Large-scale preparations by Russian military and intelligence services to use their cyberwar capabilities in misinformation campaigns, hacking operations, critical infrastructure disruption, and Internet control have been revealed by the disclosure of hundreds of pages of sensitive documents.
The documents, which were obtained via a leak from a Russian contractor named NTC Vulkan, demonstrate how Russian intelligence services collaborate with commercial corporations to plan and carry out worldwide cyber activities. These consist of project plans, software descriptions, instructions, corporate correspondence, and other documents pertaining to the transfer of ownership from the firm.
In order to teach hackers, Vulkan hosts a training session in which participants attempt to seize control of railroad networks and power facilities.
The leak reveals that the corporation has deep ties to the FSB, which is Russia’s internal espionage agency, as well as the GOU and GRU, which are the respective operational and intelligence divisions of the armed forces, and the SVR, which is Russia’s organization for international intelligence.
The documents, which were provided by an anonymous source to a German reporter working for the Suddeutsche Zeitung at the beginning of Russia’s invasion of Ukraine, have since been analyzed by media outlets all over the world, including The Washington Post and German media outlets Paper Trail Media and Der Spiegel.
Vulkan’s engineers have been working with Russian military and intelligence services, according to thousands of pages worth of classified papers, to assist hacking operations, train personnel before strikes on national infrastructure, disseminate misinformation, and control areas of the internet. So reveal a consortium of media outlets to which an anonymous Russian insider leaked documents that reveal how the company, NTC Vulkan, works as a cyber operations support contractor for the Russian government, according to individuals who reviewed the information. The documents in question reveal how the Russian government uses cyber operations. Engineers working with Vulkan had previously done contract work for Russian military and intelligence services, where they supported cyber operations, trained agents before to strikes on national infrastructure, spread disinformation, and controlled areas of the internet. Emails, internal papers, project plans, budgets, and contracts are some of the contents of the disclosed data, which range in period from 2016 to 2021.
Sandworm, the hacking unit of Russia’s GRU military intelligence agency that is known for the wave of NotPetya encryption attacks in 2017 as well as attacks on Ukraine’s electricity infrastructure, is one of Vulkan’s customers. According to the leaks, the organization known as Vulkan, which derives its name from the Russian word for volcano, performs its duties for a significant portion of the Russian government. This includes the federal security service, also known as the FSB, which is in charge of domestic counterintelligence; the SVR foreign intelligence service; and the operational and intelligence divisions of the armed forces, known as the GOU and GRU.
Anton Vladimirovich Markov, who serves as Vulkan’s current CEO, launched the company in 2010. According to a story in The Guardian, Vulkan workers were often present at various European IT and cybersecurity conferences up until the month of February 2022, when Russia stepped up its invasion of Ukraine. According to what was found, former workers are now employed by companies like Amazon Web Services and Siemens.
The Russian government is dependent on a massive military-industrial complex, as is usual for big nations’ governing structures. Since 2011, Vulkan has been awarded contracts to work on top-secret projects for both the state and the military. At the moment, the company looks to have roughly 120 workers, with almost half of them working as software engineers.
According to Mandiant, the dumps include information on three projects that are linked to contracts with Russian intelligence agencies. These programs are referred to as Scan-V, Amesit, and Krystal-2B. According to what was said, the initiatives comprise “tools, training programs, and a red team platform” for “exercising” offensive cyber operations. These offensive cyber operations include cyberespionage, information operations, and attacking operational equipment.
The capabilities that were outlined in the contracted NTC Vulkan project Scan might assist automate aspects of the reconnaissance and preparation that goes into operations.
It would seem that the authorization for Scan-V originated from the Soviet military unit 74455, often commonly referred to as Sandworm.
Krystal-2B and Amesit are focused on emulating “OT test bed conditions for rail and pipeline control systems, but documentation for the projects “also reveals interest in critical infrastructure objectives, primarily energy utilities and oil and gas, but also water utilities and transportation systems, including rail, sea, and air. The commissioning document for railroads includes attack scenarios such as “manipulating the speed of trains,” “generating illegal track transfers,” and “causing automobile traffic barriers to fail,” all of which “have the specific goal of causing train crashes and accidents.”
According to a research by Mandiant, the skills necessary for modeling of pipelines include “closing valves, shutting down pumps, overfilling tanks, leaking contents, and creating pump cavitation and overheating.”
The anonymous person who leaked the Vulkan files was also taking huge risks. The Russian government is known for going after people it thinks are betraying the country. In a short conversation with a German journalist, the leaker said that they knew it was dangerous to give sensitive information to foreign media. But they had taken steps that would change their lives. They said they had left their old life behind and were now living “as a ghost.”
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.