Leaked IT contractor files detail Kremlin's stockpile of cyber-weapons

An unidentified whistleblower has provided several media organizations with access to leaked documents from NTC Vulkan – a Moscow IT consultancy – that allegedly show how the firm supports Russia's military and intelligence agencies with cyber warfare tools. Journalists from Der Spiegel and Munich-based investigative group …

  1. Potemkine! Silver badge

    The IT firm, on its website, claims to help more than 200 companies protect their businesses

    There's Boeing in that list... seems weird, doesn't it?

    Regarding cybersecurity: I see attacks on our firewall every day. I inform the organisations that the attacks come from their infrastructure. I have never had an answer, and the attacks continue.

    Couldn't organisations be made responsible for this? If so, they would dedicate means to investigate and make their networks safer.

    1. lglethal Silver badge
      Go

      Just out of curiosity, have you tried contacting the organisations (at least the legitimate ones) over a public channel, so something like Twitter (although I'm loath to actually suggest using Twitter)? When you publicly shame firms, they tend to actually react. If you contact them only by email, they can ignore it, pretend they never saw the email, etc.

      Maybe someone needs to create a site where people with their own servers can post info about which infrastructure attacks are coming from, collate the info, identify a worst offenders list, and get some media coverage about it. El Reg would probably help out there. You'd be surprised how quickly media pressure can focus minds in business...

      1. Anonymous Coward

        I only pay attention to the alerts from our firewall that it has not 'dropped'. I look up the IP address on Domain Tools and email the 'abuse' contact with the evidence. If they don't respond I email once more, if there is still no response and the intrusion attempts continue, I put the entire IP range into the blocked group on the firewall - fsck 'em!

        1. teknopaul

          Fsck 'em and anyone who inherits their IPs

      2. Hans Neeson-Bumpsadese Silver badge

        I agree that if an attack is coming from an organisation's infrastructure, and they are made aware of it, then they should take appropriate action to stop that.

        However, we all know how easy it is to spoof a source IP address. The risk with public naming-and-shaming is that you could be identifying the spoofee and not the spoofer, and risk public ire upon an innocent party.

        1. Peter2

          It's trivial to spoof an IP address.

          However, unless I'm missing something, if it's aimed at being used for probing you then replies (from probing etc.) will be going back to that address, and there's not much point in doing that unless you control it, as you wouldn't see the responses.

        2. Kevin McMurtrie Silver badge

          Only communications with no handshake are easy to spoof. That limits spoofing to mostly DDoS amplification attacks, and there are well known best practices for preventing that.

          The hostile TCP/IP addresses you see in application logs are real. Yes, there really are that many big-name networks hosting long-lived botnets.
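The point made in this sub-thread, that an address which completed a TCP handshake can be trusted for attribution while a handshake-less UDP source cannot, can be turned into a triage rule before anyone is named to an abuse desk. The following is an added example, not code from the original thread; the iptables-style log lines are constructed sample input and the field names (SRC, PROTO, DPT, flag words) are assumed to follow that format.

```python
from collections import defaultdict

# Constructed, iptables-style firewall log lines (sample input, not real traffic).
# Flag words (SYN, ACK, PSH) appear as bare tokens after the DPT field.
SAMPLE_LOGS = [
    "DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=54021 DPT=22 SYN",
    "DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=54022 DPT=3389 SYN",
    "ACCEPT IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=40112 DPT=443 ACK PSH",
    "DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=53",
    "DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=UDP SPT=123 DPT=123",
]

def parse_line(line):
    """Split a KEY=VALUE log line into fields plus the set of bare TCP flag words."""
    tokens = line.split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    flags = {t for t in tokens[1:] if "=" not in t}
    return {"action": tokens[0], "src": fields.get("SRC"), "proto": fields.get("PROTO"),
            "dpt": fields.get("DPT"), "flags": flags}

def confidence(entry):
    """How far the source address can be trusted for attribution.
    high:   TCP segment carrying ACK; the peer received our SYN-ACK, so the address is real.
    medium: bare TCP SYN probe; spoofable, but a prober who wants answers must control it.
    low:    no handshake (UDP/ICMP); trivially spoofable and used for reflection/amplification."""
    if entry["proto"] != "TCP":
        return "low"
    return "high" if "ACK" in entry["flags"] else "medium"

def triage(lines, min_hits=2):
    """Group events by source and decide which sources are safe to raise with an abuse desk.
    Returns {"report": [...], "hold": [...]}; 'hold' sources need corroboration first."""
    rank = {"low": 0, "medium": 1, "high": 2}
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "confidence": "low"})
    for line in lines:
        e = parse_line(line)
        rec = per_src[e["src"]]
        rec["hits"] += 1
        if e["dpt"]:
            rec["ports"].add(int(e["dpt"]))
        if rank[confidence(e)] > rank[rec["confidence"]]:
            rec["confidence"] = confidence(e)
    result = {"report": [], "hold": []}
    for src, rec in sorted(per_src.items()):
        attributable = rec["confidence"] == "high" or (
            rec["confidence"] == "medium" and rec["hits"] >= min_hits)
        result["report" if attributable else "hold"].append(src)
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```

The two TCP sources end up in the report list, while the UDP source, which could equally be a reflection victim, is held back.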

    2. Anonymous Coward

      That wouldn't be entirely fair. Quite a lot of attacks come via compromised kit that can't be fixed because a fix hasn't been released yet.

      The angle I typically work is to hard block the offending IP range, which usually triggers a complaint by a client or a customer, which gets fired up the chain and grabs attention of someone higher up who usually has the clout / contact details to get in touch with someone else higher up in the offending company.

      Personally, I'm never quick to judge another sysadmin...just because an attack appears to have originated on their network doesn't mean it actually did. Where possible, I'll contact a sysadmin directly, introducing myself as another "fucking knackered" sysadmin (which usually creates a level of rapport and understanding from the get go) and I'll work with them. I will never fire off a snotty email to a sysadmin telling them to "sort their shit out" or anything like that. We're all buddies here, alright?

      For example, I run a mailing list server for a client and in the past (when I inherited the system and before I was able to lock it down), at the time it was the wild west, anyone could send an email to the mailing lists and it would just bounce through...naturally, as you've already suspected, this was a massive problem when it came to spam. Someone's sysadmin came down on me like a ton of bricks, because when the email passed through the mailing lists, it was re-sent using a mailing list address; the sysadmin, like the tosser he was, just went for the throat...anyway, some of his people started getting an avalanche of crap and he pointed the finger at me...which is fair to a point, but I was hamstrung at that point so I couldn't lock down the lists, but I couldn't stop the spam either because it was originating outside of my network of users. Anyway, long story short...the origin of the spam (thanks to some email header sleuthing) turned out to be a machine on his network. I was polite about it, and he did wind his neck in...but man, he was sheepish in follow-up phone calls and he got a scathing public bollocking on a conference call from his boss with us.

      Remember kids, don't be a dick to other sysadmins; if you're nice...there is a good chance that a fellow sysadmin might help you get a problem resolved and keep it off the radar...helping you to avoid looking like a dick and avoid getting your ears chewed off by your boss.

      Most importantly, if you treat other sysadmins with respect, you now have more than one person helping to resolve a problem...you're not alone stressing the fuck out...you may also benefit from some "back channel" knowledge sharing that you can't get anywhere else. I've shared and received valuable advice and tips with sysadmins steadying other ships...I don't know them personally, I may never speak to them again...one of them might be you in passing in the future...but I've probably learned more useful stuff this way than any other way. Little golden nuggets like PowerShell hacks I might not have known, hidden registry keys that are worth knowing, config tweaks to improve performance / security...you name it.

      Sharing is caring. Be excellent to each other.

      ...and fellow sysadmins...I'll see you out there!

    3. Kevin McMurtrie Silver badge

      Because money

      I was wondering why there's an increase in networks that have been compromised by hostile software but remain operating for months at a time. Then it was suddenly obvious - the same clouds and backbones that keep these compromised systems online are selling protection services. DigitalOcean, OVH, Cloudflare, Google, Amazon, NTT, and AT&T all have products that would benefit from a more hostile internet. Then there's all of Russia and China that's very willing to host attackers as long as they target "western" countries.

      I'm hoping that this drives adoption of public or independent realtime blacklists. Nothing gets a big network to shape up like suddenly finding that nobody wants their traffic anymore.

    4. thomas_claburn

      Speaking of Boeing, I emailed the company to ask about that and it seems the company did some work for Boeing Russia in 2012, with no acknowledged contact since the conclusion of whatever the arrangement might have been. The official statement was, "In March 2022, Boeing suspended major operations in Russia. We continue to adhere to U.S. sanctions and global laws and regulations."

  2. hoola Silver badge

    Stockpile?

    How do you "stockpile" cyber weapons?

    This implies some sort of physical thing and most of this is going to be code/software.

    I could have a stockpile of say, toilet paper or baked beans taking up space in my garage!

    You could have a catalogue or such like.

    Maybe I am just being picky......

    1. Anonymous Coward

      Re: Stockpile?

      Very easily.

      Unleashing your nastiest backdoors is something you reserve for when you really need it.

      Bletchley Park and Ultra deliberately did not act on all intel gathered to not give the game away and saved the capability for the most dire needs.

      I happen to work for an organisation that has access to samples of the BlackEnergy malware that was used to attack Ukraine. I can confirm it's some well thought out nasty shit. By unleashing it early, its possible effects were perhaps not as damaging as they could have been... Imagine if it had infected multiple countries before the threat vector was understood?

      A/C for obvious.

    2. This post has been deleted by its author

    3. elsergiovolador Silver badge

      Re: Stockpile?

      You burn them on CD-R and put them on a pile.

    4. Tom66

      Re: Stockpile?

      You could 'stockpile' 0-days and lesser known exploits or malware for use on targets that are less likely to be prepared.

      I guess a military analogy would be to not throw your whole military into Kyiv expecting it to fall in 3 days, but rather try to wear the "enemy" down bit by bit. (Not that it guarantees success by any means.)

      1. Stork
        Joke

        Re: Stockpile?

        Oh, malware also wears down the enemy bit by bit!

    5. donk1

      Re: Stockpile?

      Stockpile "a large accumulated stock" - keep creating them and do not use them!

    6. Anonymous Coward

      Re: Stockpile?

      You keep a box full of USB thumb drives with malware on them in a warehouse. The difficult bit is if someone in the warehouse accidentally knocks the box over and you can't find all the thumb drives, essentially USB-dropping yourself. Very hazardous business indeed.

  3. amanfromMars 1 Silver badge

    Always Look on the Bright Side of Life ..... IT is Making Everything Greater and Better

    Another, called Amezit, is described by Mandiant as "a framework used to control the online information environment and manipulate public opinion, enhance psychological operations, and store and organize data for upstream communication of efforts."

    Hmmm? ..... so almost just like something very similar to a BBC media network/propaganda channel?

    Those are not very stealthy though, are they, and nowadays not nearly as effective as they might have been in the past to capture the hearts and minds of the generally retarded and ignorantly uninterested and uninteresting and easily led and misinformed?

    Dealing with information which delivers intelligence creating smarter beings appears to be proving problematical and more than just a tad terrifying for previously well thought of established state and status quo forces and sources whenever they are no longer able to successfully censor and prevent deep sight and far sound/teleaudiovisual transmission.

    But who in their right mind would want to remain deaf, dumb and blind to all that is going on around them, with a prime directive for others in command and control, to enslave and belittle them?

    Idiots? Morons? Certainly not SMARTR Future IT Literate Beings ...... Future Iterations of a Human Being in an Earthly Existence.

    1. Gort99
      Thumb Down

      Re: Always Look on the Bright Side of Life ..... IT is Making Everything Greater and Better

      Are you just turning into the Lord Haw-Haw of the Ukraine conflict?

      1. amanfromMars 1 Silver badge

        Re: Always Look on the Bright Side of Life ..... IT is Making Everything Greater and Better

        Are you just turning into the Lord Haw-Haw of the Ukraine conflict? .... Gort99

        A bold and loud NO is the correct, unambiguous answer to that question, Gort99.

  4. Plest Silver badge
    Unhappy

    I can't imagine the leaker of these docs will be seen for another 30 years, and only then if they manage to survive one of Vlad's own branded "Hiltons" in Siberia.

    1. Anonymous Coward

      Room with a view

      If things go normally, they will put him in a room with a window, in a tall building.

      1. TimMaher Silver badge
        Coat

        Re: Room with a view

        It will have a recently withdrawn GnomeMart “Russian” branded window.

        They are faulty.

    2. teknopaul

      Unfortunately they might do better out of the deal than Snowden did.

  5. Pascal Monett Silver badge
    Trollface

    "Google-owned Mandiant helped interpret the documents"

    So that was the 5th intelligence agency. After the CIA, the NSA, the Energy Department and the FBI, I was wondering.

    Oh, and now we know that Google has the data.

    1. Roland6 Silver badge

      Re: "Google-owned Mandiant helped interpret the documents"

      Well, given the general level of (non)security of cloud-based data stores (based on media reports), don’t be surprised if the entire dataset gets incorporated into GPT-5 (rumoured to be released late 2023…)

  6. Yes Me
    Joke

    Let's be even-handed about this

    I trust that the American authorities, who surely are fair-minded and unbiased, will pursue this whistle-blower with as much assiduity as they have pursued Julian Assange, Chelsea Manning, and Edward Snowden, if they should ever step into the US or a friendly jurisdiction.

    1. Roland6 Silver badge

      Re: Let's be even-handed about this

      The worrying thing is that certain parts of the US establishment (Trump supporting Republicans?) would be very willing to swap this person for Snowden…
