Vulkan Files reveals Russian cyber warfare strategy

A Russian cybersecurity company that lists the Kremlin and its agencies among its clients has been exposed in a cross-border investigation after a disgruntled employee leaked thousands of internal documents, providing rare insight into Moscow's modus operandi.

The "Vulkan files," released on Thursday (March 30), concern the Moscow-based company NTC Vulkan and show how closely conventional military operations, cyber operations and psychological warfare are intertwined under Moscow's leadership.

The files were reportedly handed over to the German newspaper Süddeutsche Zeitung on February 24, 2022, by an informant who opposed the invasion of Ukraine. The material was analyzed by more than 50 journalists from eight countries working with outlets including The Guardian, The Washington Post and Le Monde, in an investigation led by Paper Trail Media and Der Spiegel.

“Thousands of pages of classified documents reveal how Moscow-based defense contractor NTC Vulkan helped Russian intelligence services enhance their ability to conduct cyberattacks, spread disinformation and monitor the Internet. An investigation has revealed NTC Vulkan’s ties to Sandworm and Cozy Bear,” writes Paper Trail Media.

The leak documents tools for influencing social media discussions, conducting surveillance and espionage, manipulating public opinion, interfering in elections, and censoring content. It also shows the close ties between the Russian intelligence services and the company, which regularly presents on topics such as the fight against digital "extremism."

"The point is not to counterattack aggressively. However, it is certainly a case of ensuring that we are able to detect and stop attacks. These competencies are needed," German Federal Minister of the Interior Nancy Faeser said in response to the revelations.

Background

The leaked files include internal documents and agreements with software vendors and provide an actual client list: the domestic security service FSB, the Foreign Intelligence Service SVR, the military intelligence service GRU, and GRU Unit 74455, the Sandworm hacker group, which is held responsible for blackouts in Ukraine and has actively supported the Russian invasion.

Google's Threat Analysis Group (TAG) had previously linked a Russian cybersecurity company to a malware campaign by the Russian hacker group Cozy Bear dating back to 2012.

The leaked documents describe various tools, including ones for discovering security vulnerabilities and planning attacks on network infrastructure, as well as for censorship, disinformation, and surveillance.

One of these tools, in use since 2018, is called Scan-V. It collects information about a target, such as its network structure, departments, and employees, for reconnaissance from a distance.

Part of that knowledge comes from publicly available sources, including websites that publish security vulnerabilities. As a component of a larger toolset, Scan-V scans target systems for vulnerabilities so that attacks can be coordinated; every vulnerability found is logged and stored in a database.

Amezit

The Amezit tool is designed for censorship, surveillance, and disinformation, as well as for identifying security weaknesses in the software of telecommunications equipment from vendors such as Huawei, Juniper, and Cisco. To manipulate network traffic, well-known web pages are imitated and seeded with false or fabricated content.

For disinformation, fake profiles are created en masse to distribute pro-Kremlin content via email, SMS, and social media. Public opinion can be steered by promoting specific hashtags. Databases of bot accounts form the basis of these operations.

The international team of journalists behind the Vulkan Files investigation has identified several hundred Twitter accounts that may be directly or indirectly linked to the documents.

To prevent the activity from being attributed to Russia, the instructions go into small details: email accounts are to be created with Gmail, Yahoo, and Hotmail, and payments made with cryptocurrency or prepaid credit cards. In addition, the LPI/Legend subsystem is meant to hide the origin of data by removing metadata or even deliberately falsifying it.

Crystal-2V

Crystal-2V refers to targeted attacks on critical infrastructure, including rail and air traffic, electricity, and water supply. According to the Vulkan files, this was still at the modeling stage; there is no evidence that it was used.

Alex Khomiakov