The Hacker Mind Podcast: The Vulkan Files

Imagine a data dump of files similar to the Snowden Leaks in 2013, only this it’s not from the NSA but from NT Vulkan, a Russian contractor. And it’s a framework for targeting critical IT infrastructures. In a talk at DEF CON 31 Joe Slowick, from Huntress, shares what a Russian whistleblower released in the form of emails and documents, and how we can tie some of that back information to some of the Sandworm campaigns and recent attacks against Ukraine.

‍

‍

[Heads Up: This transcription was autogenerated, so there may be errors.]

The Snowden Leaks. I remember where I was when I first heard about it and I remember how mad I was about it. I’m going to say up front that I’m one of those people who feel that governments should have some secrets, particularly in the best interests of national security. I didn’t feel then nor do I feel now that what Edward Snowden did in 2013 was in the best interests of US interests. I think the Snowden leaks were designed  more to embarrass the US on the world stage than anything else. 

Flash forward to today, ten years later, and you see how other countries have spent millions developing their own tools to bug the phones of reporters and human rights individuals. I’m not saying these recently revealed tools are a direct result; I’m just saying what Snowden revealed about US secrets showed other countries that it was okay for them to develop their own weapons.

Snowden is in Russia, which is interesting. He’s a full Russian citizen today. And in the next few minutes I’m going to be discussing a leak of data that reveals some of the secret tools. It’s in some ways the equivalent of the Snowden leaks, only the leaks came from Russian. Ironic, huh?  Stay tuned.

[music]

VAMOSI: Welcome to The Hacker Mind, an original podcast from the makers of Mayhem Security. It’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi and in this episode I’m discussing documents leaked to German journalists outlining a Russian defense contractor’s program in development for certain tools used by Russian security services for various purposes.

‍[music]

VAMOSI: I do everything on this podcast -- I don’t have a crew people to write the episode, to do the sound design, to create the music -- okay, I use a music service. I do everything else by myself. So I’d like to point out that Joe was at a crowded cafe when we talked. It was a great conversation and I didn’t want to redo it because the sound initially wasn’t great. Fortunately I heard that Adobe had a beta out for sound engineering. In other words, Adobe used Machine LEarning to do what I would have to spend hours doing manually to isolate Joe’s voice. Adobe did that work in a matter of minutes. Say what you will about this supposed AI revolution; really, it’s not happening soon, I promise. But there are these menial tasks -- like sound design -- which can now be automated so, you, the listener can get a crisp recording, and I can spend my time working on the next episode of The Hacker Mind.

[BREAK]

VAMOSI: I don’t normally wade into international politics. This is an information security podcast. However, the pedigree on this was worth it. I’ve talked with the CEO of Huntress, and with John Hammond, lead researcher. So when I presented with the lead threat intelligence manager at Huntress, how could I refuse?

‍

SLOWICK: Yes, certainly. Hello, my name is Joe Slowick I am a threat intelligence manager working at Huntress in developing for Intel as well as threat hunting or detection engineering mechanisms.

VAMOSI: For those of you who don’t know about Huntress, I’ll let Joe explain.

SLOWICK: Hunteress is a security company dedicated to defending but 99% providing a affordable and scalable security solution aimed at small and medium sized businesses.

VAMOSI: So we’re to be talking about the vulkan Files. What re they? They are a set leaked of emails, and other documents, implicating the Russian company NTC Vulkan in acts of cybercrime, political interference such as influencing the 2016 U S presidential election. And this contractor was doing all this in collusion with Russia's Federal Security Service (FSB), their armed forces (GOU and GRU); and Foreign Intelligence Service (SVR). Rather than a specific tool this is a framework, a way of gaining intelligence. 

SLOWICK:  Yes, this is a full-fledged government research program like what you would expect coming out of a DARPA or a contract that goes to Raytheon to be valid, or building a documents are quite interesting. They are also all unfortunately, the Russians, everyone expects, but just defining what are the capabilities, the deliverables? How will the contract be judged as a success or failure and all sorts of other very interesting elements about sort of not just development, but even a purely process behind it? There's adoption.

