URL: https://www.washingtonpost.com/national-security/2023/03/30/russian-cyberwarfare-documents-vulkan-files/

The Vulkan Files


SECRET TROVE OFFERS RARE LOOK INTO RUSSIAN CYBERWAR AMBITIONS


MORE THAN 5,000 PAGES OF DOCUMENTS FROM A MOSCOW-BASED CONTRACTOR OFFER UNUSUAL
GLIMPSES INTO PLANNING AND TRAINING FOR SECURITY SERVICES, INCLUDING THE
NOTORIOUS HACKING GROUP SANDWORM

By Craig Timberg, Ellen Nakashima, Hannes Munzinger and Hakan Tanriverdi
March 30, 2023 at 11:00 a.m. EDT

The leak of documents from a Moscow-based defense contractor is unusual for
Russia’s secretive military industrial complex. (Washington Post illustration,
NTC Vulkan; iStock)

Russian intelligence agencies worked with a Moscow-based defense contractor to
strengthen their ability to launch cyberattacks, sow disinformation and surveil
sections of the internet, according to thousands of pages of confidential
corporate documents.

The documents detail a suite of computer programs and databases that would allow
Russia’s intelligence agencies and hacking groups to better find
vulnerabilities, coordinate attacks and control online activity. The documents
suggest the firm was supporting operations including both social media
disinformation and training to remotely disrupt real-world targets, such as sea,
air and rail control systems.



An anonymous person provided the documents from the contractor, NTC Vulkan, to a
German reporter after expressing outrage about Russia’s attack on Ukraine. The
leak, an unusual occurrence for Russia’s secretive military industrial complex,
demonstrates another unintended consequence of President Vladimir Putin’s
decision to take his country to war.



Officials from five Western intelligence agencies and several independent
cybersecurity companies said they believe the documents are authentic, after
reviewing excerpts at the request of The Washington Post and several partner
news organizations.

These officials and experts could not find definitive evidence that the systems
have been deployed by Russia or been used in specific cyberattacks, but the
documents describe testing and payments for work done by Vulkan for the Russian
security services and several associated research institutes. The company has
both government and civilian clients.

The trove offers a rare window into the secret corporate dealings of Russia’s
military and spy agencies, including work for the notorious government hacking
group Sandworm. U.S. officials have accused Sandworm of twice causing power
blackouts in Ukraine, disrupting the Opening Ceremonies of the 2018 Winter
Olympics and launching NotPetya, the most economically destructive malware in
history.



One of the leaked documents mentions the numerical designation for Sandworm’s
military intelligence unit, 74455, suggesting that Vulkan was preparing software
for use by the elite hacking squad. The unsigned, 11-page document, dated 2019,
showed a Sandworm official approving the data transfer protocol for one of the
platforms.

“The company is doing bad things, and the Russian government is cowardly and
wrong,” said the person who provided the documents to the German reporter,
shortly after the invasion of Ukraine. The reporter then shared them with a
consortium of news organizations, which includes The Washington Post and is led
by Paper Trail Media and Der Spiegel, both based in Germany.

The anonymous person, who spoke to the reporter through an encrypted chat app,
declined to identify themself before ending contact, declaring the need to
vanish “like a ghost” for security reasons.

“I am angry about the invasion of Ukraine and the terrible things that are
happening there,” the person said. “I hope you can use this information to show
what is happening behind closed doors.”



Vulkan did not respond to requests for comment. An employee of the company who
answered the phone at its head office confirmed that an email with queries had
been received and said it would be answered by company officials, “if it is of
interest to them.”

No responses came. Kremlin officials also did not reply to requests for comment.

The cache of more than 5,000 pages of documents, dated between 2016 and 2021,
includes manuals, technical specification sheets and other details for software
that Vulkan designed for the Russian military and intelligence establishment. It
also includes internal company emails, financial records and contracts that show
both the ambition of Russia’s cyber operations and the breadth of the work
Moscow has been outsourcing.

This includes programs to create fake social media pages and software that can
identify and stockpile lists of vulnerabilities in computer systems across the
globe for possible future targeting.

