Ukrainian Intelligence Services used smartwatch data to assassinate a Russian naval commander during his morning jog. The US Army released a Counterintelligence warning to the US Military.
Last week, the US Army issued a warning to Department of Defense (DOD) personnel on the counterintelligence (CI) risks of smartwatches with a social media campaign entitled, “What’s wrong with this picture?” with a photo of a soldier typing on a computer wearing an Apple Watch.
It reads: “Smartwatches can transmit sensitive information. Don’t be an insider threat - Think before you use a smartwatch in the field or on deployment.”
If you are a regular reader of W.O.E., this should come as no surprise. We have written about “CIA Officers and Apple Watches,” including the 2017 Strava fitness app heatmaps and threats from “Ubiquitous Technical Surveillance” or UTS—the collection and long-term storage of data to analyze and connect individuals with other people, activities, and organizations. The campaign appears to highlight hostile services leveraging smartwatches to access computer networks as well as the sensitivities of wearing them “in the field.”
A former Russian submarine commander, Stanislav Rzhitsky, was killed after assailants learned his movements from the Strava fitness app.
Smartwatch Assassination
As a real-world example of a hostile service leveraging smartwatch data to enable a kinetic operation, in June 2023, Russian submarine commander Stanislav Rzhitsky was shot to death while on an early morning jog in the southern Russian city of Krasnodar. According to Russian state-owned media, the assailant reportedly used Strava fitness tracker data to carry out the attack.
Surprisingly, Rzhitsky maintained a public profile with the fitness tracker Strava tied to his real name, using data from his GPS-enabled Garmin Fenix 6X smartwatch to catalog running and cycling routes which regularly passed through a park where an unknown assailant ultimately shot him. The profile even contained publicly accessible pictures of Rzhitsky before and after workouts and even his shoe type, providing a valuable resource to the assassin for positive identification.
While Ukrainian services denied involvement in the hit, Ukrainian Defense Intelligence did make a suspiciously detailed statement over Telegram shortly after the assassination:
“The submariner was jogging in the ’30th Anniversary of Victory’ park in Krasnodar. Around 6 a.m., he was shot seven times with a Makarov pistol. As a result of the gunshot wounds, Rzhitsky died on the spot. Due to heavy rain, the park was deserted, so there were no witnesses who could provide details or identify the attacker.”
According to press reporting, Rzhitsky was followed on his morning run by an individual on a bike into the 30th Anniversary of Victory Park. He was killed in a secluded area of the park in the early morning hours. Rzhitsky’s Garmin Fenix smartwatch was recovered at the scene.
The submarine Krasnodar—commanded by Rzhitsky—was allegedly responsible for a 2022 missile strike killing Ukrainian civilians. (Photo Credit: USNI)
If the attack was orchestrated by Ukrainian intelligence, the motive likely stems from a missile attack on the city of Vinnytsia in July 2022, which killed 28 people, including three children. Ukrainian media indicated the missiles were fired by a submarine called the Krasnodar which Rzhitsky commanded at the time. Of course, we have to be skeptical of all narratives from the Russian and Ukrainian press given the covert influence in this conflict.
US Military & Smartwatches
In recent years, there has been an explosion of US uniformed personnel wearing Apple Watches and other “wearables,” with many servicemen purchasing them on the open market and wearing them while in uniform. The health and physical fitness benefits are legitimate and can result in a more effective warfighter. The DOD has even gone as far as to issue Garmin Fenix 6S and other smartwatches in an “effort to help future leaders be better, faster.” (Ironically, this is the same watch worn by the Russian commander.)
But the risks are real. According to an Army Criminal Investigation Division (CID) bulletin from June 2023, service members across the military received unsolicited smartwatches in the mail, devices that auto-connected to Wi-Fi and other nearby devices. According to the report, the devices included malware that “accesses both voice and cameras, enabling actors to access conversations and accounts tied to smartwatches.” A report from Kaspersky, a cybersecurity company, suggests that the accelerometer data that tracks the movement of your wrist can be analyzed to determine passwords and credit card numbers.
June 2023 Army CID Bulletin
New Apple Watch Series 10
The timing of the more recent statement is fortuitous. Apple just unveiled the Apple Watch Series 10 the same week, on the 10th anniversary of the original Apple Watch. While we won't rehash the updates, suffice it to say the device still has a microphone, cellular and Bluetooth capabilities, and updated software to collect biometrics and track your every move. Intelligence services around the globe were likely analyzing this release closely, in an effort to identify vulnerabilities for exploitation.
According to publicly available data, an estimated 1.3 million Americans maintain a Top Secret security clearance and a total of 4.2 million people have access to classified information. Industry estimates suggest 10 to 20% of all Americans use a smartwatch or fitness tracker, which—if this percentage holds for members of the intelligence community and military—creates significant attack vectors to be exploited for pattern-of-life tracking and to attempt to access classified and Sensitive But Unclassified (SBU) networks.
A Delta Force operator wearing an Apple Watch in Afghanistan in 2019.
But I Am Not A Spy, Why Should I Care?
Of course, most people will say, “I am not a super spy, why do I care if someone tracks me?” The 2023 Army CID report indicated the malware could access credit card information and potentially report that back to a home base to be exploited.
Further, it doesn't matter if you are a Russian submarine commander or just a regular person. In 2022, Moriah Wilson, a 25-year-old elite cyclist, was tracked using Strava data and murdered in Texas by another woman who was involved with the same man as Wilson. After Wilson’s death, Strava reportedly added functionality obscuring start and end locations for fitness activities and further privacy-enhancing features, but the app still risks sharing significant information about a person’s location and routes that could be exploited by bad actors.
What Can I Do About It?
The simplest solution is to go analog. Don’t be a fool, use a real tool. Even the best state hackers (APTs) can’t hack a Seiko. Save the smartwatches for fitness-only activity and ensure your settings on the data are as restricted and “private” as possible.
That said, we understand some W.O.E. professions require a GPS-enabled timepiece to effectively carry out specific tasks. In this case, we encourage you to explore some of the privacy-conscious models like Garmin that contain a “Stealth Mode” that (supposedly) disables tracking technology and a “kill switch” to delete all of your data. However, these functions are only as good as the provider, and Garmin has been the subject of several targeted attacks, including a 2020 ransomware hack where the company reportedly paid Russian cyber criminals $10 million to regain access to systems.
If you work for an elite unit, make sure you pass this watch to your tech specialists to see if it really does what it claims to do. Given my background, I am always skeptical of technical solutions for technical problems… sometimes it's best to do things the old-fashioned way.
12 comments
I was recently very surprised to see a photo in the field of the Israeli army chief of staff, Herzi Halevi, wearing something that looked like a Garmin.
I wonder; could there be “tweaked” versions of such watches, issued to commanders by the army?
Are there any safer alternatives for smart phones? It’s easy to go analog with watches, not so much phones these days.
The same subject is Google Maps real-time traffic information. That was used by both sides in the ongoing Ukraine war. The other side could see where the troops gathered… and the “Pager” event is even more concerning for all (radios seem to explode now too)…
With those pagers exploding in Lebanon, imagine what’s been distributed in Iran…
I only own one smart watch; a Garmin Instinct solar, which I rarely wear. I’m pretty sure my ProTreks and other ABC (G-Shock Rangeman GW-9400) watches are safe. Let me know if I’m wrong.