VAMOSI: Joe presented this talk at DEF CON 31 and I spoke to him at that time (hence the background noise). The topic is very relevant as another researcher, Marina Krotofil, is presenting a similar talk at SECTOR 2023 in Toronto, so there are people talking about these leaked files and what they hold. 

So how did we get these documents in the first place? 

Within days of the Russian invasion of Ukraine, these files were leaked to the German newspaper Süddeutsche Zeitung by a whistleblower who opposed that war. As with any leakage of this size, multiple media sites worked together and The consortium had these thoroughly vetted and authenticated by Western analysts. The final published result, known as the vulkan files, appeared in several newspapers worldwide on March 30,  2023.  Joe walks us through all of this. 

SLOWICK:  is a narrative thread that goes through this. So kick things off in our earlier this year. A few times journalists encounter TRT and that's like can't remember the gentleman's name right. I feel terrible hanus and I can't remember his surname now to save my life. Anyway, you can check that in later. But German journalists working for the German state broadcasting at acquired to source sensitive documents and project cited documents relating to the style of warfare mechanisms for Russian intelligence agencies, the GRU SBIR and STTR and in reviewing these documents revealed quite astounding capabilities in scaling and automating both intrusion operations and information collection as well as information operations and disinformation campaigns in addition to collection. So really seeing the nuts and bolts for how a state sponsored state directed signals intelligence and cyber program get developed. The German journalist had worked with through a organization called Papertrail media and will then share that research with other organizations ranging from the Washington Post, The Guardian, and other global journalists and entities and then after the documents were posted while there was an initial burst of activities, some security companies such as Mandiant, Draco's, and others events seem like promptly fading away from the everyone's attention or whether that's because people were focused on the Taylor Swift Eras Tour or Donald Trump getting indicted or who knows what. It just seemed that that data never got the recognition it should have because if you start looking at the programs in question, they provide for some very interesting abilities in real estate. Outside with operations, you will see an item that I'm focused on within the presentations this is a lot of material that's been released related to this is a program called Scan-V. Scan dash V is the name given to the project documentation.

VAMOSI: I did some digging and found that Scan-V is used for searching for weak spots in systems to be targeted. It’s a reconnaissance tool.

SLOWICK:  Scan dash V is the name given to the project documentation. It's associated with an entity tracked by Western private sector intelligence companies at Sandworm.

VAMOSI: Sandworm is the Western name for a group of Russian hackers that are associated with some of the biggest hackers in recent years. NotPetya, for example, in May of 2018. And then the attack on the South Korean Olympics later that same year. The group gained it’s name from the Frank Herbert book Dune, where Paul Attraidies is battling the Sandworms (among other forces).  The group got the name because comments in the code, they  kept referencing the book. 

SLOWICK:  So Sandworm is the entity responsible for events ranging from numerous wiper malware and Ukraine to both three known at this point attempts at disrupting the electricity distribution or transmission within rephrase, definitely  a very concerning actor. And the platform in question is interesting because it provides a way of creating a system for evaluating the influence of scanning and effectively looking for the applicability of publicly known or excitedly researched vulnerabilities and then harvesting these items into a network of advocates administered communication notes. And what's interesting about this was that adversaries use Command and Control infrastructure all the time. They can do this either by renting or buying a server from some virtual private server entity like a Digital Ocean online. Or they can leverage compromised infrastructure through a wordfence vulnerability or a vulnerability in network devices and such to proxy traffic to third party applications. 

VAMOSI: .One of the things that interested me was the connection of the Vulkan Files to Sandworm.  

SLOWICK: What's interesting about skin V is that it enables Sandworm effectively if this program is successful, to do this in a way that scales and automate a lot of the activity to build. Actually vast networks are both information collection as well as we're proxying traffic to Victor nodes to obfuscate where that traffic is coming from, and build a more resilient command and control phone so that's very interesting. 

