The so-called Vulkan files are currently being reported on in the media. In this article, we provide information about the content of these files and their relevance for German companies and authorities. We also provide recommendations for action from our point of view as penetration testers and IT security consultants.
The so-called Vulkan files are internal data from a Russian software company. The leak made it public knowledge how Russian secret services, with the support of private companies, are trying to plan and carry out worldwide hacking operations. (Source: Tagesschau)
Since the beginning of the Russian war of aggression against Ukraine, the number of Russian hacking attacks against Ukraine has increased sharply. Critical infrastructures (KRITIS) were often affected. This war of aggression is said to be the trigger for the sensational leak of the so-called Vulkan Files, the contents of which are intended to provide insights into Russia's military-industrial complex and its way of thinking. The authenticity of the Vulkan files had been confirmed by several Western news services, reported the Tagesschau.
The Moscow-based company NTC Vulkan deals with information technologies and counts among others the FSB (domestic secret service), the SWR (foreign secret service) and the GRU (military secret service) among its customers and clients. The leaks indicate that the notorious hacking group Sandworm, which is part of the GRU, could also be connected to NTC Vulkan.
Google's Threat Analysis Group reportedly made serious allegations against NTC Vulkan back in 2012. According to analysts, NTC Vulkan was involved in a malware campaign by a Russian hacker group now known as APT29 "Cozy Bear". Cozy Bear has penetrated US Department of Defense systems in the past.
(Source: The basic)
The Vulkan files are several thousand pages of secret data containing project plans, software descriptions, instructions and internal emails from the heart of the Russian software company NTC Vulkan. The documents show how Russian secret services plan and carry out worldwide hacking operations with the help of private companies, as reported by “Spiegel”, “ZDF” and “Süddeutsche Zeitung”.
(Source: Tagesschau)
The leak mainly describes the two products “Scan-V” and “Amezit”. Both are classified by experts as offensive.
For example, the Scan-18 component is responsible for detecting known vulnerabilities and security gaps. For this purpose, publicly accessible sources in which these security gaps are documented are used. The security gaps found are automatically archived by Scan-18 in databases and stored so that they remain permanently accessible.
Scan-V is also to be used to obtain information about the target. Targets can be the IT infrastructure, departments and associated employees. The focus should be on the network infrastructure.
"Amezit" is a collection of different tools that serve the purpose of censorship, surveillance and the distribution of disinformation.
According to the leaks, the tool, dubbed PAS, is designed to redirect Internet traffic and take control of it by attacking telecommunications equipment such as routers. A database of existing vulnerability exploits can be accessed via PAS. The attacker can then take over the device and redirect, monitor, block or even censor the data traffic.
Crystal-2V documents contain information on attacks on critical infrastructure, including attack scenarios on rail and air traffic as well as power and water supplies. According to media reports, however, these are "only" simulations that are carried out on a training platform.
In summary, it can be said at this point that the leak of the Vulkan files does not result in any change in the threat situation in the area of IT and cyber security. The risk level remains high. As early as 2022, the Federal Office for Information Security (BSI) identified an increased threat to Germany in the context of the war in Ukraine. (Source: BSI)
However, the information that has now become known gives further insight into the motivation and techniques of certain actors.
In light of this current development, we would like to share recommendations for action with you below that have existed on our side for some time. We continue to encourage our customers to focus on identifying, assessing, and remediating known vulnerabilities and security gaps. What this means in concrete terms is clearly listed in the following section.
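The recommendation above (identify, assess, remediate known vulnerabilities) mirrors, from the defender's side, what the leak says Scan-V does from the attacker's side: matching publicly documented vulnerabilities against an inventory of targets. The following Python script is an added example written for this article, not code from the original page or from any product it describes. It matches a constructed asset inventory against a constructed advisory feed, ranks findings by CVSS base score with extra weight for internet-exposed hosts, and lists the fixed version to upgrade to. All host names, product names, version numbers and advisory IDs ("ADV-000x") are placeholders, not real CVEs or real systems.

```python
"""Vulnerability triage: match an asset inventory against an advisory feed
and rank what to remediate first. Added example; all data is constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_exposed: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifiers, not real CVE numbers
    product: str
    fixed_in: str      # first version that contains the fix
    cvss: float        # CVSS base score as published in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.52' into (2, 4, 52) so that versions compare numerically
    rather than as strings ('2.4.9' < '2.4.10' holds numerically)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected if it runs the advisory's product at a version
    older than the first fixed release."""
    if asset.product != adv.product:
        return False
    return parse_version(asset.version) < parse_version(adv.fixed_in)


def priority(asset: Asset, adv: Advisory) -> float:
    """Simple risk weighting: CVSS base score, doubled for hosts that are
    reachable from the internet. Real programs would add asset criticality,
    known exploitation, and compensating controls."""
    return adv.cvss * (2.0 if asset.internet_exposed else 1.0)


def triage(assets: List[Asset], advisories: List[Advisory]) -> List[Tuple[float, str, str, str]]:
    """Return (priority, host, advisory_id, fixed_in) tuples, highest priority first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if is_affected(asset, adv):
                findings.append((priority(asset, adv), asset.host, adv.advisory_id, adv.fixed_in))
    # Sort by descending priority; host and advisory id break ties deterministically.
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


# Constructed sample inventory (hypothetical hosts and products).
ASSETS = [
    Asset("web-01", "exampled", "2.4.50", internet_exposed=True),
    Asset("intranet-01", "exampled", "2.4.50", internet_exposed=False),
    Asset("db-01", "exampledb", "14.3", internet_exposed=False),
    Asset("web-02", "exampled", "2.4.60", internet_exposed=True),
]

# Constructed sample advisory feed (placeholder IDs, not real CVEs).
ADVISORIES = [
    Advisory("ADV-0001", "exampled", fixed_in="2.4.52", cvss=9.8),
    Advisory("ADV-0002", "exampledb", fixed_in="14.5", cvss=7.5),
    Advisory("ADV-0003", "exampled", fixed_in="2.4.58", cvss=5.3),
]


if __name__ == "__main__":
    for prio, host, adv_id, fixed_in in triage(ASSETS, ADVISORIES):
        print(f"{prio:5.1f}  {host:<12} {adv_id}  upgrade to >= {fixed_in}")
```

Running the script lists five findings: both vulnerabilities on the exposed web-01 host come first, the fully patched web-02 host produces no finding at all, and the internal hosts follow in order of their CVSS score. The point of the exercise is the loop itself: a current software inventory joined against a regularly refreshed advisory feed, with a ranking rule that the organisation has agreed on, is what "identify, assess, remediate" looks like in practice.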