hakan · Mar 30 · 8 tweets
Shortly after Russia invaded Ukraine, @h_munzinger got in touch with a source. Over the span of several weeks, Hannes got hold of more than 5000 pages of documents. This secret trove forms the basis of the investigation we’re releasing today #VulkanFiles

spiegel.de/politik/deutsc…
This is a fascinating (and rare!) look into the ambitions of the Russian state. This rather small company of about 135 people was working for the #GRU, the #SVR and the #FSB.

washingtonpost.com/national-secur…
I will highlight some of the takeaways in the coming hours and days, but we have spent many months verifying the details contained within the documents, together with many partners, among others the @guardian.

theguardian.com/technology/202…
Five intelligence agencies said they believe the documents to be authentic, as did cybersecurity companies and experts we reached out to (special thanks to @gabby_roncone, who has been incredibly helpful).

You can find @Mandiant's writeup here
mandiant.com/resources/blog…
Among the many fascinating details:

Google's "Threat Analysis Group" has seen NTC Vulkan being used by none other than #APT29/#MiniDuke back in 2012 (!).

Somebody set up a mail address from a C2 (tied to Miniduke) and then sent a test mail to a Vulkan-owned domain.
In case you'd rather watch, here's a 30-min documentary with English subtitles.
If you're interested in the disinfo part of these systems, make sure to check out this thread by the inimitable @christo_buschek

More from @hatr

Feb 17, 2022
New:

#Turla is one of the most skilled hacker groups operating.

@FlorianFlade, Lea Frey and I've spent close to a year chasing down leads. We were able to identify, we think, two developers, their employers, and from there, their ties to the FSB.

interaktiv.br.de/elite-hacker-f…
This marks the first time, to our knowledge, that an #osint-based investigation is able to tie Turla to the intelligence service FSB. The clues we were able to find date back up to ~two decades.

tagesschau.de/investigativ/b…
In essence, two companies come into focus: Atlas and Center-Inform. Both have a history rooted in Russian intelligence. Between 2004 and 2007, Atlas would officially be known as "Atlas of the FSB", as can be seen in press releases by the FSB itself.
Jul 2, 2021
New:

For the last couple of years, a secretive startup in the heart of Berlin developed offensive cyber-capabilities, also referred to as "strategic cyberweapons". Together w/ @derspiegel we shed light on Go Root, a company only few have heard of.

br.de/nachrichten/ne…
Go Root only wanted to sell to democracies: Europe, Israel, USA. Its CEO was Sandro Gaycken. If you've been around in this space, you've heard his name. One of the few voices in 🇩🇪 publicly talking about the need for an offensive mindset (and tools).

spiegel.de/netzwelt/netzp…
Go Root was able to attract top talent, with decade-long expertise in exploitation. Some had worked for Azimuth and Immunity in the past. Strong focus on Linux/Unix, servers and embedded systems, developing full chains and providing training.
Apr 24, 2021
Short thread on episode 1 of our podcast

a.) who alerted the Germans to the Bundestag and
b.) being (not so) careful during backups

br.de/mediathek/podc…
For years there has been an ongoing discussion as to who alerted the Germans to the Bundestag hack. It was BAE Systems. Quite often people would follow up with how "embarrassing" it would be for German agencies not to have caught the hackers themselves but to have had to be alerted to it.
Adrian Nish (and BAE) had been monitoring APT28 and came across a server in "another European country" that was very likely operated by the hackers. BAE has a "close relationship with the relevant security agency" there, so they alerted them to the server and got a forensic copy.
Apr 23, 2021
Short thread on
a.) digital forensics &
b.) how people analyzing the Bundestag-hack came to see that the hackers were already in another network at the same time.

As part of the podcast "Der Mann in Merkels Rechner" ardaudiothek.de/der-mann-in-me… (for those folks who don't speak 🇩🇪)
@nunohaien is one of the most respected people I've come across covering this beat. I've written about his work before (sueddeutsche.de/digital/it-sic…). I'd also recommend this article (by @vermontgmg) on the "GameOver Zeus" takedown: wired.com/2017/03/russia…
Werner told us that there has been a shift within the industry, going back to 2011-ish. Where people were just looking at malware before, they now paid attention to who it was that wrote all these trojans, droppers etc.
Apr 22, 2021
Hi!

For the past six months, @FlorianFlade and I've been working on a podcast. Today is release day of "Der Mann in Merkels Rechner". At its core, we wanted to answer one question: How exactly can you find out who is behind a hacking operation?

br.de/mediathek/podc…

(1/6)
We chose to focus on the intrusion of the 🇩🇪 parliament in 2015. Hacked by #FancyBear/#APT28. Since there's an arrest warrant, you can tell the story front to back. The podcast has five episodes and is in German. I'm going to summarize key bits here, one thread per episode.
(2/6)
We spoke with dozens of people, if possible on record, e.g.:
Adrian Nish (BAE Systems), he alerted the Germans
@nunohaien of Crowdstrike
Adam Hickey, Deputy Assistant Attorney General at DoJ
Dutch intel agency MIVD
Michael Hange, former head of @BSI_Bund
@ciaranmartinoxf
Nov 11, 2020
For the U.S. crowd:

I obtained a chat between ransomware group Revil and a German copper manufacturer. Revil demanded 7.5 million but settled for 1.27 USD.

(I got access to 240 Revil samples. Only a minority still had live chats in place.)

tagesschau.de/wirtschaft/ran…
Reuters had a story about these negotiations here: reuters.com/article/uk-cyb… (by @jc_stubbs), @ValeryMarchive detailed them here lemagit.fr/actualites/252…
I reached out to the hackers in two separate chats, but they fairly quickly deleted my messages. Sort of rude.