Russia’s ‘Vulkan Files,’ a 3CX supply chain attack and White House action on spyware

Toby Elliott / Unsplash

Welcome to Changelog for 4/2/23, published by Synack! Nathaniel Mott here, back with a look at some of the biggest cybersecurity news of the week.

The payload

A trove of documents known as “The Vulkan Files” has offered a rare glimpse into how a private company, NTC Vulkan, has supported Russia’s offensive cyber operations.

Der Spiegel, The Guardian and The Washington Post have all published reports based on The Vulkan Files, which an anonymous whistleblower provided to Paper Trail Media to protest Russia’s invasion of Ukraine. The Guardian said the trove includes “thousands of pages of secret documents” dating from 2016 to 2021 and that “five western intelligence agencies confirmed the Vulkan files appear to be authentic.”

Mandiant published a report based on these documents saying they describe three programs. The first, called Scan, is a “comprehensive framework likely used to enable cyber operations” that “consists of a variety of methods for large-scale data collection and contains comprehensive documentation on how to structure databases to store and handle such information.”

The second, known as Amesit, is “a framework used to control the online information environment and manipulate public opinion, enhance psychological operations, and store and organize data for upstream communication of efforts,” according to Mandiant, part of Google Cloud. It’s complemented by the third program, Krystal-2B, a “training platform for exercising coordinated IO/OT attacks against transportation and utility industries using Amesit.”

Mandiant said the tools’ capabilities are consistent with previously observed state-sponsored hacking activity from Russia. “Another noteworthy observation is the incorporation of IO capabilities in the same projects that describe OT targeting, which hints at the likelihood of deploying campaigns that leverage both resources to support complex information warfare operations,” Mandiant added.

The company stressed that it’s not clear if Russia has relied on these systems following its invasion of Ukraine, but this knowledge about some of the country’s cyberwar-related capabilities is still valuable.

“As we continue to observe the intensification of threat activity from Russian-sponsored actors in parallel to the invasion in Ukraine,” Mandiant said, “defenders should remain aware about the capabilities and priorities reflected in these documents to be prepared for protecting critical infrastructure and services.”

The week, compiled

The reported compromise of business communications provider 3CX has managed to combine fears regarding supply chain attacks—such as the SolarWinds hack of 2020 and Kaseya ransomware incident of 2021—with post-Log4Shell anxieties surrounding the use of open source software.

CrowdStrike said on March 29 that it had observed “unexpected malicious activity” from 3CX’s desktop app for Windows. SentinelOne issued a similar report that same day, and on March 30, Apple security researcher Patrick Wardle confirmed that the Mac version of the app was also compromised. (The company’s mobile apps don’t appear to have been affected.)

Julian Hochgesang / Unsplash

3CX said in a statement that “the issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT.” The company hasn’t said what library was affected. There are signs that it’s referring to a popular open source media tool called FFmpeg, yet its maintainers said on Twitter their project has not been compromised.

At the moment, the 3CX incident seems more like a traditional supply chain attack than a sign that companies need to rush to figure out if they’re using FFmpeg—or whichever library 3CX believes is responsible for this incident—like they did Log4j. But that isn’t to say this attack is inconsequential; BleepingComputer reported that the “3CX Phone System is used by more than 600,000 companies worldwide and has over 12 million daily users.”

And now for a spyware-themed trio of news items from this week:

Reuters: A recent executive order barring federal agencies from using commercial spyware that “poses risks to national security” or enables human rights abuses in other countries was reportedly preceded by the revelation that “at least 50 U.S. government staffers stationed in 10 countries were targeted with commercial hacking tools.”

TechCrunch: Google’s Threat Analysis Group (and Amnesty International) revealed two spyware campaigns targeting devices in the United Arab Emirates with a variety of zero-day and known vulnerabilities in Android, iOS, Chrome and other ubiquitous software.

CyberScoop: The U.S. wasn’t alone in speaking out against spyware this week. The White House said “the governments of Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the United Kingdom, and the United States” were “partnering to counter the misuse of commercial spyware” around the world.

A message from Synack

Heading to RSA this year? Swing by Fogo de Chão to join Synack’s “Journey by the Bay” experience just 98 steps away from the Moscone Center. We have a jam-packed week of programming lined up, from an exclusive whiskey and dry-aged steak tasting to an executive panel discussion on women in the boardroom. Check out the full roster of events and parties here.

Flash memory

Gmail is old enough to drink pretty much anywhere except the U.S. Google launched the email service on April 1, 2004, making it 19 years old.

Rubaitul Azad / Unsplash

I’d bet the odds of someone reading this never interacting with Gmail are practically zero. Google said in 2019 that it had grown to more than 1.5 billion users around the world—and the remaining billions of internet users are all but guaranteed to correspond with someone using the service.

Happy Birthday, Gmail!

Local files

BleepingComputer: It was a bad week for some fraudsters: Ukraine announced the arrest of several members of a gang believed to have stolen $4.3 million from victims throughout Europe using more than 100 sites that stole customers’ credit card information when they made purchases.

Space News: The U.S. Space Force has requested $700 million to “enhance the cyber defense of our critical networks associated with space operations,” as chief of space operations Gen. B. Chance Saltzman reportedly put it.

The Record: A recent attack on BMW France wasn’t as successful as the Play ransomware gang claimed, with the company saying that it had “not identified any intrusion within BMW Group or BMW France systems.” The ransomware incident was instead confined to a local dealer.

Off-script

I can’t help but shudder every time I see the so-called mammoth meatball. If you know the one I mean, you understand why. If you don’t, well, I’m sorry you have to hear it from me.

Even the Associated Press — the stodgy wire service that’s prevented sensible journalists from being able to use the Oxford comma for decades — seemed taken aback. Its coverage opened with: “Throw another mammoth on the barbie? […] An Australian company on Tuesday lifted the glass cloche on a meatball made of lab-grown cultured meat using the genetic sequence from the long-extinct pachyderm, saying it was meant to fire up public debate about the hi-tech treat.”

Aico Lind / Studio Aico

From any other publication that would be cutesy; from the AP it’s a clear sign that something ain’t right. (The meatball. Obviously the meatball.)

Who is this supposed to serve? What kind of Venn diagram is this startup, Vow, drawing with “people who have no problem with pushing tech to the limit by kinda-sorta resurrecting extinct animals because they haven’t seen Jurassic Park” and “people who haven’t already made up their minds about whether or not they’d eat lab-grown meat”? Two completely separate circles?

Science was a mistake.

That’s all for now — please send any feedback and RSA-related pitches to nmott@synack.com or bsobczak@synack.com. We’re off next Sunday, but we’ll return with another newsletter on April 16.