VAMOSI: In addition to Snowden, there was also the Shadow Brokers who sold a number of offensive security tools as well. So one has to ask, are any of the vulkan Files tools new? 

SLOWICK:  Certain elements of this we see this sort of activity before, and it seems certain elements of this in Russian operations including some of the same words such as a couple of Internet of Things network device, botnets, such as VPN Filter, and Cyclops Blink, which were focused on compromising routers and similar devices for the same sorts of purposes but without evidence and seeing the back end infrastructure that is available in scan of managing, monitoring and configuring 1000s of endpoints together. So the exploit portion we've seen from Russia and x as accurately as for the last five years, but getting a glimpse at that back end. management infrastructure, including both unclassified and classified enclaves in documentation that was released along with we disclosed documents, it was very interesting to start showing the administrative overhead that lies behind creating a capability that exists on this scale. But it's not just the Russians who have done this, we can look at other examples. Going into the mid 2010s. Like the great canon associated with Chinese network monitoring capabilities. Everyone's pretty familiar with the Great Firewall liberating information coming in. The Munk School and Citizen Lab published an interesting paper on the great canon and trials that the team how that same capability of deep packet inspection and network monitoring was used to sort of flip the script for offensive purposes, deliver exploits to traffic that was going through monitored nodes to again create massive or mass widespread exploitation or an automated global like VPN F ilter and Cyclops Blink we don't have an idea of what the backend infrastructure look like, for this activity, but certainly that idea of automated exploitation, and doing so based upon the program selectors and similar was there that leads to a third previous example which is where things get really interesting. We have to go back to the Snowden leaks for this, and I can neither confirm nor deny these are sad or accuracy of the information disclosed by Mr. Snowden brothers, but based upon the analysis of such data from other parties, one tool that caught some interest but not anywhere near as much as I think it is proper that didn't see as much interest is a program called Quantum. 

VAMOSI: So the Snowden leak was a series of tools ostensibly used by the United States Government’s National Security Agency or NSA. These tools had specific names like PRISM and TURBINE with specific purposes. QUANTUM, then, is a tool which spends various attacks ranging from spam messages to instant messaging compromise to taking control of botnets.

SLOWICK:   So everyone looks like PRISM, from other things and for the very legitimate human rights and privacy concerns allow those, but this quantum program which was described in publications, such as ryer thoughts, it and other security vendors was very interesting, because we see in the late 2000s, early, early Oxford, including the late aughts, etc, that it appears that Western intelligence agencies had developed and deployed a mechanism similar to what scan looks like today of having a system set up to automatically scan traffic or profile devices and then deliver an export capability based upon the profile related to the automated way to build out a network of compromised so we follow the story here but okay, scan doesn't look all that novel, but what we can see is a learning over time of adversaries going potentially as far back as the Snowden leaks, where adversaries are paying attention when these things get disclosed, even if in the pocket of the media. Some of these stories seem to fall off the radar quite quickly. And one of the stories that runs through this entire thread of one particular program have to scan to is there's a popular conception that hacking operations is one person on one computer doing bad stuff to a target, whereas modern scalable, state sponsored cyber operations are more likely to be reflected in the cube farm that you'd see or whatever in a call center or similar environment where you have 10s maybe hundreds of personnel working in different phases of an operation and trying to gain efficiencies through that operation wherever possible. So that those operations can scale effectively towards regional and global ambitions. And I think that's the real story that we see that it's supported by confirmed by the Balkan leaks is that we see programs like scan as well as Amazon, which is an information operations capability that similarly offers for semi automated profiling, traffic and delivery of things like SMS messaging and your man in the middling communications and such to deliver specific messages into targets and victims and so forth. That the real players any information warfare space, or those that can automate to create tools and mechanisms that allow an individual operator to conduct dozens if not hundreds of missions simultaneously, through the tooling and back end processing enabled by tools like scan and join back all the way to the alleged quantum program disclosed in the early 2010s. And that's really where the future of cyber operations lie and that makes things problematic for defenders because it means that for a defenders perspective, or even from an outfit a someone who wants to emulate offensive operations perspective, our high end threat actors are no longer operate in a way where I can say like oh, if I block this IP, I can ensure that I'm saving myself and potential activity from this adversary. That adversary really has a entire suite of potential endpoints so they could use as their next hop traffic stop to where it is that they want to go or for excellent information that they can adapt those routes as different response individual nodes by using potentially vast network to maintain operational security and to build resilient operations. That would not be very easy to take down, like we've seen with certain operations. Or botnets, and so forth, that this would be a much more difficult animal to tackle to try to defeat at Facebook. So that's the story is just telling how, based upon some really interesting leaks that get us into the nitty gritty and behind the scenes look at how Russia sources its cyber warfare tools that you can see that this is not a unique feature, but something that we've seen echoes of going back almost 20 years, actually over 20 years at this point for how high profile high end, state sponsored operators had grown and adapted their cyber warfare programs over the years. To build that into efficient, semi automated, scalable and resistant systems.

