Share this page!

hakan Profile picture
@hatr
Mar 31 10 tweets 3 min read Twitter logo Read on Twitter
Now to the most hilarious bit of the #VulkanFiles: The curious case of "Secret Party NTC Vulkan" and APT #MagmaBear
The documents contained in the leak are not only intricate, with a few exceptions like hardware specs and disinfo-related pieces (see this thread: ) there's not much infosec-professionals can quickly utilize. Think IP-addresses, hashes, source code etc.
But during our research we were told about a file. It's an excel file, and it is on Virustotal. The filename is in Russian and translates to "Secret Party NTC Vulkan". We obtained the file, since it was an xls-file I used a thing called oletools blog.didierstevens.com/programs/oledu…
With this tool, you can see what is happening inside of macros. Anyway, this file apparently reached out to a domain to grab a DLL-file from there. This is where the bear showed up, the one you see at the top of this thread.
Virustotal has a "Community"-tab. In it, sometimes researchers, sometimes automated entries describe the files and if they're malicious. This one had the reference "APT Magma Bear". (Magma, as in what's inside a Volcano).
I immediately thought: Oh, this could've been a name Crowdstrike gave this company. (Crowdstrike calls these state-sponsored groups "bears": Fancy Bear, Cozy Bear, Voodoo Bear. So why not Magma Bear?)
Turns out though: When I looked at the file, I should have increased the size of my screen. Because apparently the person who developed this tool was the one who gave the name. As seen in this picture.
The file itself isn't really malicious. It's s a simple prank. Somebody sent this invitation, around New Years and who ever opened it was greeted with this APT Bear (and also the Soviet March from Red Alert 3 was playing).
We reached out to the developer (some info wasn't deleted so we were able to corroborate he worked for the company at that time) and asked them why they did it. Here's their response.
They also confirmed the Red Alert 3 information (the DLL had it stored as a MIDI). If you want to listen to it, here you go.

Again: Nothing malicious, but hilarious.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with hakan

hakan Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @hatr

hakan Profile picture
Apr 1
In 2019, a mysterious account called @m4lwatch started dumping extremely relevant information on #Sandworm. Shortly thereafter, they mentioned a company: NTC Vulcan. Fast-forward three years and that company is in the spotlights #VulkanFiles
spiegel.de/netzwelt/web/v…

Short thread
Almost every researcher tracking Russian APTs was following @m4lwatch. This screenshot tells you why: m4lwatch is talking about infrastructure related to #Sandworm almost six months before it showed up in an advisory sent out by the NSA (PDF).

media.defense.gov/2020/May/28/20… Image
(h/t to @jfslowik who alerted us to this piece of information and helped us understand big chunks of the files.) Anyway, m4lwatch started publishing information on "NTC Vulkan". He even posted diagrams on a supposed exploitation framework called "Znatok" Image
Read 9 tweets
hakan Profile picture
Mar 31
Part of the #VulkanFiles is “Scan-V”, a framework to conduct cyberoperations with greater speed, scale and efficiency. Basically, it's purpose is helping the GRU to achieve its mission. One of the indended end-users seems to be #Sandworm.

sueddeutsche.de/projekte/artik… Image
At its heart, Scan-V is designed to scour the web for vulnerabilities that are then stored in an “ultra-large” database. When a new operation starts, things like identifying targets and initial entry supposed to be already at the hackers’ fingertips
derstandard.de/story/20001449… Image
The docs also describe the ability to store e-mails (pst-files), pcaps (network traffic) and network-layouts. Stuff you can’t just scan for externally. Storing info on previously breached targets in case your next task is to hack them again

blog.sekoia.io/sekoia-io-anal… Image
Read 11 tweets
hakan Profile picture
Mar 30
Shortly after Russia invaded Ukraine, @h_munzinger got in touch with a source. Over the span of several weeks, Hannes got hold of more than 5000 pages of documents. This secret trove forms the basis of the investigation we’re releasing today #VulkanFiles

spiegel.de/politik/deutsc…
This is a fascinating (and rare!) look into the ambitions of the Russian state. This rather small company of about 135 people was working for the #GRU, the #SVR and the #FSB.

washingtonpost.com/national-secur…
I will highlight some of the takeaways in the coming hours and days but we have spent many months verifying the details contained within the documents, together with many partners, among others the @guardian

theguardian.com/technology/202…
Read 8 tweets
hakan Profile picture
Feb 17, 2022
New:

#Turla is one of the most skilled hacker groups operating.

@FlorianFlade, Lea Frey and I've spent close to a year chasing down leads. We were able to identify, we think, two developers, their employers, and from there, their ties to the FSB.

interaktiv.br.de/elite-hacker-f… Image
This marks the 1st time, to our knowledge, that an #osint-based investigation is able to tie Turla to the intelligence service FSB. The clues we were able to find date back up two ~two decades.

tagesschau.de/investigativ/b…
In essence, two companies come into focus: Atlas and Center-Inform. Both have a history rooted in Russian intelligence. Between 2004 and 2007, Atlas would officially be known as "Atlas of the FSB", as can be seen in press releases by the FSB itself. Image
Read 7 tweets
hakan Profile picture
Jul 2, 2021
New:

For the last couple of years, a secretive startup in the heart of Berlin developed offensive cyber-capabilities, also referred to as "strategic cyberweapons". Together w/ @derspiegel we shed light on Go Root, a company only few have heard of.

br.de/nachrichten/ne…
Go Root only wanted to sell to democracies: Europe, Israel, USA. It's CEO was Sandro Gaycken. If you've been around in this space, you've heard his name. One of the few voices in 🇩🇪 publicly talking about the need for an offensive mindset (and tools).

spiegel.de/netzwelt/netzp…
Go Root was able to attract top-talent, with decade-long expertise in exploitation. Some had worked for Azimuth and Immunity in the past. Strong focus on Linux/Unix, servers and embedded systems, developing full-chains and providing training.
Read 14 tweets
hakan Profile picture
Apr 24, 2021
Short thread on episode 1 of our podcast

a.) who alerted the Germans to the Bundestag and
b.) being (not so) careful during backups

br.de/mediathek/podc…
For years there has been an ongoing discussion as to who alerted the Germans to the Bundestag-hack. It was BAE Systems. Quite often people would follow up with how "embarassing" it would be for german agencies to not having catched the hackers but having had to be alerted to it.
Adrian Nish (and BAE) had been monitoring APT28 and came across a server in "another european country" that was very likely operated by the hackers. BAE has a "close relationship with the relevant security agency" there, so they alerted them to the server and got a forensic copy.
Read 9 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(