Confirmed evidence of cyber-warfare using GPS history data

Confirmed cases? Yes, at least two. One is Strava, and the other is Polar.

When Strava updated its global heat map, it showed some supposed desert areas full of activity. Who would go jogging, at night, in the desert? What about US soldiers?

An interactive map posted on the Internet that shows the whereabouts of people who use fitness devices such as Fitbit also reveals highly sensitive information about the locations and activities of soldiers at U.S. military bases, in what appears to be a major security oversight.

In war zones and deserts in countries such as Iraq and Syria, the heat map becomes almost entirely dark — except for scattered pinpricks of activity. Zooming in on those areas brings into focus the locations and outlines of known U.S. military bases, as well as of other unknown and potentially sensitive sites — presumably because American soldiers and other personnel are using fitness trackers as they move around.

Using fitness trackers will allow the enemy to detect the place, extrapolate the number of soldiers, the patrol patterns and paths, and even identify the soldiers. If you can identify someone who lives somewhere in Montana and suddenly spent 4 months in Pakistan, you can bet he is a soldier. And using the pace and heart rate, you can even say how fit the person is.

The Polar leak was even worse:

With two pairs of coordinates dropped over any sensitive government location or facility, it was possible to find the names of personnel who track their fitness activities dating as far back as 2014.

The reporters identified more than 6,400 users believed to be exercising at sensitive locations, including the NSA, the White House, MI6 in London, and the Guantanamo Bay detention center in Cuba, as well as personnel working on foreign military bases.

The Polar API allowed anyone to query any profile, public or private, without any rate limit. The user ID was pretty easy to predict, and 650k+ user profiles were downloaded, several GB of data. Just ask, and Polar would give it all.

The post shows lots of sensitive places (nuclear facilities, military bases, NSA headquarters, Guantanamo Bay facilities, among others) and could identify the users at those places, and even their home addresses, Facebook pages and personal pictures.

You don't need to think too much to realize the damage that can be done with all that information.
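One defensive reading of the Polar API problem described above (predictable user IDs plus no rate limit): a client walking through profile IDs leaves an obvious signature in the API access logs. The following is an added example, not code from the original post or from Polar; the log format, the path `/v1/users/<id>/activities` and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of API access log lines (not real Polar data).
# Assumed format: <timestamp> <client_ip> GET /v1/users/<id>/activities <status>
SAMPLE_LOG = """\
2018-07-08T10:00:00Z 203.0.113.5 GET /v1/users/100001/activities 200
2018-07-08T10:00:01Z 203.0.113.5 GET /v1/users/100002/activities 200
2018-07-08T10:00:01Z 203.0.113.5 GET /v1/users/100003/activities 200
2018-07-08T10:00:02Z 203.0.113.5 GET /v1/users/100004/activities 200
2018-07-08T10:00:02Z 203.0.113.5 GET /v1/users/100005/activities 200
2018-07-08T10:00:03Z 203.0.113.5 GET /v1/users/100006/activities 200
2018-07-08T10:05:00Z 198.51.100.9 GET /v1/users/100042/activities 200
2018-07-08T10:07:30Z 198.51.100.9 GET /v1/users/100042/activities 200
2018-07-08T10:09:00Z 198.51.100.9 GET /v1/users/100777/activities 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /v1/users/(\d+)/activities (\d{3})$")


def parse(log):
    """Yield (timestamp, client, user_id) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def find_enumerators(log, min_distinct=5, max_gap=1):
    """Return clients that walk user IDs sequentially (an enumeration signature).

    A client is flagged when it requested at least `min_distinct` different IDs
    and the sorted IDs form a run in which every step is at most `max_gap`.
    Result maps client -> (lowest_id, highest_id, distinct_ids_requested).
    """
    ids_by_client = defaultdict(list)
    for _, client, uid in parse(log):
        ids_by_client[client].append(uid)
    flagged = {}
    for client, ids in ids_by_client.items():
        uniq = sorted(set(ids))
        if len(uniq) < max(min_distinct, 2):
            continue  # a normal user looking at a few friends never trips this
        gaps = [b - a for a, b in zip(uniq, uniq[1:])]
        if max(gaps) <= max_gap:
            flagged[client] = (uniq[0], uniq[-1], len(uniq))
    return flagged
```

The check only covers the "predictable ID, no rate limit" half of the problem; serving private profiles to unauthenticated callers is an authorization defect that has to be fixed at the endpoint, not detected afterwards.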


Yes, exploitation of location data in combat: FancyBear Tracking Ukrainian artillery units

In short, Ukrainian artillery units used a malware-infused app to compute shooting solutions for their D-30 122mm towed howitzer. It has been found that these units suffered suspiciously high losses.

Quoting more from the Crowdstrike report (emphasis mine):

  • From late 2014 and through 2016, FANCY BEAR X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk.
  • The original application enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 Howitzer employed by Ukrainian artillery forces reducing targeting time from minutes to under 15 seconds. According to Sherstuk’s interviews with the press, over 9000 artillery personnel have been using the application in Ukrainian military.
  • Successful deployment of the FANCY BEAR malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them.
  • Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine’s arsenal.

I've stumbled across this article. It assumes that the Russian army in Ukraine uses equipment capable of detecting the location of cellphones — not even necessarily GPS-enabled smartphones, just anything that uses standard cell operators (quite often compromised).

The Future Of Information Warfare Is Here — And The Russians Are Already Doing It

(highlight mine)

So reports Army Col. Liam Collins in the August issue of ARMY magazine. Here’s how it works:

“The Russians are adept at identifying Ukrainian positions by their electrometric signatures,” writes Collins. One would expect that, but the thing that impressed me was what came next.

“In one tactic, [Ukrainian] soldiers receive texts telling them they are ‘surrounded and abandoned.’
Minutes later, their families receive a text stating, ‘Your son is killed in action,’ which often prompts a call or text to the soldiers.
Minutes later, soldiers receive another message telling them to ‘retreat and live,’
followed by an artillery strike to the location where a large group of cellphones was detected.”