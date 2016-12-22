A Ukrainian howitzer moves near Debaltseve, eastern Ukraine, Feb. 8, 2015. Evgeniy Maloletka / AP

The source code in the malware is not public, Alperovitch said, which is one reason the company believes only Fancy Bear uses it.

In Thursday’s report, Crowdstrike says Fancy Bear used a variant of the malware to learn the locations of Ukrainian artillery positions in 2014, when that country was battling Russian-backed separatists.

The Russian spies did so ingeniously, according to Crowdstrike’s account, by injecting malware into an Android phone app being used by Ukrainian artillery soldiers to target separatists. The app was being used by artillerymen to speed their ability to target enemy positions using a D-30 Howitzer, Crowdstrike says.

A video posted on Oct. 18, 2015 shows Ukrainian forces employing the app and operating in the vicinity of eastern Ukraine.

But the Russians used the app to turn the tables on their foes, Crowdstrike says. Once a Ukrainian soldier downloaded it on his Android phone, the Russians were able to eavesdrop on his communications and determine his position through geo-location.

The app wasn’t the only factor, Crowdstrike said, but notes that Ukrainian units suffered

heavy losses in bombardment by separatists after the malware was deployed. Additionally, a study by the International Institute of Strategic Studies determined that the weapons platform bearing the highest losses between 2013 and 2016 was the D-30 towed howitzer.

“Between July and August 2014, Russian-backed forces launched some of the most decisive attacks against Ukrainian forces, resulting in significant loss of life, weaponry, and territory,” the report says.

“According to open sources, Ukrainian service personnel from the 24th and 72nd Mechanized Brigade, as well as the 79th Airborne Brigade, were among the units to have suffered casualties. International monitoring groups later assessed some of the attacks were likely to have come from inside Russian territory.”