Part of the #VulkanFiles is “Scan-V”, a framework to conduct cyberoperations with greater speed, scale and efficiency. Basically, its purpose is helping the GRU to achieve its mission. One of the intended end-users seems to be #Sandworm.
At its heart, Scan-V is designed to scour the web for vulnerabilities that are then stored in an “ultra-large” database. When a new operation starts, things like identifying targets and initial entry are supposed to be already at the hackers’ fingertips derstandard.de/story/20001449…
The docs also describe the ability to store e-mails (pst-files), pcaps (network traffic) and network-layouts. Stuff you can’t just scan for externally. Storing info on previously breached targets in case your next task is to hack them again
After having pored through the docs, @gabby_roncone said she was reminded of old military movies where commanders place “their artillery and troops on the map … to understand where the enemy tanks are and where they need to strike first to break through enemy lines.”
Described in one of the documents is a chain of command when using Scan. This, to me, is one of the most interesting pieces of info.
The head of operations decides who to target. This info gets passed on to "regional centers", who carry out the mission and report back the results.
For this to make sense, it helps to know that some years ago pre-existing units within the GRU were brought together under a new org-structure called VIO. Cyberoperations are one part, alongside info-ops, espionage and psychological effects.
(According to our sources.) There's been talk that specific hacking units are geographically distinct, and the way Scan is supposed to work reflects that: central tasking to regional units. Notably, units like #APT28 and #Sandworm are in Moscow and are operating on a higher level.
Scan “fits comfortably into the organizational structure and the strategic approach of the GRU”, according to an analyst at a European intel agency. “It makes sense to pay attention. Because you then understand way better what the GRU is trying to do”
According to one email, a team from Vulkan visited a military facility in Khimki, the same Moscow suburb where the #Sandworm is based. Sandworm also appears to be “approval party” on a technical document related to Scan, referred to by their unit number, 74455
While it is evident that a tool like Scan would be helpful for (not only) Sandworm, we do not know whether the project is actively used. We do have payments indicating the project was being developed at least until mid-2020. spiegel.de/international/…
/end
For more on the VIO I recommend reading this article by @gavinbwilde
In 2019, a mysterious account called @m4lwatch started dumping extremely relevant information on #Sandworm. Shortly thereafter, they mentioned a company: NTC Vulcan. Fast-forward three years and that company is in the spotlight #VulkanFiles spiegel.de/netzwelt/web/v…
Short thread
Almost every researcher tracking Russian APTs was following @m4lwatch. This screenshot tells you why: m4lwatch is talking about infrastructure related to #Sandworm almost six months before it showed up in an advisory sent out by the NSA (PDF).
(h/t to @jfslowik who alerted us to this piece of information and helped us understand big chunks of the files.) Anyway, m4lwatch started publishing information on "NTC Vulkan". He even posted diagrams on a supposed exploitation framework called "Znatok"
There's not much infosec professionals can quickly utilize. Think IP addresses, hashes, source code etc.
But during our research we were told about a file. It's an Excel file, and it is on VirusTotal. The filename is in Russian and translates to "Secret Party NTC Vulkan". We obtained the file; since it was an xls file, I used a thing called oletools blog.didierstevens.com/programs/oledu…
Shortly after Russia invaded Ukraine, @h_munzinger got in touch with a source. Over the span of several weeks, Hannes got hold of more than 5000 pages of documents. This secret trove forms the basis of the investigation we’re releasing today #VulkanFiles
This is a fascinating (and rare!) look into the ambitions of the Russian state. This rather small company of about 135 people was working for the #GRU, the #SVR and the #FSB.
I will highlight some of the takeaways in the coming hours and days but we have spent many months verifying the details contained within the documents, together with many partners, among others the @guardian
#Turla is one of the most skilled hacker groups operating.
@FlorianFlade, Lea Frey and I have spent close to a year chasing down leads. We were able to identify, we think, two developers, their employers, and from there, their ties to the FSB.
This marks the 1st time, to our knowledge, that an #osint-based investigation is able to tie Turla to the intelligence service FSB. The clues we were able to find date back ~two decades.
In essence, two companies come into focus: Atlas and Center-Inform. Both have a history rooted in Russian intelligence. Between 2004 and 2007, Atlas would officially be known as "Atlas of the FSB", as can be seen in press releases by the FSB itself.
For the last couple of years, a secretive startup in the heart of Berlin developed offensive cyber-capabilities, also referred to as "strategic cyberweapons". Together w/ @derspiegel we shed light on Go Root, a company only few have heard of.
Go Root only wanted to sell to democracies: Europe, Israel, USA. Its CEO was Sandro Gaycken. If you've been around in this space, you've heard his name. One of the few voices in 🇩🇪 publicly talking about the need for an offensive mindset (and tools).
Go Root was able to attract top-talent, with decade-long expertise in exploitation. Some had worked for Azimuth and Immunity in the past. Strong focus on Linux/Unix, servers and embedded systems, developing full-chains and providing training.
For years there has been an ongoing discussion as to who alerted the Germans to the Bundestag hack. It was BAE Systems. Quite often people would follow up with how "embarrassing" it would be for German agencies not to have caught the hackers themselves but to have had to be alerted to it.
Adrian Nish (and BAE) had been monitoring APT28 and came across a server in "another European country" that was very likely operated by the hackers. BAE has a "close relationship with the relevant security agency" there, so they alerted them to the server and got a forensic copy.