015 FANCY BEAR
likely developed X-Agent applications for the iOS environment, targeting
"jailbroken" Apple mobile devices. The use of the X-Agent implant in the
original Попр-Д30.apk application appears to be the first observed case
of FANCY BEAR malware developed for the Android mobile platform. On 21
December 2014 the malicious variant of the Android application was first
observed in limited public distribution on a Russian language, Ukrainian
military forum. A late 2014 public release would place the development
timeframe for this implant sometime between late-April 2013 and early
December 2014.
“
F O R U K R A I N I A N T R O O P S , A R T I L L E R Y F O R C E S H AV E
A L S O S H O U L D E R E D AH E AV Y C O S T. I N 2
Y E A R S O F C O N F L I C T, T H E Y H AV E L O S T N E A R LY
5 0 % O F T H E I RA R T I L L E R Y P I E C E S A N D
O V E R 8 0 % O F D -3 0 H O W I T Z E R S , F A R M O R E
T H A N A N Y O T H E RP I E C E O F U K R A I N I A N
A R T I L L E R Y.
”
During that proposed development timeframe, a number of significant
events unfolded between Ukraine, Russia, and the international
community. Most notably, Russian attempts to influence Ukrainian-EU
relations resulted in the large-scale, Maidan protest movement, eventually
resulting in the ouster of then-president Victor YANUKOVYCH, the invasion
and annexation of the Crimean Peninsula by Russia, and the protracted
armed conflict in eastern Ukraine. Therefore, the creation of an application
that targets some of the front line forces pivotal in Ukrainian defense
on the eastern front would likely be a high priority for Russian adversary
malware developers seeking to turn the tide of the conflict in their favor.
CrowdStrike Intelligence has assessed that the distribution of the
malicious application targeted the very artillery units for which the benign
application was developed—brigades operating in eastern Ukraine on the
frontlines of the conflict with Russian-backed separatist forces during
the early stages of the conflict in late-2014. This assessment is based on a
number of factors, but chief among them is the likelihood that a military
member would only trust and use an application designed to calculate
something as critical as targeting data if it was developed and promoted
by a member of their own forces. The type of operational activity described
here suggests an extremely sophisticated understanding of the target that
only a skilled adversary would likely possess.
By late December 2014, the total number of Russian forces in the region
was approximately 10,000 troops.6 Because the Android malware could
facilitate gross position information, its successful deployment could
have facilitated anticipatory awareness of Ukrainian artillery force troop
movement, thus providing Russian forces with useful strategic planning
information. Indeed, the 55th Artillery Brigade and similar artillery units
operated frequently against pro-Russian separatists in eastern Ukraine.
A video posted on 18 October 20157 specifically shows them employing the
Попр-Д30.apk application and operating in the vicinity of eastern Ukraine.
The choice of the Russian language character set in the application further
underscores the targeting of forces within eastern Ukraine, as Russian is the
predominant language utilized in that region. An assessment of languages
spoken by region based on the most recent census information illustrates
the permeation of the Russian language in that region and highlights the
value of providing Russian in the malicious Попр-Д30.apk application.
One alternative theory regarding the use of the Russian language in the
application could be that targeting may have been directed at pro-Russian
“
C R O W D S T R I K E I N T E L L I G E N C E H A S
A S S E S S E D T H AT T H E D I S T R I B U T I O N O F T H E
M A L I C I O U S A P P L I C AT I O N TA R G E T E D T H E V E R Y
A R T I L L E R Y U N I T S F O R W H I C H T H E B E N I G N A P P L I C AT I O N WA S
D E V E L O P E D — B R I G A D E S O P E R AT I N G I N E A S T E R N
U K R A I N E O N T H E F R O N T L I N E S O F T H E
C O N F L I C T W I T H R U S S I A N - B A C K E D
S E PA R AT I S T F O R C E S D U R I N G T H E E A R LY
S TA G E S O F T H E C O N F L I C T I N L AT E -2 0 1 4 .
”
forces operating in eastern Ukraine. A relevant and likely counterargument for this theory, however, is that Russian
forces likely have employed fire support systems and other technologies that can already calculate targeting data,
negating the need for an application to perform this task. Additionally, the application was initially developed by a
member of the Ukrainian army. An opposing force would probably not adopt technology developed by the enemy for use
on the battlefield.
