At a glance.
- The Vulkan papers.
- 3CXDesktopApp vulnerability and supply chain risk.
- XSS flaw can lead to remote code execution.
- AlienFox targets misconfigured servers.
The Vulkan papers.
NTC Vulkan, a Moscow-based IT consultancy, has been exposed as a major contractor to all three of the principal Russian intelligence services, the GRU, the SVR, and the FSB. Vulkan's specialty is the development of tools for cyberattack. Der Spiegel, one of a group of media outlets that broke the story, sources it to a major leak. "This is all chronicled in 1,000 secret documents that include 5,299 pages full of project plans, instructions and internal emails from Vulkan from the years 2016 to 2021," Spiegel writes. "Despite being all in Russian and extremely technical in nature, they provide unique insight into the depths of Russian cyberwarfare plans. In a militarized country that doesn’t just fight with warplanes, tanks and artillery, but with hackers and software."
The Vulkan papers reveal that the company is engaged in supporting a full range of offensive cyber operations. Its services and products extend to espionage, disinformation, and disruptive attacks intended to sabotage infrastructure, and the company also provides training to its customers in the security and intelligence organs. The Washington Post, another recipient of the leaks, ascribes them to a disaffected insider motivated by opposition to Mr. Putin's war against Ukraine. "An anonymous person provided the documents from the contractor, NTC Vulkan, to a German reporter after expressing outrage about Russia’s attack on Ukraine," the Post reports. "The leak, an unusual occurrence for Russia’s secretive military industrial complex, demonstrates another unintended consequence of President Vladimir Putin’s decision to take his country to war." The anonymous leaker (who told the German contact, when declining to provide identification, that he or she intended to "vanish like a ghost" for obvious reasons of personal security) explained the motivation for his or her actions: “The company is doing bad things, and the Russian government is cowardly and wrong.... I am angry about the invasion of Ukraine and the terrible things that are happening there. I hope you can use this information to show what is happening behind closed doors.”
The Post outlines what it takes to be the major takeaways from the documents:
- "Russia’s military has been looking to scale cyberattacks, using new technologies and platforms." It's a well-organized effort, not a contribution to a slapdash hacktivist program.
- "Vulkan’s software combs internet networks for targets and intrusion points." The leaked files show extensive cyber battlespace preparation.
- "War has unintended consequences." One of those consequences may have been the creation of a Russian insider threat.
- "One of Vulkan’s clients appears to be Russia’s most notorious hacking group, dubbed Sandworm by Western cybersecurity analysts." Sandworm is believed to have been behind the attacks on Ukraine's power grid, on the 2018 Winter Olympics, and the NotPetya pseudoransomware.
- "Disinformation campaigns also can be put on automatic pilot, at least in part." Vulkan automates influence operations to achieve coordinated inauthenticity at scale.
- "Hacking can go beyond the digital world," that is, some of Vulkan's services include support of attacks with physical consequences for adversaries' infrastructure, including "systems for controlling air, sea and rail operations."
Among the more interesting revelations in the files are descriptions of Vulkan's tools. Security firm Mandiant sifted through the leaked files for the Post, and, while the firm is careful not to vouch for the documents' authenticity, it offers an assessment of three of Vulkan's more striking products:
- Scan (or "Skan"): "A comprehensive framework likely used to enable cyber operations. Scan consists of a variety of methods for large-scale data collection and contains comprehensive documentation on how to structure databases to store and handle such information. Based on the signatories, Scan documentation was contracted (at least in part) by GRU Unit 7445, or Sandworm Team."
- Amesit (or "Amezit"): "A framework used to control the online information environment and manipulate public opinion, enhance psychological operations, and store and organize data for upstream communication of efforts. Information confrontation and psychological operations in Amesit are designed to support IO and OT-related operations."
- Krystal-2B: "A training platform for exercising coordinated IO/OT attacks against transportation and utility industries using Amesit. The exercise’s program highlights particular scenarios against OT environments and Russian infrastructure. Krystal-2B may be a red teaming or defensively focused exercise, but demonstrates interest in coordinating IO/OT attacks." Krystal-2B relies on tooling from Amesit, and documents associated with it show some of the specific interest Russian operators have in attacks against process-level systems. "For rail systems, this includes manipulating the speed of trains, creating unauthorized track transfers, causing car traffic barriers to fail, and causing combined heat and power (CHP) units to fail, with the explicit objective of causing train collisions and accidents. For pipeline systems, this includes closing valves, shutting down pumps, overfilling tanks, spilling materials, and causing pump cavitation and overheating."
Taken as a whole, the documents show that Russia is devoting considerable attention to cyber battlespace preparation.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.