Several mock-ups of a user interface for a project known as Amezit appear to
depict examples of possible hacking targets, including the Foreign Ministry in
Switzerland and a nuclear power plant in that nation. Another document shows a
map of the United States with circles that appear to represent clusters of
internet servers.



One illustration for a Vulkan platform called Skan makes reference to a U.S.
location, labeled “Fairfield,” as a place to find network vulnerabilities for
use in an attack. Another document describes a “user scenario” in which hacking
teams would identify insecure routers in North Korea, presumably for potential
use in a cyberattack.

The documents do not, however, include verified target lists, malicious software
code or evidence linking the projects to known cyberattacks. Still, they offer
insights into the aims of a Russian state that — like other major powers,
including the United States — is eager to grow and systematize its ability to
conduct cyberattacks with greater speed, scale and efficiency.

“These documents suggest that Russia sees attacks on civilian critical
infrastructure and social media manipulation as one and the same mission, which
is essentially an attack on the enemy’s will to fight,” said John Hultquist, the
vice president for intelligence analysis at the cybersecurity firm Mandiant,
which reviewed selections of the document at the request of The Post and its
partners.


‘A CRITICAL PILLAR’

The role of contractors in Russian cyberwarfare is “very significant,”
especially for the Russian military intelligence agency commonly called the GRU,
said a Western intelligence analyst, speaking on the condition of anonymity to
share sensitive findings. “They are a critical pillar of GRU offensive cyber
research and development. They provide expertise that the GRU may lack on a
given issue. The spy services can do cyber operations without them, but likely
not as well.”

Three former Vulkan employees, who spoke on the condition of anonymity out of
fear of retribution, confirmed some details about the company. Financial records
for Vulkan, which were separately obtained by the news organizations, match
references in the documents in several instances, detailing millions of dollars
worth of transactions between known Russian military or intelligence entities
and the company.



The intelligence and cybersecurity experts said details in the documents also
match information collected about Russia’s hacking programs — including in a
smaller previous leak — and appear to describe new tools for enabling offensive
cyber operations. Vulkan, they said, is one of dozens of private firms known to
provide tailored cyber capabilities to the Russian security services.

The experts cautioned that it was not clear which of the programs had been
completed and deployed, as opposed to being merely developed and ordered up by
the Russian military, including by units linked to the GRU. The documents do,
however, refer to state-mandated testing, changes desired by the clients and
finished projects, strongly suggesting that at least trial versions of some of
the programs were activated.

“You don’t find network diagrams and design documents like this very often. It
really is very intricate stuff. This wasn’t meant to be ever seen publicly,”
said one of the Western intelligence officials, speaking on the condition of
anonymity to share candid assessments of sensitive findings. “But it makes sense
to pay attention. Because you better understand what the GRU is trying to do.”

The Threat Analysis Group at Google, the tech company’s premier cyberthreat
hunter, found evidence in 2012 that Vulkan was being used by the SVR, Russia’s
foreign intelligence service. The researchers observed a suspicious test
phishing email being sent from a Gmail account to a Vulkan email account that
had been set up by the same person, evidently a company employee.

“[T]he use of test messages is common practice to test phishing emails prior to
their use,” Google said in a statement. After that test email, the Google
analysts saw the same Gmail address being used to send malware known to be
employed by SVR against other targets.

That was “not the smartest move” on the Vulkan employee’s part, said one Google
analyst, speaking on the condition of anonymity to describe sensitive findings.
“It was definitely a slip-up.”

References to the company also can be found in VirusTotal, a Google-owned
service with a database of malicious software that is a resource for security
researchers.

A file labeled “Secret Party NTC Vulkan” is a holiday invitation disguised in a
piece of malware that normally takes control of a user’s computer. The
invitation — apparently harmless — automatically downloads an illustration of a
large bear alongside a champagne bottle and two glasses.

The image is labeled “APT Magma Bear,” a reference to Western cybersecurity
officials’ labeling of Russian hacking groups with ursine code names. APT refers
to “Advanced Persistent Threat,” a cybersecurity term for the most serious
hacking groups, which are typically run by nation states such as Russia.

