Leaked IT contractor files detail Kremlin's stockpile of cyber-weapons An unidentified whistleblower has provided several media organizations with access to leaked documents from NTC Vulkan – a Moscow IT consultancy – that allegedly show how the firm supports Russia's military and intelligence agencies with cyber warfare tools. Journalists from Der Spiegel and Munich-based investigative group …
The IT firm, on its website, claims to help more than 200 companies protect their businesses
There's Boeing in that list... seems weird, doesn't it?
Rebarding cybersecurity: I see attacks on our firewall every day. I provide the information to organisations that attacks come from their infrastructure. I never had an answer, and attacks continue.
Couldn't organisations made responsible for this? If so, they would dedicate means to investigate and make their networks safer.
Just out of curiosity, have you tried contacting the organisations (at least the legitimate ones) over a public channel, so something like Twitter (although I'm loathe to actually suggest using Twitter). When you publically shame firms, they tend to actually react. If you contact only by email, they can ignore it, pretend they never saw the email, etc.
Maybe someone needs to create a site, where people with their own servers can post info about from which infrastructure attacks are coming from, collate the Info, identify a worst offenders list, and get some media coverage about it. El Reg would probably help out there. You'd be surprised how quickly media pressure can focus minds in business...
I only pay attention to the alerts from our firewall that it has not 'dropped'. I look up the IP address on Domain Tools and email the 'abuse' contact with the evidence. If they don't respond I email once more, if there is still no response and the intrusion attempts continue, I put the entire IP range into the blocked group on the firewall - fsck 'em!
I agree that if an attack is coming from an organisation's infrastructure, and they are made aware of it, then they should take appropriate action to stop that.
However, we all know how easy it is to spoof a source IP address. The risk with public naming-and-shaming is that you could be identifying the spoofee and not the spoofer, and risk public ire upon an innocent party.
Only communications with no handshake is easy to spoof. That limits spoofing to mostly DDoS amplification attacks, and there are well known best practices for preventing that.
The hostile TCP/IP addresses you see in application logs are real. Yes, there really are that many big-name networks hosting long-lived botnets.
That wouldn't be entirely fair. Quite a lot of attacks come via compromised kit that can't be fixed because a fix hasn't been released yet.
The angle I typically work is to hard block the offending IP range, which usually triggers a complaint by a client or a customer, which gets fired up the chain and grabs attention of someone higher up who usually has the clout / contact details to get in touch with someone else higher up in the offending company.
Personally, I'm never quick to judge another sysadmin...just because an attack appears to have originated on their network, doesn't mean actually did. Where possible, I'll contact a sysadmin directly, introducing myself as another "fucking knackered" sysadmin (which usually creates a level of rappor and understanding from the get go) and I'll work with them. I will never fire off a snotty email to a sysadmin telling them to "sort their shit out" or anything like that. We're all buddies here, alright?
For example, I run a mailing list server for a client and in the past (when I inherited the system and before I was able to lock it down), at the time it was the wild west, anyone could send an email to the mailing lists and it would just bounce through...naturally, as you've already suspected, this was a massive problem when it came to spam. Someones sysadmin came down on me like a ton of bricks, because when the email passed through the mailing lists, it was re-sent using a mailing list address, the sysadmin, like the tosser he was, just went for the throat...anyway, some of his people started getting an avalanche of crap and he pointed the finger at me...which is fair to a point, but I was hamstrung at that point so I couldn't lock down the lists, but I couldn't stop the spam either because it was originating outside of my network of users. Anyway, long story short...the origin of the spam (thanks to some email header sleuthing) turned out to be a machine on his network. I was polite about it, and he did wind his neck in...but man he was sheepish in follow up phone calls and he got a scathing public bollocking on a conference call from his boss with us.
Remember kids, don't be a dick to other sysadmins, if you're nice...there is a good chance that a fellow sysadmin might help you get a problem resolved and keep it off the radar...helping you to avoid looking like a dick and avoid getting your ears chewed off by your boss.
