The cybersecurity firm tasked with investigating the hack of the Democratic National Committee has published a new report claiming that the group that hit the DNC also targeted Ukrainian military units. This connection increases the likelihood that the hackers — dubbed Fancy Bear by cybersecurity firm CrowdStrike — are a unit working for Russia’s military intelligence agency, the GRU.

The possible link between the GRU and Fancy Bear was made by tracking a piece of malware implanted in a Ukrainian military Android app. The app allows Soviet-era artillery units to process targeting data more quickly, while the implanted malware was found to siphon off communication and location data. CrowdStrike suggests the malware “may have facilitated reconnaissance against Ukrainian troops” over the last two years, and notes that more D-30 Howitzers have been lost in conflicts in the east of the country than any other artillery pieces.

The malware itself is known as X-Agent, and was also used in the DNC hack, says CrowdStrike. The firm says that the fact that no other hacking group has been seen using X-Agent, means it’s increasingly likely the Fancy Bear hackers are part of the Russian military.

President-elect Donald Trump has continued to dismiss connections between Russia and the DNC hack as “ridiculous,” even after US intelligence agencies including the CIA and FBI have stated that the Kremlin were involved. President Barack Obama has ordered an investigation into the hacks which will be finished before Trump takes office. In a press conference last week, Obama said: “My hope is that the president-elect is going to similarly be concerned with making sure that we don’t have potential foreign influence in our election process.”

The US reports do not suggest that Russian hackers attempted to tamper with the vote itself, but that they stole and helped to publish internal emails from the DNC with the aim of helping to elect Trump.