The invitation reads “APT Magma Bear wishing you and your family a wonderful
holiday season and a healthy and peaceful New Year!” as Soviet military music
plays in the background.


TIES TO WESTERN CORPORATIONS

Vulkan was founded in 2010 and has about 135 employees, according to Russian
business information websites. The company website says its main headquarters is
in northeast Moscow.

A promotional video on the company website portrays Vulkan as a scrappy tech
start-up that “solves corporate problems” and has a “comfortable work
environment.” It ends by declaring that Vulkan’s goal is to “make the world a
better place.”

The promotional video does not mention military or intelligence contracting
work.

“The work was fun. We used the latest technologies,” said one former employee in
an interview, speaking on the condition of anonymity for fear of retribution.
“The people were really clever. And the money was good.”

Some former Vulkan employees later worked for major Western companies, including
Amazon and Siemens. Both companies issued statements that did not dispute that
former Vulkan employees worked for them, but they said that internal corporate
controls protected against unauthorized access to sensitive data.

The documents also show that Vulkan intended to use an array of U.S. hardware in
setting up systems for Russian security services. The design documents
repeatedly refer to American products, including Intel processors and Cisco
routers, that should be used to configure the “hardware-software” systems for
Russian military and intelligence units.

There are other connections to U.S. companies. Some of those companies,
including IBM, Boeing and Dell at one time worked with Vulkan, according to its
website, which describes commercial software development work with no obvious
ties to intelligence and hacking operations. Representatives of IBM, Boeing and
Dell did not dispute that those entities previously worked with Vulkan but said
they do not now have any business relationships with the company.


AUTOMATED DISINFORMATION

The trove of documents initially was shared with a reporter for the German
newspaper Süddeutsche Zeitung. The consortium examining the documents has 11
members — including The Post, the Guardian, Le Monde, Der Spiegel, iStories,
Paper Trail Media and Süddeutsche Zeitung — from eight countries.

Among the thousands of pages of leaked Vulkan documents are projects designed to
automate and enable operations across Russian hacking units.

Amezit, for example, details tactics for automating the creation of massive
numbers of fake social media accounts for disinformation campaigns. One document
in the leaked cache describes how to use banks of mobile phone SIM cards to
defeat verification checks for new accounts on Facebook, Twitter and other
social networks.

Reporters for Le Monde, Der Spiegel and Paper Trail Media, working from Twitter
accounts listed in the documents, found evidence that these tools probably had
been used for numerous disinformation campaigns in several countries.

One effort included tweets in 2016 — when Russian disinformation operatives were
working to boost Republican presidential candidate Donald Trump and undermine
Democrat Hillary Clinton — linking to a website claiming that Clinton had made
“a desperate attempt” to “regain her lead” by seeking foreign support in Italy.

The reporters also found evidence of the software being used to create fake
social media accounts, inside and outside of Russia, to push narratives in line
with official state propaganda, including denials that Russian attacks in Syria
killed civilians.

Amezit has other features designed to allow Russian officials to monitor, filter
and surveil sections of the internet in regions they control, the documents
show. They suggest that the program contains tools that shape what internet
users would see on social media.

The project is repeatedly described in the documents as a complex of systems for
“information restriction of the local area” and the creation of an “autonomous
segment of the data transmission network.”

A 2017 draft manual for one of the Amezit systems offers instructions on the
“preparation, placement and promotion of special materials” — most likely
propaganda distributed using fake social media accounts, telephone calls, emails
and text messages.


MAPPING CRITICAL INFRASTRUCTURE

One of the mock-ups in a 2016 design document allows a user to hover a cursor
over an object on a map and display IP addresses, domain names and operating
systems as well as other information about “physical objects.”

One such physical object — highlighted in fluorescent green — is the Ministry of
Foreign Affairs in Bern, Switzerland, which shows a hypothetical email address
and the “attack goal” to “obtain root user privileges.” The other object
highlighted on the map is the Muhleberg Nuclear Power Plant, west of Bern. It
stopped producing power in 2019.




