The Official Site of David Guest

ULA: Are the leaked emails genuine?

In the news recently, a leak of emails from ULA, one of SpaceX’s biggest rivals, was cooking up a large serving of conspiracy pie. I’m actually less interested in what may or may not have been going on and wanted to focus on whether I could prove that this correspondence was genuine. Also, how did these documents get out? Do ULA have someone inside their organisation? Or does an external hacker have access to their mail?

The package was a 7Zip archive that had nothing interesting about it from an external examination. I unpacked the archive, which contained a single Word document (a .docx) and a directory (called ‘Mails’) holding a number of PDF documents.

Contents of 7Zip file (filename, followed by its SHA-256 hash):

FW_ In wide-ranging interview, Bill Nelson lays out his vision for NASA.pdf
    SHA-256: aaa78d7de61a8cd6afdb86774ec9b9c5fda0e6fb8fc6a01994d5413f258d4dd0

NASA issues.pdf
    SHA-256: 805bb725500f5cc36f9719961c83509b3d07250e4870295a5ea1280dafcf5990

Re_ Elon Musk’s War on Regulators.pdf
    SHA-256: 6a5f5259fb0b7471e02c0baa757fac071f3ca9e288a1e3c62f4d59bb3d3fe07a

RE_ EXTERNAL_ Re_ NASA’s Giant Leap Backwards Towards Moon Landing.pdf
    SHA-256: dd96ca92bba8698edaa331287f152378ce92ffa34490b9fc1a3efc2ee9d27ca9

RE_ The Machinists Union Strongly Support ULA’s Tory Bruno Remaining on National Space Council.pdf
    SHA-256: 3db268c9920408cfe0c8143857bf10fffc209362e992a480a3fec1dcce8b13bc

Elon Musk_Bad for Democracy (002).docx
    SHA-256: 7b4ca566672fc94d9221612a7c1e9addac75fc3f8ad2e6e187c8c6cedb0d6735

I took a look at the PDFs first. These were created by Aspose PDF for .NET 19.10. Each of the documents was converted to PDF through this tool at the same time, 2021-08-24 at 10:55:27/10:55:28. They were created on a Windows system with the US language set and, judging by the time offset, apparently by a system on the East coast of the USA.

On examination of the ULA website and the PDFs available through it, I can’t find any use of Aspose. That doesn’t really narrow things down, though: all of their PDFs appear to be created on Windows, and some of those PDFs also carry a -0400 time offset for documents created during DST. What does this mean? Very little, unfortunately; it may be pure coincidence.

ULA’s site is hosted out of Florida; the rest of their infrastructure appears to be in Colorado. Whilst the mail system doesn’t appear to be exposed to the internet, dnsdumpster does suggest they are using Citrix. Could this have been the way the documents got out? Possibly, although the server is very choosy about who it will even allow a TCP connection to on ports 80/443, so it’s possible only their own staff can connect over a VPN. This was not a hugely in-depth study, but my money would be on this leak being an insider.

Maybe ULA’s security folks might want to see if any of their machines have recently had Aspose running on them?

The Word document actually revealed nothing at all. Any metadata had been stripped to the point I couldn’t recover anything. I can’t even confirm what version of Word created the document as the <AppVersion> information has been removed.
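The two metadata checks described above (the PDF Producer and CreationDate with its UTC offset, and the presence or absence of <AppVersion> in the docx’s docProps/app.xml) can be scripted. The following is an added example, not part of the original post, and runs on constructed sample inputs rather than the leaked files; the PDF parsing is a simplified regex over the Info dictionary and assumes an uncompressed, unencrypted file.

```python
import io
import re
import zipfile
from datetime import datetime, timedelta, timezone

# Constructed sample inputs (not the leaked files): a minimal PDF with an Info dictionary,
# plus two docx stand-ins, one with docProps/app.xml intact and one with it stripped.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Producer (Aspose PDF for .NET 19.10)"
              b" /CreationDate (D:20210824105527-04'00') >>\nendobj\n"
              b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")
APP_XML_FULL = ('<?xml version="1.0"?><Properties><Application>Microsoft Office Word'
                '</Application><AppVersion>16.0000</AppVersion></Properties>')
APP_XML_STRIPPED = '<?xml version="1.0"?><Properties></Properties>'

# PDF date syntax: D:YYYYMMDDHHmmSS followed by an optional Z, +HH'mm' or -HH'mm' offset.
PDF_DATE = re.compile(rb"D:(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:([+\-Z])(\d{2})?'?(\d{2})?)?")

def pdf_info(data: bytes) -> dict:
    """Extract Producer and CreationDate (as an offset-aware datetime) from the Info dict."""
    out = {}
    m = re.search(rb"/Producer\s*\(([^)]*)\)", data)
    if m:
        out["producer"] = m.group(1).decode("latin-1")
    m = re.search(rb"/CreationDate\s*\(([^)]*)\)", data)
    d = PDF_DATE.match(m.group(1)) if m else None
    if d:
        y, mo, da, h, mi, s = (int(x) for x in d.groups()[:6])
        sign, oh, om = d.group(7), d.group(8), d.group(9)
        if sign in (b"+", b"-"):  # e.g. -04'00' is the US Eastern offset during DST
            off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
            tz = timezone(-off if sign == b"-" else off)
        else:  # 'Z' or no offset at all: treat as UTC
            tz = timezone.utc
        out["created"] = datetime(y, mo, da, h, mi, s, tzinfo=tz)
    return out

def make_docx(app_xml: str) -> bytes:
    """Build a minimal docx stand-in: a zip holding only docProps/app.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()

def docx_app_version(data: bytes):
    """Return the <AppVersion> text from docProps/app.xml, or None if it was stripped."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/app.xml" not in z.namelist():
            return None
        xml = z.read("docProps/app.xml").decode("utf-8")
    m = re.search(r"<AppVersion>([^<]*)</AppVersion>", xml)
    return m.group(1) if m else None
```

On real files a proper parser (e.g. pikepdf or exiftool) should be used, since Info dictionaries are often inside compressed object streams; the offset comparison across all files in an archive is what shows whether they were produced in one batch on one system.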

Unfortunately, then, there is nothing specific that can definitively confirm that these are genuine emails. We know that our actor was on a US-configured system, was in the US and was on the East coast at the time of producing the documents. Whilst they do appear to be genuine, with forensics it’s what you can prove, not what you believe…

Status: Unconfirmed.
