hakan (@hatr)
Feb 17, 2022, 7 tweets
New:

#Turla is one of the most skilled hacker groups operating.

@FlorianFlade, Lea Frey and I've spent close to a year chasing down leads. We were able to identify, we think, two developers, their employers, and from there, their ties to the FSB.

interaktiv.br.de/elite-hacker-f…
This marks the first time, to our knowledge, that an #osint-based investigation has been able to tie Turla to the intelligence service FSB. The clues we were able to find date back about two decades.

tagesschau.de/investigativ/b…
In essence, two companies come into focus: Atlas and Center-Inform. Both have a history rooted in Russian intelligence. Between 2004 and 2007, Atlas would officially be known as "Atlas of the FSB", as can be seen in press releases by the FSB itself.
We have no indication that the suspected developers are still working with Turla. Which is one of many reasons why we chose not to name them. We stick to their developer handles left in the malware. The illustrations are based on real images, but have been altered.
We have also seen non-public intel reports produced by Crowdstrike and BAE Systems. They've been tracking Turla for years, obviously. The many findings described in their reports serve as additional, and crucial, corroboration.
We've decided to tell this story visually. You can follow along, from one clue to the next. Immensely grateful to be working with a team this talented and this thorough (@stekhn, @BayerlSebastian, @nierlev, @robschoeffel, @FlorianFlade, Max Brandl, Lea Frey, Monika Wagener.)
Some people expressed interest in the cards, so here you go

More from @hatr

Feb 19
New:

During our latest investigation, we were able to get access to a GitHub repository used by 🇰🇵 hackers (#Kimsuky) for storing "victim" data. What Kimsuky apparently did not know (or didn't care about) was this: if you have the repo, you have access to everything done within it.
Some context:

🇰🇵 hackers have been mostly cut off from the flow of information due to, among other things, the closing down of a lot of embassies etc. Hackers have to step up and get access to strategic intel.

w/ @MarcelRosenbach @h_munzinger and Jaya Mirani
spiegel.de/politik/deutsc…
@MarcelRosenbach @h_munzinger "If you're a PhD doing North Korea studies, you should fully expect to be on a target list for them", says Mandiant's @JumpforJoyce. We were able to speak to half a dozen people who were targeted.

derstandard.at/story/30000002…
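The point in the thread above, that a repository hands over everything ever committed to it and not just the files currently checked out, is easy to demonstrate. The following is an added example written for this page, not code from the investigation or from the repository it describes. It builds a constructed throwaway git repo in which a "victim" file is committed and then deleted, then uses plain git plumbing (`git log --all --diff-filter=D` and `git show <commit>~1:<path>`) to find and recover the deleted file from history. It assumes a `git` binary is on PATH; the file name and its contents are invented sample data.

```python
import os
import re
import subprocess
import tempfile

HEX40 = re.compile(r"^[0-9a-f]{40}$")


def _git(repo, *args):
    """Run a git command inside `repo` and return its stdout."""
    return subprocess.run(
        ["git", *args], cwd=repo, check=True, capture_output=True, text=True
    ).stdout


def build_demo_repo():
    """Constructed sample: an operator commits a victim list, then 'cleans up' by deleting it.

    The deletion only removes the file from the working tree and the latest tree object;
    the blob and the commit that introduced it remain reachable through history.
    """
    repo = tempfile.mkdtemp(prefix="repo-history-demo-")
    _git(repo, "init", "-q")
    # local identity so commits work in a sandbox without a global git config
    _git(repo, "config", "user.email", "demo@example.invalid")
    _git(repo, "config", "user.name", "demo")
    _git(repo, "config", "commit.gpgsign", "false")

    path = os.path.join(repo, "victim.txt")
    with open(path, "w") as f:
        f.write("target: researcher@example.invalid\n")  # invented sample content
    _git(repo, "add", "victim.txt")
    _git(repo, "commit", "-q", "-m", "add list")

    _git(repo, "rm", "-q", "victim.txt")  # removes from index and working tree
    _git(repo, "commit", "-q", "-m", "cleanup")
    return repo


def deleted_files(repo):
    """Map each path deleted anywhere in history (any ref) to the commit that deleted it.

    `--diff-filter=D` restricts the listing to deletions; `--all` walks every branch
    and tag, so a file removed on a side branch is found too.
    """
    out = _git(repo, "log", "--all", "--diff-filter=D", "--name-only",
               "--pretty=format:%H")
    found = {}
    commit = None
    for line in out.splitlines():
        line = line.strip()
        if not line:
            continue
        if HEX40.match(line):
            commit = line
        elif commit is not None:
            found.setdefault(line, commit)  # keep the most recent deletion
    return found


def recover(repo, deleting_commit, path):
    """Return the file as it existed in the parent of the commit that deleted it."""
    return _git(repo, "show", f"{deleting_commit}~1:{path}")


if __name__ == "__main__":
    repo = build_demo_repo()
    assert not os.path.exists(os.path.join(repo, "victim.txt"))  # gone from checkout
    for path, commit in deleted_files(repo).items():
        print(f"{path} deleted in {commit[:12]}; recovered content:")
        print(recover(repo, commit, path), end="")
```

The same two commands work against any clone, including one obtained from a hosting platform: a checkout that looks empty or sanitised still carries every blob that was ever committed unless history was rewritten and garbage-collected on the server side as well.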
Apr 1, 2023
In 2019, a mysterious account called @m4lwatch started dumping extremely relevant information on #Sandworm. Shortly thereafter, they mentioned a company: NTC Vulcan. Fast-forward three years and that company is in the spotlights #VulkanFiles
spiegel.de/netzwelt/web/v…

Short thread
Almost every researcher tracking Russian APTs was following @m4lwatch. This screenshot tells you why: m4lwatch is talking about infrastructure related to #Sandworm almost six months before it showed up in an advisory sent out by the NSA (PDF).

media.defense.gov/2020/May/28/20…
(h/t to @jfslowik who alerted us to this piece of information and helped us understand big chunks of the files.) Anyway, m4lwatch started publishing information on "NTC Vulkan". He even posted diagrams on a supposed exploitation framework called "Znatok"
Mar 31, 2023
Now to the most hilarious bit of the #VulkanFiles: The curious case of "Secret Party NTC Vulkan" and APT #MagmaBear
The documents contained in the leak are not only intricate; with a few exceptions like hardware specs and disinfo-related pieces (see this thread: ) there's not much infosec professionals can quickly utilize. Think IP addresses, hashes, source code etc.
But during our research we were told about a file. It's an excel file, and it is on Virustotal. The filename is in Russian and translates to "Secret Party NTC Vulkan". We obtained the file, since it was an xls-file I used a thing called oletools blog.didierstevens.com/programs/oledu…
Mar 31, 2023
Part of the #VulkanFiles is “Scan-V”, a framework to conduct cyberoperations with greater speed, scale and efficiency. Basically, its purpose is helping the GRU to achieve its mission. One of the intended end-users seems to be #Sandworm.

sueddeutsche.de/projekte/artik…
At its heart, Scan-V is designed to scour the web for vulnerabilities that are then stored in an “ultra-large” database. When a new operation starts, things like identifying targets and initial entry are supposed to be already at the hackers’ fingertips.
derstandard.de/story/20001449…
The docs also describe the ability to store e-mails (pst files), pcaps (network traffic) and network layouts. Stuff you can’t just scan for externally. Storing info on previously breached targets in case your next task is to hack them again.

blog.sekoia.io/sekoia-io-anal…
Mar 30, 2023
Shortly after Russia invaded Ukraine, @h_munzinger got in touch with a source. Over the span of several weeks, Hannes got hold of more than 5000 pages of documents. This secret trove forms the basis of the investigation we’re releasing today #VulkanFiles

spiegel.de/politik/deutsc…
This is a fascinating (and rare!) look into the ambitions of the Russian state. This rather small company of about 135 people was working for the #GRU, the #SVR and the #FSB.

washingtonpost.com/national-secur…
I will highlight some of the takeaways in the coming hours and days but we have spent many months verifying the details contained within the documents, together with many partners, among others the @guardian

theguardian.com/technology/202…
Jul 2, 2021
New:

For the last couple of years, a secretive startup in the heart of Berlin developed offensive cyber-capabilities, also referred to as "strategic cyberweapons". Together w/ @derspiegel we shed light on Go Root, a company only few have heard of.

br.de/nachrichten/ne…
Go Root only wanted to sell to democracies: Europe, Israel, USA. Its CEO was Sandro Gaycken. If you've been around in this space, you've heard his name. One of the few voices in 🇩🇪 publicly talking about the need for an offensive mindset (and tools).

spiegel.de/netzwelt/netzp…
Go Root was able to attract top talent, with decade-long expertise in exploitation. Some had worked for Azimuth and Immunity in the past. Strong focus on Linux/Unix, servers and embedded systems, developing full chains and providing training.