Insights into Russian plans for cyber attacks and leak of the Vulkan files

The so-called volcano files are currently being reported in the media. In this article, we provide information about the content of these files and their importance for German companies and authorities. We also provide recommendations for action from our point of view as penetration testers and IT security consultants.

Leak of the Vulkan files

The so-called Vulkan files are internal data from a Russian software company. The leak made it public knowledge how Russian secret services, with the support of private companies, are trying to plan and carry out worldwide hacking operations. (Source: Tagesschau)

Since the beginning of the Russian war of aggression against Ukraine, the number of Russian hacking attacks against Ukraine has increased sharply. Critical infrastructures (KRITIS) were often affected. This war of aggression is said to be the trigger for the sensational leak of the so-called Vulkan Files, the contents of which are intended to provide insights into Russia's military-industrial complex and its way of thinking. The authenticity of the Vulkan files had been confirmed by several Western news services, reported the Tagesschau.

The company NTC Vulkan

The Moscow-based company NTC Vulkan deals with information technologies and counts among others the FSB (domestic secret service), the SWR (foreign secret service) and the GRU (military secret service) among its customers and clients. The leaks indicate that the notorious hacking group Sandworm, which is part of the GRU, could also be connected to NTC Vulkan.

Google's Threat Analysis Group reportedly made serious allegations against NTC Vulkan back in 2012. According to analysts, NTC Vulkan was involved in a malware campaign by a Russian hacker group now known as APT29 "Cozy Bear". Cozy Bear has penetrated US Department of Defense systems in the past.
(Source: The basic)

What are the Vulkan Files about?

The Vulkan files are several thousand pages of secret data containing project plans, software descriptions, instructions and internal emails from the heart of the Russian software company NTC Vulkan. The documents show how Russian secret services plan and carry out worldwide hacking operations with the help of private companies, as reported by “Spiegel”, “ZDF” and “Süddeutsche Zeitung”.
(Source: Tagesschau)

The leak mainly describes the two products “Scan-V” and “Amezit”. Both are classified by experts as offensive.

scan v

"Scan-V" is a type of reconnaissance software that the Russian military can use to automatically prepare for cyber attacks. "Scan-V" is used, among other things, to detect digital weaknesses, security gaps and other points of attack. Various components are combined under a uniform interface, all of which can be coordinated from an operations center. Using a kind of integrated ticket system, Scan-V can be used to coordinate internal processes and distribute tasks.

For example, the Scan-18 component is responsible for detecting known vulnerabilities and security gaps. For this purpose, publicly accessible sources are used in which these security gaps are documented. The security gaps found are automatically archived by Scan-18 in databases and stored permanently accessible.

Scan-V is also to be used to obtain information about the target. Targets can be the IT infrastructure, departments and associated employees. The focus should be on the network infrastructure.

Amesite

"Amezit" is a collection of different tools that serve the purpose of censorship, surveillance and the distribution of disinformation.

According to the leaks, the tool, dubbed PAS, is designed to redirect Internet traffic and take control of it by attacking telecommunications equipment such as routers. A database of existing vulnerability exploits can be accessed via PAS. The attacker can then take over the device and redirect, monitor, block or even censor the data traffic.

Other tools included in Amezit for specific tasks

Detect software gaps in telecom equipment (PTT)
Information Movement Tracking (PMS)
Monitoring of data flow at network level (PPA and PKS)
Data storage for PMS and PKS, as well as templates for scraping (methodical information gathering) (PHD)
Network traffic disruption (PPA)
Brute-forcing password-protected documents
Use of VPN tunnels and Tor networks for anonymous material procurement (PRD)
Distribution of disinformation through mass creation of fake profiles and hashtag pushing (PRR)
Mass information analysis of social media (fraction)

Crystal 2V

Crystal-2V documents contain information on attacks on critical infrastructure, including attack scenarios on rail and air traffic as well as power and water supplies. According to media reports, however, these are "only" simulations that are carried out on a training platform.

ProSec recommendation for action

threat

In summary, it can be said at this point that the leak of the Vulkan files does not result in any change in the threat situation in the area of IT and cyber security. The risk level remains high. As early as 2022, the Federal Office for Information Security (BSI) identified an increased threat to Germany in the context of the war in Ukraine. (Source: BSI)

However, the information that has now become known gives further insight into the motivation and techniques of certain actors.

Due to this current development, we would like to share recommendations for action with you below from our side already existed for some time. We continue to encourage our customers to focus on, identify, assess, and remediate known vulnerabilities and vulnerabilities. What this means in concrete terms is clearly listed in the following section.

Proactive measures

Keep the external attack surface as small as possible and only make services that are necessary for operation visible/available.
Check and evaluate the potential attack surface through externally accessible services and endpoints regularly independently and with external support.
Eliminate known vulnerabilities/security gaps (e.g. findings from penetration tests carried out, results of automated vulnerability scans).
When new vulnerabilities become known, check whether your own organization is/could be affected by them.
Make your employees aware of phishing attacks, as this is one of the most common techniques used by attackers to gain initial access to IT networks.
Take specific technical measures against phishing and identity theft (e.g. multi-factor authentication, email gateways, conditional access policies)
Also consistently harden internal IT services in order to keep the effects of initial access by attackers as low as possible. These include e.g. e.g.:
- Securing and hardening of identity management/ directory services (e.g. MS Active Directory or AzureAD)
- Hardening of the e-mail infrastructure used or other services for the transmission of messages and in particular file attachments
- Securing and hardening of IT networks by implementing network separation and segmentation, using intrusion detection and network access control, etc.
- Comprehensive use of tools to detect attempts or ongoing attacks or compromises, such as endpoint protection tools (DER), ideally supplemented by other detection tools (NDR/XDR or classic IDS/IPS solutions)
To protect against ransomware or the destruction of business-critical data, a functioning backup concept for your own IT infrastructure is absolutely necessary, which is operated outside of the usual IT infrastructures and services and should therefore be protected against compromise as far as possible. Ideally, such a concept is implemented in defined processes for emergency management (incident response & disaster recovery) or even part of a comprehensive business continuity management (BCM)
A sensible next step: The integration of this and other information and information sources into a central overview in a Security Information and Event Management (SIEM) or Security Operations Center (SOC).