Most importantly, if you treat other sysadmins with respect, you now have more than one person helping to resolve a problem...you're not alone stressing the fuck out...you may also benefit from some "back channel" knowledge sharing that you can't get anywhere else. I've shared and received valuable advice and tips with sysadmins steadying other ships...I don't know them personally, I may never speak to them again...one of them might be you in passing in the future...but I've probably learned more useful stuff this way than any other way. Little golden nuggets like Powershell hacks I might no have known, hidden registry keys that are worth knowing, config tweaks to improve performance / security...you name it.
Sharing is caring. Be excellent to each other.
...and fellow sysadmins...I'll see you out there!
I was wondering why there's an increase in networks that have been compromised by hostile software but remain operating for months at a time. Then it was suddenly obvious - the same clouds and backbones that keep these compromised systems online are selling protection services. DigitalOcean, OVH, Cloudflare, Google, Amazon, NTT, and AT&T all have products that would benefit from a more hostile internet. Then there's all of Russia and China that's very willing to host attackers as long as they target "western" countries.
I'm hoping that this drives adoption of public or independent realtime blacklists. Nothing gets a big network to shape up like suddenly finding that nobody wants their traffic anymore.
Speaking of Boeing, I emailed the company to ask about that and it seems the company did some work for Boeing Russia in 2012, with no acknowledged contact since the conclusion of whatever the arrangement might have been. The official statement was, "In March 2022, Boeing suspended major operations in Russia. We continue to adhere to U.S. sanctions and global laws and regulations."
How do you "stockpile" cyber weapons?
This implies some sort of physical thing and most of this is going to be code/software.
I could have a stockpile of say, toilet paper or baked beans taking up space in my garage!
You could have a catalogue or such like.
Maybe I am just being picky......
Very easily.
Unleashing your nastiest backdoors is something you reserve for when you really need it.
Bletchley Park and Ultra deliberately did not act on all intel gathered to not give the game away and saved the capability for the most dire needs.
I happen to work for an organisation that has access to samples of the black energy malware that were used to attack Ukraine. I can confirm it's some well thought out nasty shit. By unleashing it early, it's possible effects were perhaps not as damaging as it could have been... Imagine if it infected multiple countries before the threat vector was understood?
A/C for obvious.
This post has been deleted by its author
You could 'stockpile' 0-days and lesser known exploits or malware for use on targets that are less likely to be prepared.
I guess a military analogy would be to not throw your whole military into Kyiv expecting it to fall in 3 days, but rather try to wear the "enemy" down bit by bit. (Not that it guarantees success by any means.)
Another, called Amezit, is described by Mandiant as "a framework used to control the online information environment and manipulate public opinion, enhance psychological operations, and store and organize data for upstream communication of efforts."
Hmmm? ..... so almost just like something very similar to a BBC media network/propaganda channel?
Those are not very stealthy though, are they, and nowadays not nearly as effective as they might have been in the past to capture the hearts and minds of the generally retarded and ignorantly uninterested and uninteresting and easily led and misinformed?
Dealing with information which delivers intelligence creating smarter beings appears to be proving problematical and more than just a tad terrifying for previously well thought of established state and status quo forces and sources whenever they are no longer able to successfully censor and prevent deep sight and far sound/teleaudiovisual transmission.
But who in their right mind would want to remain deaf, dumb and blind to all that is going on around them, with a prime directive for others in command and control, to enslave and belittle them?
Idiots? Morons? Certainly not SMARTR Future IT Literate Beings ...... Future Iterations of a Human Being in an Earthly Existence.
I trust that the American authorities, who surely are fair-minded and unbiased, will pursue this whistle-blower with as much assiduity as they have pursued Julian Assange, Chelsea Manning, and Edward Snowden, if they should ever step into the US or a friendly jurisdiction.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
