(Cyber) GRU (X): objectives

Apart from some more specific objectives, such as Westinghouse Electric Company’s – with business in nuclear technology – or domestic routers that can be compromised to orchestrate a distributed attack against the real objective, the information published in 2018 has brought to light five major GRU objectives, consistent with the interests of the Service and consequently with those of the Russian Federation; are those exposed at this point.

It is striking that in most of these objectives – with the possible exception of Ukraine and its infrastructures – the GRU has, presumably always, an interest related more to the confrontation of psychological information to which we have referred than with a purely technical attack. In other words, it is unlikely that the GRU will attack targets such as the researchers of the use of Novichok or the demolition of the MH17, which we will see below, with the intention of technologically altering the results of these investigations … it is more likely that the real objective was to obtain information, on the one hand, to know first-hand the state at each moment and on the other, equally important, to obtain data that would allow the Service to initiate disinformation campaigns against these investigating bodies, so that in the face of society they would lose lost credibility in their claims, thus benefiting the interests of the Russian Federation. [Read more…]

(Cyber) GRU (IX): structure. Other units

In addition to the two previous units, which have gained prominence from the information brought to light in 2018, the GRU has other Military Units linked to signal intelligence, cybersecurity or information warfare. Some of which we can find data in public sources are the following:

  • Military Unit 11135 (18th Central Research Institute). Historically ([1]) the Central Scientific Research Institute has been identified within the GRU, which from Moscow designs SIGINT equipment for the GRU and which is perhaps currently this Military Unit, focused today not only on interception of radio and satellite communications but also on wireless devices, SCADA systems or protection of communications ([2]).
  • Military Unit 40904, known as the “177th Independent Center for the Management of Technological Development”. Located in Meshcheryakova, 2 (Moscow), with high probability, this unit specializes in signal intelligence processing ([3]).
  • Military Unit 36360. Apparently it is a training unit of the GRU in which advanced intelligence courses are taught, at least since January 1949. This training, also apparently and according to open sources, includes topics closely linked to the cyber domain such as the following:
    • Telecommunications Engineering (communication by radio, radio broadcasting and television).
    • Technologies, networks and communication systems.
    • Information systems and technologies: information and analysis.
    • Software Engineering.
    • Applied Mathematics and Computer Science.
    • Information security.
    • Computer software.
    • Automated information processing and control systems.
    • Translation and translation studies (linguistics).
  • Military Unit 54726 (46th Central Research Institute), a center focused on military technical information, especially on the capabilities of foreign countries, which potentially includes research in the cyber field.

[Read more…]

CISSP certificate – II. Personal experience

In yesterday’s post we saw some general aspects of CISSP certification, which can be expanded consulting the official website of (ISC)2. In this post I will go into detail on the non-formal aspects, such as materials, advice and personal opinions. Let’s get started.

Is the exam difficult?

If you search on Google, the main user communities related to (ISC)2 are found on reddit and in the (ISC)2 forums. In both there are multiple entries relating opinions, experience with the exam, asking and giving advice, reviewing study materials and other topics. However, my impression is that the tone tends to be negative and somewhat frightening, terrifying even at times. Many people who have taken the exam describe it as very difficult and obscure with tricky wording. In addition, there are no “example” questions on the Internet, and the people who produce the training material (including the official question book) or teach the training courses (bootcamps) are never the same people who write the exam questions. Therefore, a critical element to manage during exam preparation is uncertainty.

[Read more…]

Ukraine election 2019 polls Maldoc: analysis

From Lab52 at S2 Grupo, we have recently detected a malicious document titled “Ukraine_election_2019_polls.doc”. The document was uploaded to Virustotal on March 12nd, 2019 from Germany.

The title and uploading date is especially relevant in this case, because of the existing conflict between Ukraine and Russia and the general elections at Ukraine.

Document content

[Read more…]

CISSP certificate – I

A few years ago (2011), our colleague José Luis Villalón told us about the (ISC)2 CISSP certification. As things have changed somewhat since then, and taking advantage of the fact that I recently passed the exam, we are going to take a look at this certification, the changes it has undergone and (in the next post) some advice that has personally helped me to pass the exam.


The CISSP (Certified Information Systems Security Professional) certification of (ISC)2 is currently one of the main (basic to me, although that depends on your experience and background) certifications in the field of information security, although it is more widespread in the USA than in other countries, if we take a look at the number of certificates per country. While on 31 December 2018 the US had around 84500 certificates, between Germany (2100), France (1000), Italy (400) and Spain (650) barely reach to 4000 certifications. This is probably due to the fact that many Human Resources departments in the US consider CISSP to be a basic prerequisite in the field of cybersecurity, in addition to the significant greater acceptance that (ISC)2 certificates have in the US market.

