Shortly after Russia invaded Ukraine, @h_munzinger got in touch with a source. Over the span of several weeks, Hannes got hold of more than 5000 pages of documents. This secret trove forms the basis of the investigation we’re releasing today #VulkanFiles
This is a fascinating (and rare!) look into the ambitions of the Russian state. This rather small company of about 135 people was working for the #GRU, the #SVR and the #FSB.
I will highlight some of the takeaways in the coming hours and days but we have spent many months verifying the details contained within the documents, together with many partners, among others the @guardian
Five intelligence agencies said they believe the documents to be authentic, as did cybersecurity companies and experts we reached out to (special thanks to @gabby_roncone, who has been incredibly helpful).
#Turla is one of the most skilled hacker groups operating.
@FlorianFlade, Lea Frey and I have spent close to a year chasing down leads. We were able to identify, we think, two developers, their employers, and from there, their ties to the FSB.
This marks the 1st time, to our knowledge, that an #osint-based investigation is able to tie Turla to the intelligence service FSB. The clues we were able to find date back up to ~two decades.
In essence, two companies come into focus: Atlas and Center-Inform. Both have a history rooted in Russian intelligence. Between 2004 and 2007, Atlas would officially be known as "Atlas of the FSB", as can be seen in press releases by the FSB itself.
For the last couple of years, a secretive startup in the heart of Berlin developed offensive cyber-capabilities, also referred to as "strategic cyberweapons". Together w/ @derspiegel we shed light on Go Root, a company only few have heard of.
Go Root only wanted to sell to democracies: Europe, Israel, USA. Its CEO was Sandro Gaycken. If you've been around in this space, you've heard his name. One of the few voices in 🇩🇪 publicly talking about the need for an offensive mindset (and tools).
Go Root was able to attract top talent, with decade-long expertise in exploitation. Some had worked for Azimuth and Immunity in the past. Strong focus on Linux/Unix, servers and embedded systems, developing full-chains and providing training.
For years there has been an ongoing discussion as to who alerted the Germans to the Bundestag-hack. It was BAE Systems. Quite often people would follow up with how "embarrassing" it would be for German agencies to not have caught the hackers but to have had to be alerted to it.
Adrian Nish (and BAE) had been monitoring APT28 and came across a server in "another European country" that was very likely operated by the hackers. BAE has a "close relationship with the relevant security agency" there, so they alerted them to the server and got a forensic copy.
Short thread on
a.) digital forensics &
b.) how people analyzing the Bundestag-hack came to see that the hackers were already in another network at the same time.
Werner told us that there has been a shift within the industry, going back to 2011-ish. Where people were just looking at malware before, they now paid attention to who it was that wrote all these trojans, droppers etc.
For the past six months, @FlorianFlade and I have been working on a podcast. Today is release day of "Der Mann in Merkels Rechner". At its core, we wanted to answer one question: How exactly can you find out who is behind a hacking operation?
We chose to focus on the intrusion of the 🇩🇪 parliament in 2015. Hacked by #FancyBear/#APT28. Since there's an arrest warrant, you can tell the story front to back. The podcast has five episodes and is in German. I'm going to summarize key bits here, one thread per episode
(2/6)
We spoke with dozens of people, if possible, on-record, e.g.:
Adrian Nish (BAE Systems), he alerted the Germans
@nunohaien of Crowdstrike
Adam Hickey, Deputy Assistant Attorney General at DoJ
Dutch intel agency MIVD
Michael Hange, former head of @BSI_Bund
@ciaranmartinoxf