The inconspicuous office is in Moscow’s north-eastern suburbs. A sign reads: “Business center”. Nearby are modern residential blocks and a rambling old cemetery, home to ivy-covered war memorials. The area is where Peter the Great once trained his mighty army.
Inside the six-story building, a new generation is helping Russian military operations. Its weapons are more advanced than those of Peter the Great’s era: not pikes and halberds, but hacking and disinformation tools.
The software engineers behind these systems are employees of NTC Vulkan. On the surface, it looks like a run-of-the-mill cybersecurity consultancy. However, a leak of secret files from the company has exposed its work bolstering Vladimir Putin’s cyberwarfare capabilities.
Thousands of pages of secret documents reveal how Vulkan’s engineers have worked for Russian military and intelligence agencies to support hacking operations, train operatives before attacks on national infrastructure, spread disinformation and control sections of the internet.
The company’s work is linked to the federal security service or FSB, the domestic spy agency; the operational and intelligence divisions of the armed forces, known as the GOU and GRU; and the SVR, Russia’s foreign intelligence organization.
One document links a Vulkan cyber-attack tool with the notorious hacking group Sandworm, which the US government said twice caused blackouts in Ukraine, disrupted the Olympics in South Korea and launched NotPetya, the most economically destructive malware in history. Codenamed Scan-V, it scours the internet for vulnerabilities, which are then stored for use in future cyber-attacks.
Another system, known as Amezit, amounts to a blueprint for surveilling and controlling the internet in regions under Russia’s command, and also enables disinformation via fake social media profiles. A third Vulkan-built system – Crystal-2V – is a training program for cyber-operatives in the methods required to bring down rail, air and sea infrastructure. A file explaining the software states: “The level of secrecy of processed and stored information in the product is ‘Top Secret’.”
The Vulkan files, which date from 2016 to 2021, were leaked by an anonymous whistleblower angered by Russia’s war in Ukraine. Such leaks from Moscow are extremely rare. Days after the invasion in February last year, the source approached the German newspaper Süddeutsche Zeitung and said the GRU and FSB “hide behind” Vulkan.
“People should know the dangers of this,” the whistleblower said. “Because of the events in Ukraine, I decided to make this information public. The company is doing bad things and the Russian government is cowardly and wrong. I am angry about the invasion of Ukraine and the terrible things that are happening there. I hope you can use this information to show what is happening behind closed doors.”
The source later shared the data and further information with the Munich-based investigative startup Paper Trail Media. For several months, journalists working for 11 media outlets, including the Guardian, Washington Post and Le Monde, have investigated the files in a consortium led by Paper Trail Media and Der Spiegel.
Five western intelligence agencies confirmed the Vulkan files appear to be authentic. The company and the Kremlin did not respond to multiple requests for comment.
The leak contains emails, internal documents, project plans, budgets and contracts. They offer insight into the Kremlin’s sweeping efforts in the cyber-realm, at a time when it is pursuing a brutal war against Ukraine. It is not known whether the tools built by Vulkan have been used for real-world attacks, in Ukraine or elsewhere.
But Russian hackers are known to have repeatedly targeted Ukrainian computer networks, a campaign that continues. Since last year’s invasion, Moscow’s missiles have hit Kyiv and other cities, destroying critical infrastructure and leaving the country in the dark.
Analysts say Russia is also engaged in a continual conflict with what it perceives as its enemy, the west, including the US, UK, EU, Canada, Australia and New Zealand, all of which have developed their own classified cyber-offensive capabilities in a digital arms race.
Some documents in the leak contain what appear to be illustrative examples of potential targets. One contains a map showing dots across the US. Another contains the details of a nuclear power station in Switzerland.
One document shows engineers recommending Russia add to its own capabilities by using hacking tools stolen in 2016 from the US National Security Agency and posted online.
John Hultquist, the vice-president of intelligence analysis at the cybersecurity firm Mandiant, which reviewed selections of the material at the request of the consortium, said: “These documents suggest that Russia sees attacks on civilian critical infrastructure and social media manipulation as one and the same mission, which is essentially an attack on the enemy’s will to fight.”
Sandworm disabled Ukraine’s power grid in 2015. The following year it took part in Russia’s brazen operation to derail the US presidential election. Two of its operatives were indicted for distributing emails stolen from Hillary Clinton’s Democrats using a fake persona, Guccifer 2.0. Then in 2017 Sandworm purloined further data in an attempt to influence the outcome of the French presidential vote, the US says.
That same year the unit unleashed the most consequential cyber-attack in history. Operatives used a bespoke piece of malware called NotPetya. Beginning in Ukraine, NotPetya rapidly spread across the globe. It knocked offline shipping firms, hospitals, postal systems and pharmaceutical manufacturers – a digital onslaught that spilled over from the virtual into the physical world.
The Vulkan files shed light on a piece of digital machinery that could play a part in the next attack unleashed by Sandworm.