[Read more…]

Military Financing Maldoc: analysis

Recently at Lab52 from S2 Grupo, we have detected an infection campaign through a malicious document that has called our attention due to its content and title.

The document in question, named “Military Financing.xlsm” and hash “efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12”  stands out mainly for the image it contains, which refers to a document with secret information about the US Department of State.

Illustration 1 Content of the document

[Read more…]

IoT in the Industry 4.0 – Our data – collaboration or use?

On 7 February, a meeting was held in Madrid at the Vodafone Observatory of the Company, where experts in the cloud, artificial intelligence, robotics and digital transformation gave a vision on how to face the challenges of industry 4.0. In previous articles by Joan Balbastre about Industry 4.0, we could see what characterizes this industrial revolution and its basic design principles. In these articles, up to six different principles are named and one of them allows us to focus on this text: service orientation. This orientation turned out to be the fundamental axis of the whole event.

It is true that, in the face of strong competition between companies from different sectors, the optimization of the products or services provided has become a priority. There are many ways to improve a company or product. In recent years, information gathering has become one of the fundamental pillars on which the Industry 4.0 revolution is based. The data collected from consumers allows companies to perform different actions such as preventive maintenance, quality assurance, real-time defect management, operations management, etc. A clear example of the change that companies in the industry are undergoing is the case of Quality Espresso, which has gone from producing only one product, designing, producing and marketing coffee makers, to the provision of an added service thanks to the collection of information. Quality Espresso coffee machines not only allow connectivity with different devices, but are also able to collect statistical information for the company, in order to improve the products or even influence the design of new ones, as indicated in the event.

[Read more…]


The OrangeWorm group was named and described by the Symantec Company in different blog entries [1] [2]. We would highlight from these entries that it is a group that has been operational since 2015 and is focused on attacking the health, pharmaceutical, technological, manufacturing and logistics sectors. The sector most affected is healthcare as described by Symantec.

Based on this information, Lab52 has carried out an in-depth study of the Kwampirs tool (OrangeWorm’s main tool) used by this group.

Next, the RAT (Remote Administration Tool) in Dll format and the main binary or orchestrator of the infection will be analyzed.

Technical analysis of Kwampirs Dropper

Within its arsenal, OrangeWorm has a RAT in DLL format whose execution and lateral movement is carried out by an executable together with the one that composes the threat known as Kwampirs.

Regarding the executable, which we will call “Kwampirs Dropper” initially highlight its resources, among which are two images with corrupt sections. One of which consists of the DLL with RAT capabilities encrypted with an XOR key that in each execution extracts, decrypts and executes: [Read more…]

Exchange forensics: The mysterious case of ghost mail (IV)

Articles in the series “Exchange forensics: The mysterious case of ghost mail”: [1] [2] [3] [4]

[Note: This is a fiction story, the characters and situations are not real, the only real thing is the technical part, which is based on a mixture of work done, experiences of other colleagues and research carried out. with the same technical dose but with less narrative, you can consult the video of the talk that the author gave at the 11th STIC Conference of the CCN-CERT here]

We return to the investigation of the incident by examining what our colleague had found in the OWA logs. If we gather all the information regarding the accesses made from the two IP addresses with the Firefox User-Agent, we find several patterns of interest:
[Read more…]

Exchange forensics: The mysterious case of ghost mail (III)

Articles in the series “Exchange forensics: The mysterious case of ghost mail”: [1] [2] [3]

[Note: This is a fiction story, the characters and situations are not real, the only real thing is the technical part, which is based on a mixture of work done, experiences of other colleagues and research carried out. with the same technical dose but with less narrative, you can consult the video of the talk that the author gave at the 11th STIC Conference of the CCN-CERT here]

After a sleepless night (tossing and turning, brooding on the incident and trying to understand what may have happened, what we may have overlooked, what we still need to try), we return loaded with caffeine to the Organization.

Autopsy has finished the processing of the hard disk image, but after a superficial analysis of the results our initial theory is confirmed: the user’s computer is clean. In fact, it is so clean that the malicious email did not even touch that computer. Therefore, it is confirmed that everything that happened must have happened in the Exchange.

We keep thinking about the incident, and there is something that irks us: if the attackers had complete control of the Exchange, they could have deleted the mail from the Recoverable Items folder, which they didn’t. But what they did manage was to erase it from the EventHistoryDB table, which operates at a lower level … or perhaps they didn’t either.

[Read more…]