OUTCOMES AND CONCLUSIONThe eastern Ukrainian front has been markedly impacted by heavy fighting involving Russian troops and pro-Russian
rebel fighters deployed to this region. Artillery forces on both sides of the conflict have served an important role. For
Ukrainian troops, artillery forces have also shouldered a heavy cost. Open-source reporting indicates losses of almost
50% of equipment in the last 2 years of conflict amongst Ukrainian artillery forces and over 80% of D-30 howitzers were
lost, far more than any other piece of Ukrainian artillery 9.9
Between July and August 2014, Russian backed forces launched some of the most decisive attacks against Ukrainian
forces, resulting in significant loss of life, weaponry, and territory. According to open sources, Ukrainian service
personnel from the 24th and 72nd Mechanized Brigade, as well as the 79th Airborne Brigade, were among the units to
have suffered casualties. International monitoring groups later assessed some of the attacks were likely to have come
from inside Russian territory.10
A malware-infected Попр-Д30.apk application probably could not have provided all the necessary data required to
directly facilitate the types of tactical strikes that occurred between July and August 2014. Eyewitness accounts from
individuals within the impacted units reported seeing an unmanned aerial vehicle (UAV) used in the area prior to one
attack, underscoring the need for precise locational data for these particular strikes and introducing the possibility
U K R A N I A N
R U S S I A N
O T H E R
U N C L E A R
U K R A N I A N & R U S S I A N E Q U A L L Y
92.6% 78.2% 35.3% 37.4% 19.9%
2.9% 16.6% 38.4% 34.4% 34%
40.4%25.9%20%4.2%2%
W E S T C E N T E R S O U T H E A S T D O N B A S S
1.6% .4% 5.4% 1.3% 5.2%
.5%1%.9%.6%.9%
L A N G U A G E S S P O K E N B Y R E G I O N
Distribution of Russian/Ukrainian Language Use in Ukraine8
“
C R O W D S T R I K E I N T E L L I G E N C E A S S E S S E S
A T O O L S U C H A S T H I S H A S T H E P O T E N T I A L
A B I L I T Y T O M A P O U T A U N I T ’ S C O M P O S I T I O N
A N D H I E R A R C H Y, D E T E R M I N E T H E I R P L A N S , A N D E V E N
T R I A N G U L AT E T H E I R A P P R O X I M AT E L O C AT I O N
”
that the Android malware served to support the reconnaissance role of
traditional battlefield assets. Although traditional overhead intelligence
surveillance and reconnaissance (ISR) assets were likely still needed
to finalize tactical movements, the ability of this application to retrieve
communications and gross locational data from infected devices, could
provide insight for further planning, coordination, and tasking of ISR,
artillery assets, and fighting forces.
The X-Agent Android variant does not exhibit a destructive function and does
not interfere with the function of the original Попр-Д30.apk application.
Therefore, CrowdStrike Intelligence has assessed that the likely role of
this malware is strategic in nature. The capability of the malware includes
gaining access to contacts, Short Message Service (SMS) text messages,
call logs, and internet data, and FANCY BEAR would likely leverage this
information for its intelligence and planning value.
CrowdStrike Intelligence assesses a tool such as this has the potential
ability to map out a unit’s composition and hierarchy, determine their plans,
and even triangulate their approximate location. This type of strategic
analysis can enable the identification of zones in which troops are operating
and help prioritize assets within those zones for future targeting.
Additionally, a study provided by the International Institute of Strategic
Studies determined that the weapons platform bearing the highest losses
between 2013 and 2016 was the D-30 towed howitzer.11 It is possible that
the deployment of this malware infected application may have contributed
to the high-loss nature of this platform.
The development of the X-Agent Android malware represents an expansion
of FANCY BEAR capabilities in terms of mobile malware, and illustrates
the practical application of full-spectrum combat as envisioned in the
eponymous doctrinal writings of General Valery GERASIMOV. As a part
of full-spectrum operations in Ukraine, Russia-based adversaries have
leveraged malware on the battlefield, in the civil sector, and against
critical infrastructure. They have also engaged in aggressive information
operations in the media. In relation to this broader picture of Russian
computer operations, the approach to targeting mobile smartphone and
tablet devices in order to gain strategic insight into communications is a
tactic that cannot be disregarded.
CrowdStrike assesses that the observed and described X-Agent implant
targeting Ukrainian military Android devices running the Попр-Д30.apk
application is likely only the initial iteration of this type of malware. While
this malware was initially discovered in a battlefield environment, an
adversary could also leverage it in attacks against non-military targets.
Mobile devices and internet-connected technology have increasingly
proliferated civilian and military organizations. This technique may very
likely be deployed in the political, government, or non-governmental
sectors in the near future.
1-The name Попр-Д30.apk is an abbreviated variant of Поправки-Д30
which translates to Correction-D30.
2-For more information, contact CrowdStrike
3-vKontakte is a Russian social media networking site alike in layout
and functionality to Facebook.
4-http://programs-art.at.ua
5-For more information, contact CrowdStrike
Institute, March 2015, https://rusi.org/sites/default/files/201503_bp_
russian_forces_in_ukraine.pdf
7-https://www.youtube.com/watch?v=qp-7e_ZGH8I
8-Data for image circa 2015. Note: These maps do not provide data for
Crimea. According to various sources, there are estimates suggesting
that, in greater Crimea 80% speak Russian, 10% speak Ukrainian, and 10%
speak Tatar. The percentage of Russian speakers is estimated to be higher
in Sevastopol, most likely dues to the Russian Naval Base in the region.
Source: The Razumkov Center report on "The Ukranian Citizen's Identity in
razumkov.org.ua/upload/identi-2016.pdf.
9-http://thesaker.is/ukrainian-army-losses-in-ato-anti-terrorist-operation-
according-to-the-iisss-military-balance/
Military Positions in Eastern Ukraine between 14 July 2014 and 8 August
2014, "https://www.bellingcat.com/news/uk-and-europe/2015/02/17/
origin-of-artillery-attacks/."
“
T H E C O L L E C T I O N O F S U C H TA C T I C A L A R T I L L E R Y F O R C E
P O S I T I O N I N G I N T E L L I G E N C E B Y F A N C Y
B E A R F U R T H E R S U P P O R T S C R O W D S T R I K E ’ S
P R E V I O U S A S S E S S M E N T S T H AT F A N C Y B E A R I S L I K E LY
A F F I L I AT E D W I T H T H E R U S S I A N M I L I TA R Y
I N T E L L I G E N C E (G R U )
”