Dmitri Alperovitch, who co-founded the cyberthreat intelligence firm
CrowdStrike, said that the documents indicate that Amezit is intended to enable
discovery and mapping of critical facilities such as railways and power plants,
but only when the attacker has physical access to a facility.

“With physical access, you can plug this tool into a network and it will map out
vulnerable machines,” said Alperovitch, now the chairman of Silverado Policy
Accelerator, a think tank in Washington.

Emails suggest that the Amezit systems were at least tested by Russian
intelligence agencies by 2020. A company email dated May 16, 2019, describes
feedback from the customer and desires for changes in the program. A spreadsheet
marks which parts of the project have been finished.



A document in the trove also suggests that Vulkan was contracted in 2018 to
create a training program called Crystal-2 to provide simultaneous operation by
up to 30 trainees. The document mentions testing “the Amezit system to disable
[incapacitate] control systems for rail, air and sea transport” but does not
make clear whether the training program conceived in the documents went forward.

Trainees also would be “testing methods for obtaining unauthorized access to
local computer and technological networks of infrastructure and facilities to
support life in population centers and industrial areas,” potentially using
capabilities the document ascribes to Amezit.

Later in the document, the text reads: “The level of secrecy of processed and
stored information in the product is ‘Top Secret.’”


REPOSITORY OF VULNERABILITIES

Skan, the other main project described in the documents, allowed Russia’s
attackers continuously to analyze the internet for vulnerable systems and
compile them in a database for possible future attacks.

Joe Slowik, the threat intelligence manager at the cybersecurity company
Huntress, said Skan probably was designed to work in tandem with other software.

“This is the background system that would allow for it all — organizing and
potentially tasking and targeting of capabilities in a way that can be centrally
managed,” he said.

Slowik said Sandworm, the Russian military hacking group blamed for numerous
disruptive attacks, was likely to want to keep a large repository of
vulnerabilities. A document from 2019 says Skan could be used to display “a list
of all possible attack scenarios” and highlight all the nodes on the network
that could be involved in the attacks.

The system also appears to enable coordination among Russian hacking units,
allowing “the ability to exchange data between prospective geographically
dispersed special units,” according to the leaked documents.

“Skan reminds me of old military movies where people stand around … and place
their artillery and troops on the map,” says Gabby Roncone, another
cybersecurity expert at Mandiant. “And then they want to understand where the
enemy tanks are and where they need to strike first to break through the enemy
lines.”

There is evidence that at least some part of Skan was delivered to the Russian
military.

In an email dated May 27, 2020, Vulkan developer Oleg Nikitin described
collecting a list of employees “to visit the territory of our functional user”
to install and configure equipment for the Skan project, and upgrade and
configure software and demonstrate functionality. The functional user is
described as “Khimki,” a reference to the Moscow suburb where Sandworm is based.

“The territory is closed, the regime is strict,” Nikitin wrote, using Russian
terms for a protected, secret government facility.

Nikitin did not reply to a request for comment.

Maria Christoph from Paper Trail Media contributed to this report.

Craig Timberg is The Post’s senior editor for collaborative investigations and a
former technology reporter. Ellen Nakashima is a Post national security reporter
who has written about cybersecurity and intelligence issues. Hannes Munzinger
and Hakan Tanriverdi are senior investigative reporters for Paper Trail Media,
based in Munich. Munzinger received the document trove and had initial
conversations with the source while working for his previous employer,
Süddeutsche Zeitung.


ABOUT THE VULKAN FILES

This investigation was a collaboration among journalists from eight countries
working at 11 news organizations, including The Washington Post. Leading the
project were Paper Trail Media and Der Spiegel in Germany. Also participating
from that country were Süddeutsche Zeitung and ZDF. Other partners include the
Guardian in Britain, Le Monde in France, Tamedia in Switzerland, the Danish
Broadcasting Corporation in Denmark, Der Standard in Austria and iStories, a
news site covering Russia that is based in Latvia.

Editing by Ben Pauker. Copy editing by Gilbert Dunkley.

