Groza: Anatomy of a Hack
Recently, the Russian battlefield fires coordination application Groza suffered an embarrassing hack stemming from a so-far unclaimed cyber attack. Our colleagues began an investigation into Groza and what this means for its owners and the Russian military. The full data is available on our Proton Drive here:
https://drive.proton.me/urls/RQPY6YNC50#hIDatVjesTH9
The application, whose name means ‘Thunderstorm’, works hand-in-hand with another system called Glaz, or ‘Eye’. Glaz utilizes drones to identify targets on the battlefield; those targets can then be transmitted to commanders and fire teams using Groza devices, who prioritize and attack them, minimizing time delays in what is known as the Russian Reconnaissance Fire Complex (RFC).
The aim of the coordination between the systems is to drop the RFC response time for artillery, mortars, MLRS and tank crews down to 2-4 minutes, far less than manual shot adjustment would previously have taken. This unified system takes drone operators using the Glaz application and directly links them, in real time, to decision makers, fires coordinators and specialist ground units employing Groza systems, allowing near-seamless target transmission and integration.
An important feature of the Groza application is the operator’s ability to plot both friendly and enemy positions on the software mapping tool. This aids situational awareness alongside its core function of fire control and coordination. It is this mapping which appears to have been the subject of the cyber attack.
The application appears to be administered largely through Telegram groups, where admins provide support to end users and provide software updates for download.
From the information we received about the Telegram groups, a defacement occurred within Groza, covering Ukraine with Ukrainian colors, along with the message ‘Groza200’, certainly a reference to the Russian military code for KIA and surely intended to highlight the fact that the app’s functionality was ‘being killed’ in the cyber attack. Alongside these defacements was a crude anatomical drawing, strategically placed facing Moscow, a sure-fire way to make a point.
It is worth noting, however, that this map graffiti is far more than decoration. Users were seen complaining that they could not remove the images, which appeared to have been layered over the map. This likely means that the Russian end users could also not see any of their own inputted targeting data within the app, because of the layering. Users were noted as complaining that they could not remove the inputs from the map, and that when they did, more kept coming back, suggesting some kind of persistent access. One user was also seen suggesting they were coming under a psychological attack.
Here, a sad-looking Russian soldier is clearly unimpressed with being subject to repeat interference.
These repeated instances affecting multiple users, whilst admins struggle to remedy the situation, highlight significant insecurity in the application, especially given the emphasis Russia places on its employment in the armed forces and Groza’s extensive use in Ukraine.
When our team investigated the situation further, it became clear that whilst news articles avoid discussing the development and ownership of Groza, the information is there for those who wish to find it.

On the RosPatent website, the patent for Groza explains in reasonable detail what Groza does, who would use it, and lists the equipment and systems it works in coordination with. Also listed is the company that owns the patent: the Russian software development company Media Effect LLC. Media Effect is based in Moscow and is headed by General Director Andrey Yuryevich Shlishevsky.
Buried within Yandex Docs, colleagues found manuals for Groza. The documents run to well over a hundred pages of in-depth user guides for the application, covering its operation, the equipment it uses, the associated systems which enable Groza, and troubleshooting guides.

Our team also found an instructional video showcasing the relationship between Glaz and Groza. The five-minute video shows the screens of a Glaz device, a commander’s Groza device and a mortar team’s Groza device working in real time, with firing orders, calculations and shot correction.

This cyber attack clearly succeeded in breaching and compromising Groza’s systems, in what will be a deeply embarrassing situation for Media Effect and the Russian MOD. The fact that attackers were able to exploit obvious technical flaws, coupled with detailed manuals and videos being freely available online, highlights a casual approach to security. This is surprising, given the widespread use of and emphasis placed on Groza, but is possibly an indicator of a culture where security practices are disregarded, provided the system looks sleek and capable to decision makers.