VAMOSI: So the end goal is always intelligence.

SLOWICK: So that's the other thing that makes it interesting with scan and its association with Spanner because Sandworm is one of the few entities that we know has conducted multiple offensive disrupted operations in the cyber realm. So one thing that is notable about sandworm or operations going back at least as far back as 2015 is they are notorious for using compromised illegitimate infrastructure for community control purposes. For example, in the Industroyer event in 2016.

VAMOSI: You may already be familiar with Industroyer by it’s other name, CrashOveride. Industoryer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016.

SLOWICK: the command and control nodes that were used to deploy and then trigger the industry or payload that led to the 2016 electric utility disruption. We're Tor nodes, but they were Tor nodes that what appeared to have been compromised by sin were to serve as intermediate nodes for launching this operation. Similarly with VPN filter. While it appears that that could have been used for intelligence collection purposes because there are various modules for sniffing traffic and providing ways to collect on it. There are also modules that were capable of reading Modbus traffic which is associated with industrial control systems, which while there's no evidence that there was any sort of offensive capability tied to that Modbus module, if it's at least a desire or a possibility, that same word given a history could have shifted that module into something more active than just passively looking at Margot's traffic for potential industrial disruption through physics.

VAMOSI: Ah, sp It's not just gathering intelligence. It has the potential to cripple parts of the infrastructure by going after operational technology or OT. These are devices that have not traditionally been attached to the internet. Such as the Iranian centrifuges that were the target of Stuxnet. To work, Stuxnet had to worm it’s way into an industrial control facility and then, and only then, attack the Siemens System Seven PLCs. It did so by first burning a few Windows Zero days to get there. So are these tools targeting OT systems in a similar way?

SLOWICK:  Yes, potentially, or even just it. So another facet of this is that we've seen throughout the current Ukraine conflict, but there have been denial of service distributed denial of service attacks against Ukrainian services. And they often shrug goes off as being cyber network annoyance as a function of cyber attack, so to speak, that it's a DDOS you pay from service, it gets mitigated. It goes in waves. Well, if you're operating in a degraded environment, you're under physical and virtual attack. As the Ukrainians are and we start removing sources of communication to populace by bringing down certain services, problems. And if you look at something like the infrastructure that could be set up via scan, it's not just the idea of building up that infrastructure but also tasking that infrastructure. To do something which could range from something seemingly as simplistic but at a very large scale, as targeted disruptive activity through you know, service techniques to leveraging those nodes as next age of Paxos or whatever network they're associated with, or similar items based on the profile at the compromise, no suggestion.

VAMOSI: So I'm familiar in the Russian Ukraine conflict with malicious code that went after the VPNs not VPN, the routers excuse me and use them for various denial of service attacks associated with the invasion. It seems like Russia is developing or entities associated with Russia or developing a more diverse as you said, playing field. it's doing DDoS in associated with something else.

