m4lwatch
Dec 30, 2019, 24 tweets, 24 min read
Znatok is fully featured, has interface for “Commander” to assign tasking to a team. Looks military. If #Sandworm is #GRU cyber then it could fit
See BASHNYA as project name or user. Still working on functionality of framework. More soon #ThreatIntel #Sandworm
Bashnya is Башня. This translates from Russian as “Tower”. GTsST GRU Unit 74455 linked to Sandworm has HQ at the “Tower”, 22 Kirova Street in Khimki, Moscow. Think Bashnya/Tower is code for end user of Znatok #ThreatIntel #Sandworm #GRU
Also see sign to Vulkan. Not sure what “Vulkan” means. Did some looking online and found Russian infosec company called “NTC Vulkan” #Threatintel #Sandworm
Has real website. Very active on Facebook. Looks like commercial company, not state? #ThreatIntel #Sandworm #NTCvulkan ntc-vulkan.ru facebook.com/ntc.vulkan
But has FSB licenses. These include “for the licensing, certification and protection of state secrets of FSB”, a license from Russian MOD and for weapons and military equipment #ThreatIntel #Sandworm #NTCvulkan
Vulkan profile on list-org.ru has Russian state contracts, each with its own contract ID #ThreatIntel #Sandworm #NTCvulkan
Zakupki.gov.ru is database of Russian contracts. No hit when searching keyword Vulkan. But searched on contract ID from list-org.ru and got more detail #ThreatIntel #Sandworm #NTCvulkan
Vulkan has state contracts on Zakupki for MOD and military. Do not see contracts for unit 74455 #ThreatIntel #Sandworm #NTCvulkan
So looks like commercial company NTCvulkan develops tool Znatok for unit 74455 and looks like hiding contact. Going to keep looking for more #ThreatIntel #Sandworm #NTCvulkan #GTsST
Company profile of NTC Vulkan shows it has 50% shareholders Anton Vladimirovich Markov and Aleksandr Aleksandrovich Irzhavskij #ThreatIntel #Sandworm #NTCVulkan
Looking into Markov and Irzhavskij, I find Irzhavskij linked to “Svobodnyy Prospekt Dom 4” in 2004 #ThreatIntel #Sandworm #NTCVulkan
Looked into Svobodnyy Prospekt on list-org.com. It is address of FGUP “18 TsNII” of Russian MOD. TsNII has unit number 11135 and email 18CNII_GOZ@MIL.RU #ThreatIntel #Sandworm #NTCVulkan
Company profile on casebook.ru lists 18TsNII as doing science research and development in region of natural and technical sciences. Other company list websites list work on other things like “manufacturing starch products”, “tram sleepers” and “bookbinding”
But 18TsNII looks suspicious on other sites, like this unofficial website where it is listed as part of GRU structure: gostevushka.ru/gb/gosudarstvo… #ThreatIntel #Sandworm
I think if shareholder Aleksandr Aleksandrovich Irzhavskij has link to closed military institute, maybe he helped make Vulkan contract for GRU tool Znatok #ThreatIntel #Sandworm #NTCVulkan #GRU
I find court case between 18 TsNII and GRU in 2013. 18 TsNII is called “closed” military institute in Russian news: iz.ru/news/546680 #ThreatIntel #Sandworm #GRU
Also I find 2017 court case between Vulkan and 18 TsNII. Vulkan, 18 TsNII and GRU all 3 connected for unknown projects #ThreatIntel #Sandworm #GRU #NTCVulkan #18TsNII
Looks like 18 TsNII, Vulkan and GRU have contracts together. But only see them when they have court cases with each other. Suggests more going on with each other. Rest must be secret. Maybe Znatok secret? Want to find out more. #ThreatIntel #Sandworm #GRU #NTCVulkan #18TsNII
Vulkan tries hard to hide link to Russian military and GRU. Not much there. In December 2019 they took part in military cyber competition “Cyber Patriot” by Russian “Department of information systems” and General Staff 8th Directorate #ThreatIntel #Sandworm #NTCVulkan #GRU
Only sign of Vulkan in that competition is logo on presentation. Not advertised on website or social media. I found it after looking at Echelon. Echelon is Russian company, partner of Vulkan #ThreatIntel #NTCVulkan #NPOEchelon #Sandworm
Echelon is proud of Cyber Patriot competition. Not like Vulkan. I find press release #ThreatIntel #NTCVulkan #NPOEchelon #Sandworm press-release.ru/branches/exhib…
Echelon is technology testing lab and looks suspicious. I find 2018 news about link to Russian military and FSB and its access to source code of western tech. Western companies like @symantec already worried #ThreatIntel #NTCVulkan #NPOEchelon #Sandworm #GRU venturebeat.com/2018/01/25/sap…
So @ntc_vulkan partners with Echelon, which has close link to Russian military and FSB. But also works with @symantec @IBM @McAfee @HP @Cisco. Vulkan builds exploit tools for Russian GRU and works with global tech companies. Looks strange! #ThreatIntel #NTCVulkan #Sandworm #GRU