hakan
writing about hackers and their tradecraft @paper_trail_m – @derspiegel – @zdf
Feb 19 9 tweets 3 min read
New:

During our latest investigation, we were able to get access to a Github repository used by 🇰🇵 hackers (#Kimsuky) for storing "victim". What Kimsuky apparently did not know (or didn't care about) was this: if you have the repo, you have access to everything done within it.

Some context:

🇰🇵 hackers have been mostly cut off from the flow of information due to, among other things, the closing down of a lot of embassies, etc. Hackers have to step up and get access to strategic intel.



w/ @MarcelRosenbach @h_munzinger and Jaya Mirani

spiegel.de/politik/deutsc…
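The thread's point that holding a copy of a git repository means holding everything ever committed to it can be checked directly. The script below is an added example, not material from the author or from the investigation: it builds a throwaway repository (constructed data, a file named victims.txt with two placeholder lines), commits the file, deletes it in a later commit, and then shows that the deleting commit and the file's contents can still be read back from history. It assumes a POSIX shell and a git binary on PATH; the repository path, commit messages and file contents are all invented for the demonstration.

```shell
#!/bin/sh
# Added example (not the author's material): a file deleted from a git
# repository is still recoverable from history. Paths, commit messages and the
# contents of "victims.txt" are constructed for the demonstration.
set -e

# Build a throwaway repository in which a file is committed and then deleted.
# Prints the repository path on stdout.
make_demo_repo() {
  repo=$(mktemp -d)
  (
    cd "$repo"
    git init -q
    git config user.email "demo@example.invalid"   # identity needed to commit
    git config user.name "demo"
    printf 'victim-01\nvictim-02\n' > victims.txt   # constructed sample data
    git add victims.txt
    git commit -q -m "add victim list"
    git rm -q victims.txt                            # operator "cleans up"
    git commit -q -m "remove victim list"
  )
  printf '%s\n' "$repo"
}

# Subjects of every commit, on any ref, that deleted the given path.
# $1 = repository path, $2 = path inside the repository
deleting_commits() {
  git -C "$1" log --all --diff-filter=D --format='%s' -- "$2"
}

# Contents of the path as of the parent of the most recent commit that deleted it.
# $1 = repository path, $2 = path inside the repository
recover_from_history() {
  commit=$(git -C "$1" log --all --diff-filter=D --format='%H' -n 1 -- "$2")
  git -C "$1" show "$commit~1:$2"
}

# Usage when run directly:
#   repo=$(make_demo_repo)
#   deleting_commits "$repo" victims.txt      # -> remove victim list
#   recover_from_history "$repo" victims.txt  # -> victim-01 / victim-02
#   rm -rf "$repo"
```

Rewriting history (`git filter-repo`, an amended commit plus force push) only removes the old objects from copies that are pruned afterwards; anyone who cloned the repository before the rewrite, as the investigators did here, keeps the original commits.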
Apr 1, 2023 9 tweets 4 min read
In 2019, a mysterious account called @m4lwatch started dumping extremely relevant information on #Sandworm. Shortly thereafter, they mentioned a company: NTC Vulcan. Fast-forward three years and that company is in the spotlight #VulkanFiles
spiegel.de/netzwelt/web/v…

Short thread. Almost every researcher tracking Russian APTs was following @m4lwatch. This screenshot tells you why: m4lwatch is talking about infrastructure related to #Sandworm almost six months before it showed up in an advisory sent out by the NSA (PDF).

media.defense.gov/2020/May/28/20…
Mar 31, 2023 10 tweets 3 min read
Now to the most hilarious bit of the #VulkanFiles: The curious case of "Secret Party NTC Vulkan" and APT #MagmaBear. The documents contained in the leak are not only intricate: with a few exceptions like hardware specs and disinfo-related pieces (see this thread: ), there's not much infosec professionals can quickly utilize. Think IP addresses, hashes, source code, etc.
Mar 31, 2023 11 tweets 5 min read
Part of the #VulkanFiles is "Scan-V", a framework to conduct cyberoperations with greater speed, scale and efficiency. Basically, its purpose is helping the GRU to achieve its mission. One of the intended end-users seems to be #Sandworm.

sueddeutsche.de/projekte/artik…

At its heart, Scan-V is designed to scour the web for vulnerabilities that are then stored in an "ultra-large" database. When a new operation starts, things like identifying targets and initial entry are supposed to be already at the hackers' fingertips.
derstandard.de/story/20001449…
Mar 30, 2023 8 tweets 5 min read
Shortly after Russia invaded Ukraine, @h_munzinger got in touch with a source. Over the span of several weeks, Hannes got hold of more than 5000 pages of documents. This secret trove forms the basis of the investigation we’re releasing today #VulkanFiles

spiegel.de/politik/deutsc…

This is a fascinating (and rare!) look into the ambitions of the Russian state. This rather small company of about 135 people was working for the #GRU, the #SVR and the #FSB.

washingtonpost.com/national-secur…
Feb 17, 2022 7 tweets 4 min read
New:

#Turla is one of the most skilled hacker groups operating.

@FlorianFlade, Lea Frey and I have spent close to a year chasing down leads. We were able to identify, we think, two developers, their employers, and from there, their ties to the FSB.

interaktiv.br.de/elite-hacker-f…

This marks the 1st time, to our knowledge, that an #osint-based investigation is able to tie Turla to the intelligence service FSB. The clues we were able to find date back ~two decades.

tagesschau.de/investigativ/b…
Jul 2, 2021 14 tweets 6 min read
New:

For the last couple of years, a secretive startup in the heart of Berlin developed offensive cyber-capabilities, also referred to as "strategic cyberweapons". Together w/ @derspiegel we shed light on Go Root, a company only few have heard of.

br.de/nachrichten/ne…

Go Root only wanted to sell to democracies: Europe, Israel, USA. Its CEO was Sandro Gaycken. If you've been around in this space, you've heard his name. One of the few voices in 🇩🇪 publicly talking about the need for an offensive mindset (and tools).

spiegel.de/netzwelt/netzp…
Apr 24, 2021 9 tweets 2 min read
Short thread on episode 1 of our podcast

a.) who alerted the Germans to the Bundestag and
b.) being (not so) careful during backups

br.de/mediathek/podc…

For years there has been an ongoing discussion as to who alerted the Germans to the Bundestag hack. It was BAE Systems. Quite often people would follow up with how "embarrassing" it would be for German agencies not to have caught the hackers themselves but to have had to be alerted to it.
Apr 23, 2021 7 tweets 3 min read
Short thread on
a.) digital forensics &
b.) how people analyzing the Bundestag-hack came to see that the hackers were already in another network at the same time.

As part of the podcast "Der Mann in Merkels Rechner" ardaudiothek.de/der-mann-in-me… (for those folks who don't speak 🇩🇪).

.@nunohaien is one of the most respected people I've come across covering this beat. I've written about his work before (sueddeutsche.de/digital/it-sic…). I'd also recommend this article (by @vermontgmg) on the "GameOver Zeus" takedown: wired.com/2017/03/russia…
Apr 22, 2021 13 tweets 4 min read
Hi!

For the past six months, @FlorianFlade and I have been working on a podcast. Today is release day of "Der Mann in Merkels Rechner". At its core, we wanted to answer one question: How exactly can you find out who is behind a hacking operation?

br.de/mediathek/podc…

(1/6) We chose to focus on the intrusion into the 🇩🇪 parliament in 2015. Hacked by #FancyBear/#APT28. Since there's an arrest warrant, you can tell the story front to back. The podcast has five episodes and is in German. I'm going to summarize key bits here, one thread per episode.
(2/6)
Nov 11, 2020 4 tweets 2 min read
For the U.S. crowd:

I obtained a chat between ransomware group Revil and a german copper manufacturer. Revil demanded 7.5 million but settled for 1.27 USD.

(I got access to 240 Revil samples. Only a minority still had live chats in place.)

tagesschau.de/wirtschaft/ran…

Reuters had a story about these negotiations here: reuters.com/article/uk-cyb… (by @jc_stubbs), @ValeryMarchive detailed them here lemagit.fr/actualites/252…