
How Russian intelligence hacks into commanders’ phones: real detective story

Two years ago, the battalion commander of one of the Ukrainian infantry battalions shared a photo of his dugout, which had been completely destroyed. I’ve always tried to find out exactly what happened.

- "Early this morning, two ‘Krasnopol’ shells hit my dugout. I survived only because my room is located a bit further back inside the dugout."

- "Were other positions of yours shelled by ‘Krasnopols’?"

- "No."

- "You don’t line up personnel or concentrate vehicles near your dugout. What could have indicated it was your command post?"

- "I don’t know, probably someone local leaked it."

- "That’s impossible. There are many battalion positions around, with people and equipment moving about. The enemy drone couldn’t have identified your exact location, and locals wouldn’t be able to figure out where the commander’s post is. If there had been a massive strike on all positions with Krasnopol artillery, then one could suspect the drones were hitting everything. But they hit your camouflaged dugout specifically, meaning the enemy identified you as a priority target without any visible signs of exposure. That means data was leaked, and since other brigade headquarters weren’t attacked, it indicates a phone breach in your defense area, either yours or that of the officers sending coordinates via those phones. Change your phone, get a new iPhone, and don’t open attachments from anyone."

- "Okay, we’ll start looking."

Two days later:

- "Hi. I changed my phone and moved the command post. That location got hit again last night, two more Krasnopol strikes."

- "Is everyone alive?"

- "Yes. We just identified the location. I informed command of the new coordinates, but actually moved to the basement of a nearby ruined house. And immediately two Krasnopol shells hit the coordinates I gave."

- "Good that everyone’s alive, and now we know for sure, it’s a data leak from a phone, so we need to find out which one. Did you send the coordinates to anyone?"

- "I personally didn’t send them, so it wasn’t from me. We’re going to investigate now. I have to give coordinates if someone comes to see me."

- "Try sending coordinates as if you’ve moved the command post again, but actually provide a false location, about 300 meters away from the house where your duty officer will be stationed. That way, any commanders who come will find the duty officer and be led to you without any risk."

- "That’s exactly what we did, and now I’ll be sending false coordinates to every phone that had access to information about my previous command posts (CPs)."

A call two days later.

- "We found the phone from which the leak occurred. I informed the duty officer of the location of the new false command post, and he reported the false coordinates from his phone to the brigade headquarters. But during the night he made a mistake: he sent the coordinates not to headquarters but only to me, so those coordinates weren’t shared in any other messages. And a few hours later, two more Krasnopol shells hit that location again. I called the duty officer and counterintelligence; they confiscated the phone. It turned out that this phone was the only means of communication left to us by those who were here before. The previous battalion’s duty officer left the phone to our duty officer. The phone is an iPhone, but it had several command Signal chats installed for all units in this area, and for convenience, all operational information was shared through those chats. Counterintelligence discovered that spyware had been installed on the phone, most likely after someone opened a phishing message, and the malware gave the enemy access to all the data on that command handset. Now I have forbidden sending real coordinates of any of our positions and banned sharing any coordinates or timing of our operations in any group chats. Counterintelligence is now figuring out what to do next with the previous owners of that phone."

In light of the strike on the headquarters of the 110th Mechanized Brigade on July 2, it is clear that not all commanders at every level have established an information security system in their communications. Even now, numerous service members continue to post coordinates and schedules of various activities in shared group chats. When the enemy manages to hack any phone participating in those chats, they gain access to operational information, can refine that data, and can launch strikes that cause heavy casualties. I think a separate piece should be written about the 110th Brigade incident and the security measures that need to be formalised by orders, so we can set clear, war-appropriate rules.
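The false-coordinates method described in the story works as a canary: if every recipient is given a different decoy position, a single strike on one of them points at the device that leaked it. The following is an added illustration of that attribution logic, not code from the article or from any unit; the positions, recipient names and the 100 m match tolerance are constructed assumptions.

```python
# Added illustration (not the article's own code): assigning each recipient a
# distinct decoy ("canary") command-post location so that a strike on one decoy
# attributes the leak to the channel that received it. Coordinates are constructed.
import math

EARTH_RADIUS_M = 6_371_000.0
CANARY_DISTANCE_M = 300.0  # roughly the 300 m offset used in the story


def offset_point(lat, lon, bearing_deg, distance_m):
    """Destination point at distance_m along bearing_deg from (lat, lon)."""
    phi1, lam1 = math.radians(lat), math.radians(lon)
    theta, delta = math.radians(bearing_deg), distance_m / EARTH_RADIUS_M
    phi2 = math.asin(math.sin(phi1) * math.cos(delta)
                     + math.cos(phi1) * math.sin(delta) * math.cos(theta))
    lam2 = lam1 + math.atan2(math.sin(theta) * math.sin(delta) * math.cos(phi1),
                             math.cos(delta) - math.sin(phi1) * math.sin(phi2))
    return math.degrees(phi2), math.degrees(lam2)


def distance_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points (haversine)."""
    phi1, phi2 = math.radians(a[0]), math.radians(b[0])
    dphi, dlam = phi2 - phi1, math.radians(b[1] - a[1])
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.atan2(math.sqrt(h), math.sqrt(1 - h))


def assign_canaries(real, recipients, radius_m=CANARY_DISTANCE_M, min_separation_m=200.0):
    """One decoy per recipient, spread evenly on a circle around the real position.

    Raises ValueError when the decoys would sit too close together to be told apart.
    """
    n = len(recipients)
    if n > 1 and 2 * radius_m * math.sin(math.pi / n) < min_separation_m:
        raise ValueError("too many recipients for this radius: decoys would overlap")
    step = 360.0 / n
    return {r: offset_point(real[0], real[1], i * step, radius_m)
            for i, r in enumerate(recipients)}


def attribute_leak(event, canaries, real, tolerance_m=100.0):
    """Name the recipient whose decoy the event hit, 'real' if the true position
    was hit (a leak outside the canary set), or None if nothing matched."""
    candidates = dict(canaries, real=real)
    name, dist = min(((k, distance_m(event, p)) for k, p in candidates.items()),
                     key=lambda kv: kv[1])
    return name if dist <= tolerance_m else None


if __name__ == "__main__":
    real_cp = (48.5000, 37.5000)  # constructed sample position
    decoys = assign_canaries(real_cp, ["duty_officer", "hq_liaison", "company_1"])
    hit = offset_point(*decoys["hq_liaison"], 45, 40)  # constructed strike 40 m off a decoy
    print(attribute_leak(hit, decoys, real_cp))  # hq_liaison
```

The separation check matters in practice: with many recipients on a 300 m ring the decoys converge, and a strike could no longer be attributed to one device.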

Yurii Butusov, Censor.NET