SLOWICK:  Right. And it's interesting that if you see the Ukraine conflict, some like look at this as throwing stuff against the wall and seeing what sticks in terms of the variety of activities that have been leveraged, but a very consistent especially from a Sandworm or GRU perspective, desire to deploy and leverage disruptive capabilities like even for example, the industry or to events. If we look at that, it appears that Ukrainian authorities are able to with cooperations analysis and Microsoft, to get ahead of that event. And stop it from happening. But looking at the capabilities that were deployed, yes, there was this industrial control system mechanism in your story too, but also a series of wipers going against Windows system these Solaris systems that are still found in operational technology environments. And similar have really going after in quite blunt in, you know, to the extent we could use the word violence in the cyber landscape but violent way of network infrastructure and that's been a very consistent mechanism over time is getting into networks and deploying a wiper or something might look like ransomware but really is just essentially a whiteboard of some sort. For cyber disruptive purposes, and tying this back into the Volcom documents, they can easily be seen off something like infrastructure, maintenance and management system and built by scan can be leveraged to build a resilient shooting platforms so to speak, in cyber films. I hate using these analogies sometimes, but it works in this case, by developing a array of their executive units to then pursue infrastructure for all purposes, and they can get very much guesswork from the side of defenders and where these sorts of intrusions are the sorts of payments that come from.

VAMOSI: So is there sophistication or a lack of sophistication with these tools?

SLOWICK: Yeah, there's definitely thought behind this. And while we can't prove that these tools have actually been deployed at this point in time, that's been something I've been trying to do for the last year or so. But I'm looking at one of the other tools that leaked something called emesis. This is the Information Operations platform I referenced earlier. And it's designed as a way to build a mobile mechanism of deploy into say, occupied territory, that with physical access to cell phone towers and similar infrastructure that you plug this system in and allows for you to profile connect and source information on an SMS messages and other similar communications building over that network, but also to insert mechanisms into it. And if we look at things like the current Ukraine conflict, that sort of capability because we've already seen evidence of Russia doing things like rerouting network connections in Ukraine to work towards Russia, restructure to physically reroute running communication lines, so that occupied areas of Ukraine are getting the luxury version of the internet and all that comes back. So on and so many other things are looking at a platform like this, which these documents go back a couple of years at this point. It appears to be a tool that perfectly aligns with that idea of like, okay, we've entered an area and we want to do some sort of population control and messaging, and this would be a perfect mechanism to insert into civilian communication networks for that information operation perspective.

VAMOSI: So the Vulkan Files refer to a framework for gathering intelligence and launching malware. For the intelligence gathering, how would that look? Joe uses an analogy. What if Washington DC was under siege from a hostile entity? That entity could use the vulkan files to burrow deep into the communications channels we all take for granted. They could gather intelligence about where people were, and they could also plant misinformation so that people could be identified and arrested. Scary stuff.

SLOWICK: Correct. So for example, this would be like say, definitely falls in Washington, DC and all of a sudden, was occupied or martial law or something. And I wanted to send you a text message about like, hey, there's a checkpoint here, or some other information, or that potential communication string never was intercepted. To figure out who's talking to do start building up a network of like, who are the people need to be worried about as far as potential resistance who similar, but also to inject into that communication stream to say that checkbox actually will be there. And this leads someone to get captured or to deliver a Information Operations payload like our you know, be authorities are benign and there is no reason to rise against them or similar facilities. But during the way that scales and they'll be tied directly into the infrastructure in question, so that becomes difficult to detect it is almost impossible to defeat because it's tied into the Volta physical communication infrastructure.

VAMOSI: So when you said it was sophisticated, I would suspect that they're doing something around like a S-7 communications. Okay. Pretty deep in the telecommunications network.

SLOWICK:  Yes. What's your physical access to the equipment? It's just a case of plugging in the box here, and then what we'll be covering in a deep packet inspection, intersection, if you allow these other capabilities to then be brought to bear.

