“ It ’ s pretty high confidence that Fancy Bear had to be in touch with the Russian military , ” Dmitri Alperovich told Forbes . Crowdstrike ’ s core argument has three premises : If all of these premises were true , then Crowdstrike ’ s prior claim that Fancy Bear must be affiliated with the GRU [ 4 ] would be substantially supported by this new finding . Dmitri referred to it in the PBS interview as “ DNA evidence ” . In fact , none of those premises are supported by the facts . This article is a summary of the evidence that I ’ ve gathered during hours of interviews and background research with Ukrainian hackers , soldiers , and an independent analysis of the malware by CrySys Lab . My complete findings will be presented in Washington D.C. next week on January 12th at Suits and Spooks . Crowdstrike , along with FireEye and other cybersecurity companies , have long propagated the claim that Fancy Bear and all of its affiliated monikers ( APT28 , Sednit , Sofacy , Strontium , Tsar Team , Pawn Storm , etc . ) were the exclusive developers and users of X-Agent . If both a security company and a hacker collective have the X-Agent source code , then so do others , and attribution to APT28/Fancy Bear/GRU based solely upon the presumption of “ exclusive use ” must be thrown out . This doesn ’ t mean that the Russian government may not choose to use it . In fact , Sean Townsend believes that the Russian security services DO use it but he also knows that they aren ’ t the only ones . The first iteration of the POPR-D30 Android app designed by Ukrainian military officer Jaroslav Sherstuk ( and the only iteration allegedly impacted by this malware ) was a simple ballistics program that calculated corrections for humidity , atmospheric pressure , and other environmental factors that determine accuracy of the D-30 Howitzer . The Android APK malware doesn ’ t use GPS nor does it ask for GPS location information from the infected phone or tablet . That ’ s a surprising design flaw for custom-made malware whose alleged objective was to collect Attack.Databreach and transmit location data on Ukrainian artillery to the GRU . It does collect Attack.Databreach base station information but that isn ’ t nearly sufficient for targeting purposes . In rural areas , one base station could have a range of up to 30 kilometers ( 18.6 miles ) . Crowdstrike ’ s estimate of 80 % losses of the D-30 Howitzers came from one source — an article written by pro-Russian blogger Boris Rozhin , a resident of Crimea who writes for a blog called The Saker which he calls “ the voice of totalitarian propaganda ” Bloomberg journalist Leonid Bershidsky pointed out that the estimates “ appear to be based on an assumption that changes in military balance reports , themselves far from perfect , can be interpreted as losses . Ukraine , a nation at war , doesn ’ t broadcast information about its specific capabilities ” . Pavlo Narozhnyy , a Ukraine military advisor , told VOA that “ I personally know hundreds of gunmen in the war zone . None of them told me of D-30 losses caused by hacking or any other reason ” . Even Rozhin acknowledged that his interpretation of the International Institute of Strategic Studies ( IISS ) data needs work : “ Generally speaking , both methods have their advantages and disadvantages , as it is obvious that lost armour did not count everything destroyed , as well as that the loss of hardware ( counted based on staffing standards ) in some cases did not mean that it was destroyed . For example , some hardware lost after 2013 was left in Crimea and returned to Ukraine only partially . Some hardware could have existed only on paper and even before the war could have been non-repairable . This suggests that the real losses of the UA still need to be further researched to make the conclusions more precise ” . While the original POPR-D30 app was available for download online , users had to contact Sherstuk personally and provide their military credentials in order to receive a code for activation . There is no evidence that any of those users had their apps compromised by malware . In fact , Crowdstrike hasn ’ t provided any evidence that the malware-infected Android app was used by even a single Ukrainian soldier . Sherstuk himself stopped supporting the first version in 2015 [ 10 ] so how could Crowdstrike even begin to justify its claims as to the malware ’ s effectiveness ? Part of the evidence supporting Russian government involvement in the DNC and related hacks ( including the German Bundestag and France ’ s TV5 Monde ) stemmed from the assumption that X-Agent malware was exclusively developed and used by Fancy Bear . We now know that ’ s false , and that the source code has been obtained Attack.Databreach by others outside of Russia . The GRU , according to Crowdstrike , developed a variant of X-Agent to infect an Android mobile app in order to geolocate and destroy Ukraine ’ s D-30 howitzers . To do this , they chose an artillery app which had no way to send or receive data , and wrote malware for it that didn ’ t ask for GPS position information ? Crowdstrike never contacted the app ’ s developer to inform him about their findings . Had they performed that simple courtesy , they might have learned from Jaroslav Sherstuk how improbable , if not impossible , their theory was . Instead , they worked inside of their own research bubble , performed no verification of infected applications or tablets used by Ukraine ’ s artillery corps , and extrapolated an effect of 80 % losses based upon a self-proclaimed , pro-Russian propagandist and an imaginary number of infected applications .