- Tom Jowitt
Leaked Vulkan Files Reveal Kremlin’s Cyberwarfare Tactics
Explosive documents leaked by a whistleblower in protest at the Kremlin’s war in Ukraine shine a light on Russia’s cyberwarfare operations
A top secret trove of documents from a Moscow-based defence contractor has provided a fascinating insight into Russia’s cyberwarfare operations.
The Washington Post, the Guardian and other media outlets reported that more than 5,000 pages of confidential corporate documents have revealed that Russian intelligence agencies worked with the Moscow-based contractor called NTC Vulkan, to strengthen their ability to launch cyberattacks, sow disinformation and surveil parts of the internet.
The documents (dubbed the ‘Vulkan files’) date from 2016 to 2021 and were reportedly leaked by an anonymous whistleblower angered by Russia’s war in Ukraine, who approached the German newspaper Süddeutsche Zeitung.
The leaker said that Russia’s GRU and FSB agencies “hide behind” NTC Vulkan.
“People should know the dangers of this,” the whistleblower was quoted as saying by the Guardian. “Because of the events in Ukraine, I decided to make this information public. The company is doing bad things and the Russian government is cowardly and wrong.”
“I am angry about the invasion of Ukraine and the terrible things that are happening there,” said the whistleblower. “I hope you can use this information to show what is happening behind closed doors.”
The source later shared the data and further information with the Munich-based investigative startup Paper Trail Media.
For several months, journalists working for 11 media outlets, including the Guardian, Washington Post and Le Monde, investigated the files in a consortium led by Paper Trail Media and Der Spiegel.
Officials from five Western intelligence agencies and several independent cybersecurity companies have reportedly stated they believe the documents are authentic, after reviewing excerpts at the request of the media outlets.
NTC Vulkan and the Kremlin did not respond to multiple requests for comment, the Guardian reported.
So what do the ‘Vulkan files’ actually reveal?
The documents are a combination of internal documents, project plans, manuals, technical specification sheets and other details for software that Vulkan actually designed for the Russian military and intelligence establishment.
They also include internal company emails, financial records, budgets and contracts that show both the ambition of Russia’s cyber operations and the breadth of the work Moscow has been outsourcing to third-party Russian defence contractors.
This includes programs to create fake social media pages and software that can identify and stockpile lists of vulnerabilities in computer systems across the globe for possible future targeting.
The documents reportedly suggest the Russian defence contractor was supporting Russian operations including both social media disinformation and training to remotely disrupt real-world targets, such as sea, air and rail control systems.
The documents describe testing and payments for work done by Vulkan for the Russian security services and several associated research institutes. The company has both government and civilian clients.
According to the newspapers, the ‘Vulkan files’ offer a rare window into the secret corporate dealings of Russia’s military and spy agencies, including work for the notorious government hacking group Sandworm.
The US government has previously attributed Sandworm to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).
Sandworm has been identified as having twice caused power blackouts in Ukraine, disrupted the Opening Ceremony of the 2018 Winter Olympics, and launched NotPetya, the most economically destructive malware in history.
According to the Washington Post, one of the leaked documents mentions the numerical designation for Sandworm’s military intelligence unit, 74455, suggesting that Vulkan was preparing software for use by the elite hacking squad.
The unsigned, 11-page document, dated 2019, showed a Sandworm official approving the data transfer protocol for one of the platforms.
According to the newspaper reports, several mock-ups of a user interface for a project known as Amezit appear to depict examples of possible hacking targets, including the Foreign Ministry in Switzerland and a nuclear power plant in that country.
Another document shows a map of the United States with circles that appear to represent clusters of internet servers.
One illustration for a Vulkan platform called Skan makes reference to a US location, labelled “Fairfield,” as a place to find network vulnerabilities for use in an attack, the Post reported.
Another document describes a “user scenario” in which hacking teams would identify insecure routers in North Korea, presumably for potential use in a cyberattack.
The documents do not, however, include verified target lists, malicious software code or evidence linking the projects to known cyberattacks, the newspapers noted.
That said, the ‘Vulkan files’ do offer insights into the aims of the Russian state under Vladimir Putin.
According to the Washington Post, three former Vulkan employees, who spoke on the condition of anonymity out of fear of retribution, confirmed some details about the company.
Financial records for Vulkan, which were separately obtained by the news organisations, match references in the documents in several instances, detailing millions of dollars worth of transactions between known Russian military or intelligence entities and the company.
Vulkan was founded in 2010 and has about 135 employees. The company website says its main headquarters is in northeast Moscow.