[MUSIC]

VAMOSI: So I understand what Snowden that obviously, the NSA is not going to acknowledge. Yeah. These are our tools and then we designed it this way. No that’s not happening. The trouble is the Snowden leak played out over months and months; there was much discussion about each new tool as they were released. And the media, they had specific stories that they planned to write on all of it. With the vulkan Files -- that didn’t happen. The release in March 2023 of the news wasn’t played out over months and months. And specific stories weren’t planned to run through the summer. Indeed, I first heard about all of this not in the spring, but at DEF CON 31.

SLOWICK: any interesting why that's the case. I don't know. I do know that I have talked with multiple people privately about these documents and their implications and so forth. So people within the security community, I realize the significance behind these. It is disappointing though, the lack of more general attention than it is really after the weekdays, republish I've not seen a mention of these again, and I'm a pretty devoted follower of various news sources on this productivity because I have so again, whether it's distraction, or it's like, oh, it's Russians, I don't care versus Oh, the US government. What if my Facebook said, There was definitely a more sense of like, this impacts me directly, whereas this appears to be a much more notional impact scenario for most western audiences.

VAMOSI: So I have some experience with writing a story and then having a troll army attack the story.  I wondered if Joe had thought about any sort of blowback from surfacing? This at DEF CON at DEF CON is a secure community and everything but once it gets out into the real world, any thoughts about like what might happen by talking about this?

SLOWICK: Before it has crossed my mind, it's really been more with associating this activity with some other historical items that I think people still don't want to talk about, like quantum and some of these other items as being potential inspirations for this. My response is that this is nothing that I'm presenting in my presentation is privately or, you know, sourced from some deep dark corner of or wherever some human has talked to me and is planning for me to secure the anonymity. I have a detailed reference section that outlines where you can find all the information I'm talking about. So it's all out there. It's just a question of putting it all together for what's the broader story being tethered. So if people want to get butthurt about this sort of thing, like it's going to happen one way or the other, right? But for more impactful consequences beyond me why social media gets screwed around with the tuners devalue Twitter these days, I mean, anyway, yeah. I'm not worried about that. Because this has all been out. There in some cases for over 15 years.

[MUSIC]

VAMOSI: So what are the takeaways from all this.

SLOWICK:  I think if there's one lesson or observation at a higher or meta level from this, it's really about placing events in context that cyber now is a realm that's existed for in some shape or form 30 years at this point, you're gonna roll it and really tracking it on a public level for me to be competent. And not knowing that history can blind us to how some of these items can be related or represent that. organizations trying to solve similar problems have evolved in similar ways. Because it's just the thing that works. The same reason why Balkans and fish are similarly fin structure is because it's just how it works and to be streamlined that Otto virus and it's been able to take a step back from immediately for him to say like, where, where else have I seen this? Where else is the supply of how this has an influence and drive future evolution within this space, and we start getting the really interesting stories of where cyber operations have been and where they're going.

VAMOSI: Joe reminded me of something. Russia, doing these things and throwing spaghetti on the wall and seeing what sticks and everything. There's also, as you pointed out earlier, commonality with stuff we saw from China and from other countries, Iran and others in the mix. I wonder, though, if they're stepping back, because they're seeing a lot of failures with what's going on with Russia. And, you know, that's a good thing in the short term, but it might not be in the long term because it just means that they're going to double down. I would think,

‍SLOWICK:  I think, if nothing else, the failures or perceived failures of a lot of Russian operations. If nothing else, we're providing a variety of other entities rather than North Korea to the five eyes. Oh, so this works this doesn't avoid this is providing like anything else. There will be analysts who review the ground war in a training setting in the rain for lessons on modern conflict between similarly if you have to address entities or entities functions. 510 15 years from now, people will look back to this event and we'll analyze the cyber component to see what worked what didn't and how we can learn from that moving forward, and no one's moving away from this area anytime soon. It's just too damn popular unfortunately.