In the news recently, a leak of emails from ULA, one of SpaceX’s biggest rivals, was cooking up a large serving of conspiracy pie. I’m actually less interested in what may or may not have been going on; I wanted to focus on whether I could prove that this correspondence was genuine. Also, how did these documents get out? Does ULA have someone inside their organisation? Or does an external hacker have access to their mail?
The package was a 7Zip archive with nothing interesting about it on external examination. I unpacked the archive, which contained a single Word document (a .docx) and a directory (called ‘Mails’) holding a number of PDF documents.
| Title | SHA256 |
|---|---|
| FW_ In wide-ranging interview, Bill Nelson lays out his vision for NASA.pdf | aaa78d7de61a8cd6afdb86774ec9b9c5fda0e6fb8fc6a01994d5413f258d4dd0 |
| Musk.pdf | 9c0739f836ff92fea4bb6ea313dabfd4bbf2f14477ff2e6974c512edae8b0e32 |
| NASA issues.pdf | 805bb725500f5cc36f9719961c83509b3d07250e4870295a5ea1280dafcf5990 |
| Re_ Elon Musk’s War on Regulators.pdf | 6a5f5259fb0b7471e02c0baa757fac071f3ca9e288a1e3c62f4d59bb3d3fe07a |
| RE_ EXTERNAL_ Re_ NASA’s Giant Leap Backwards Towards Moon Landing.pdf | dd96ca92bba8698edaa331287f152378ce92ffa34490b9fc1a3efc2ee9d27ca9 |
| RE_ The Machinists Union Strongly Support ULA’s Tory Bruno Remaining on National Space Council.pdf | 3db268c9920408cfe0c8143857bf10fffc209362e992a480a3fec1dcce8b13bc |
| Elon Musk_Bad for Democracy (002).docx | 7b4ca566672fc94d9221612a7c1e9addac75fc3f8ad2e6e187c8c6cedb0d6735 |
I took a look at the PDFs first. They were created by Aspose PDF for .NET 19.10, and each of the documents was converted to PDF through this tool at the same time: 2021-08-24 at 10:55:27/10:55:28. They were created on a Windows system with the US language set and, judging by the time offset, apparently on a system on the East Coast of the USA.
On examination of the ULA website and the PDFs available through it, I can’t find any use of Aspose. That doesn’t really narrow things down, though: all of their PDFs appear to have been created on Windows, and some of those PDFs carry a -0400 time offset too for documents created during DST. What does this mean? Very little unfortunately, beyond possible coincidence.
ULA’s site is hosted out of Florida; the rest of their infrastructure appears to be in Colorado. Whilst the mail system doesn’t appear to be exposed to the internet, dnsdumpster does suggest they are using Citrix. Could this have been the way the documents got out? Possibly, although the server is very choosy about who it will even allow a TCP connection to on 80/443, so it’s possible only their own staff can connect, over a VPN. This was not a hugely in-depth study, but my money would be on this leak being an insider.
Maybe ULA’s security folks might want to see whether any of their machines have recently had Aspose running on them?
The Word document actually revealed nothing at all. Any metadata had been stripped to the point that I couldn’t recover anything. I can’t even confirm which version of Word created the document, as the <AppVersion> information has been removed.
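As an added example (not the author’s own tooling), the Python below pulls out the fields the two paragraphs above rely on: the Producer and CreationDate (keeping its UTC offset) from a PDF’s Info dictionary plus the file’s SHA256, and the AppVersion from a .docx’s docProps/app.xml, returning None when it has been stripped. The sample PDF bytes, producer string and timestamp are constructed stand-ins rather than values from the leaked files, and the Info dictionary is read with a regex instead of a full PDF parser.

```python
import hashlib, io, re, zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
# Constructed minimal PDF with an Info dictionary; the Producer string and
# timestamp are stand-ins for the values the post describes, not the real files.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Producer (Aspose.PDF for .NET 19.10) "
              b"/CreationDate (D:20210824105527-04'00') >>\nendobj\n"
              b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")

# PDF date syntax: D:YYYYMMDDHHmmSS followed by Z or +HH'mm' / -HH'mm'
PDF_DATE = re.compile(r"D:(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})([+\-Z])?(\d{2})?'?(\d{2})?")

def parse_pdf_date(raw):
    """Turn D:20210824105527-04'00' into an aware datetime so the offset is kept."""
    m = PDF_DATE.match(raw)
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
    tz = timezone.utc if sign in (None, "Z") else timezone(-off if sign == "-" else off)
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), tzinfo=tz)

def pdf_info(data):
    """Regex the Producer/CreationDate out of the Info dict and hash the file (no PDF library)."""
    info = {"sha256": hashlib.sha256(data).hexdigest()}
    for key in ("Producer", "Creator", "CreationDate", "ModDate"):
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
        if m:
            info[key] = m.group(1).decode("latin-1")
    if "CreationDate" in info:
        info["created"] = parse_pdf_date(info["CreationDate"])
    return info

APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

def build_sample_docx(app_version=None):
    """Constructed .docx stand-in: a zip holding docProps/app.xml, with or without AppVersion."""
    tag = f"<AppVersion>{app_version}</AppVersion>" if app_version else ""
    xml = f'<Properties xmlns="{APP_NS}"><Application>Microsoft Office Word</Application>{tag}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/app.xml", xml)
    return buf.getvalue()

def docx_app_version(data):
    """Return the AppVersion recorded in docProps/app.xml, or None if it was stripped."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/app.xml" not in z.namelist():
            return None
        el = ET.fromstring(z.read("docProps/app.xml")).find(f"{{{APP_NS}}}AppVersion")
    return el.text if el is not None else None
```

Run against a real folder of PDFs, identical Producer strings and CreationDate values a second apart are exactly the batch-conversion signal described above.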
Unfortunately, then, there is nothing specific that can definitively confirm that these are genuine emails. We know that our actor was on a US-configured system, was in the US and was on the East Coast at the time of producing the documents. Whilst they do appear to be genuine, with forensics it’s what you can prove, not what you believe…
Status: Unconfirmed.