Official US Army App Has Russian ‘Pushwoosh Code’, Were We Hacked?
According to company documents obtained by Reuters, Pushwoosh is headquartered in Novosibirsk, Russia, and pays taxes there.
Pushwoosh has developed software for a number of clients worldwide.
The company developed an app for the US Army National Training Center in Fort Irwin, California. Fort Irwin is a critical training ground for units preparing for overseas deployments, according to C4ISRNET.
Pushwoosh developed code used in the CDC’s main app and in other CDC apps that track health data, for example. Its code has also been used by Unilever Plc, the Union of European Football Associations (UEFA), the National Rifle Association (NRA), and the United Kingdom’s Labour Party, among other Pushwoosh software users.
The location and office address of Pushwoosh is listed as Washington, DC on Twitter. The exact address is listed on the company’s Facebook and LinkedIn profiles.
An anonymous friend of Pushwoosh founder Max Konev is said to own the Kensington house. According to Reuters, the friend told the news service that he had nothing to do with the company and let Konev receive mail at his address.
In addition to creating LinkedIn accounts for two people pretending to live in DC, Pushwoosh also allegedly created accounts for two people who did not actually live there, according to the investigation. However, Konev told Reuters the accounts were not genuine. Konev says Pushwoosh hired a marketing agency in 2018 to create the fake accounts to promote Pushwoosh, but not to hide the company’s Russian connections.
Furthermore, Pushwoosh Inc. claims that it was never owned by any company registered in the Russian Federation.
“Pushwoosh Inc. used to outsource development parts of the product to the Russian company in Novosibirsk, mentioned in the article. But in February 2022, Pushwoosh Inc. terminated the contract,” the company announced.
Pushwoosh apparently operates in several locations, including Nuremberg, Germany, and Washington, DC, according to its statement.
Potential data breach in the military
According to Pushwoosh, their data policy is in line with the EU’s General Data Protection Regulation (GDPR) and governed by the European Commission’s Standard Contractual Clauses.
The company also claims that none of its customers’ data has ever been transferred outside of Germany and the United States, including to the Russian Federation, and that it has never been contacted by any government about customer data.
It’s true that Reuters has discovered no evidence that Pushwoosh mishandled consumer data. In addition, Jerome Dangu, who co-founded cybersecurity firm Confiant, commented that there are no obvious signs of deceptive or malicious activity in Pushwoosh’s actions.
“We have found no clear signs of deceptive or malicious intent in Pushwoosh’s activity, which certainly does not reduce the risk of app data leaking to Russia,” he said.
Reuters and Dangu found no signs that Pushwoosh engaged in fraudulent data handling, although Russian authorities have forced domestic companies to hand over user data to domestic security agencies.
Dangu said that Pushwoosh collects data from users, including precise geolocation, on sensitive and government apps. Although he sees no signs of deceptive or malicious handling of app data, he believes there is still a risk of data leakage to Russia.
The Army told Reuters it removed the NTC app with Pushwoosh software in March due to “security concerns”. However, the Army did not say how much the app was used.
Around 2019, C4ISRNET reported that nearly 1,000 employees had downloaded the app and that it had become obsolete.
According to Reuters, Army spokesman Bryce Dubee said the Army suffered no “operational data loss” with the app. Further, Dubee noted that the app did not connect to the Army’s network.
CDC spokeswoman Kristen Nordlund told Reuters the agency had removed Pushwoosh software from its apps.
But with tough sanctions on Russia, “it shouldn’t be a surprise that with or without direct links to Russian state espionage campaigns, firms that handle data will be keen to play down their Russian roots,” said Keir Giles, a Russia expert at the London think tank Chatham House.