An unremarkable office is located in a suburb in the north-eastern part of Moscow. On the board it says: Business center. Nearby are modern apartment blocks and an old cemetery with ivy-covered war memorials. The army of Peter the Great used to practice in that area.
Inside the six-story building, a new generation is helping Russia's military operations. Its weapons are more advanced than those of Peter the Great: not spears and halberds, but tools for hacking and disseminating disinformation.
The software engineers behind these systems are employed by NTC Vulkan. At first glance, it looks like an ordinary cybersecurity consulting firm. However, leaked secret documents from the company exposed its work to strengthen Vladimir Putin's cyber warfare capabilities.
Thousands of pages of classified documents reveal how Vulkan engineers worked for Russian military and intelligence agencies, supporting hacking operations, training operatives before attacks on state infrastructure, spreading disinformation and controlling parts of the Internet.
The company's work is linked to the Federal Security Service (FSB), the domestic spy agency, the armed forces' operational and intelligence departments, known as GOU and GRU, and the SVR, Russia's foreign intelligence agency.
One document links Vulkan's cyberattack tool to the infamous Sandworm hacking group, which the US government claims has caused two blackouts in Ukraine, disrupted the Olympics in South Korea and launched NotPetya, the most economically destructive malware in history. Codenamed Scan-V, it scours the Internet for vulnerabilities, which are later used in future cyberattacks.
Another system, known as Amezit, is a plan to monitor and control the Internet in regions under Russian control and also enables the spread of disinformation through fake social media profiles.
Vulkan's third system, Crystal-2V, is a program to train cyber operatives in the methods needed to take down rail, air and naval infrastructure. The document about that software states: "The degree of secrecy of the processed and stored data in the product is 'top secret'."
The Vulkan files, which date from 2016 to 2021, were leaked to the media by an anonymous whistleblower angry about Russia's war in Ukraine. Such data leaks are extremely rare in Moscow. In the days after the invasion in February last year, a source approached the German newspaper Süddeutsche Zeitung and said that the GRU and the FSB were "hiding behind" Vulkan.
"People should know how dangerous this is," said the whistleblower. "Due to the events in Ukraine, I decided to publish this information. The company is doing bad things and the Russian government is behaving wrongly and cowardly. I am angry about the invasion of Ukraine and the horrible things that are happening there. I hope you can use this information to show what goes on behind closed doors."
The source later shared the data and further information with the Munich-based research startup Paper Trail Media. For months, journalists from 11 media outlets, including The Guardian, The Washington Post and Le Monde, reviewed the documents in a consortium led by Paper Trail Media and Der Spiegel.
Five Western intelligence agencies have confirmed that the Vulkan documents appear authentic. The Kremlin and the company did not respond to requests for comment.
Among the leaked files are emails, internal documents, project plans, budgets and contracts. They provide insight into the Kremlin's efforts in the cyber world as it wages a brutal war in Ukraine. It is not known for certain whether the means designed by Vulkan were used for attacks in the real world, in Ukraine or elsewhere.
However, Russian hackers are known to have repeatedly targeted Ukrainian computer networks, and that campaign continues. Since the invasion last year, Moscow's missiles have hit Kiev and other cities, destroying key infrastructure and leaving the country in darkness.
Analysts say Russia is also waging an ongoing conflict with the West, which it views as an enemy, including the US, UK, EU, Canada, Australia and New Zealand, all of which have developed covert cyber offensive capabilities in a digital arms race.
Some files also contain what appear to be graphic examples of potential targets. One contains a dot map across the US. Another contains details of a nuclear power plant in Switzerland.
One document shows that engineers recommended Russia boost its capabilities using hacking tools stolen from the US National Security Agency in 2016 and posted online.
John Hultquist, vice president of intelligence analysis at the cybersecurity company Mandiant, which reviewed part of the material at the request of the research consortium, said: "These documents indicate that Russia views attacks on key civilian infrastructure and manipulation of social networks as the same mission, which is an essential attack on the enemy's will to fight."
What is Vulkan?
Vulkan's CEO, Anton Markov, is a middle-aged man with a short haircut and dark circles under his eyes. Markov founded Vulkan in 2010 with Alexander Irzhavsky. Both graduated from the St. Petersburg Military Academy and served in the army, rising to the ranks of captain and major. "They had good contacts in that direction," said one former employee.
The company is part of the Russian military-industrial complex. This shadowy world includes spy agencies, commercial firms and higher education institutions. Specialists such as programmers and engineers move from one branch to another, and covert state actors rely heavily on private sector expertise.
Vulkan was founded at a time when Russia was rapidly expanding its cyber capabilities. Traditionally, the FSB has been at the forefront of cyber activities. In 2012, Vladimir Putin appointed the ambitious and energetic Sergei Shoigu as Minister of Defense. Shoigu wanted his own cybertroops, which would answer directly to him.
Since 2011, Vulkan has received special government permits to work on classified military projects and state secrets. It is a mid-sized technology company with over 120 employees - 60 of whom are software developers.
Vulkan's corporate culture is more like that of Silicon Valley than a spy agency. Employees have their own soccer team, motivational emails are sent with fitness tips, and employee birthday parties are organized. They even have a slogan, "Making the world a better place", which appears in the promotional video.
Vulkan claims that its specialty is "information security"; officially its clients are large Russian state companies, among them Sberbank, the airline Aeroflot and Russian Railways. "The job was fun. We used the latest technologies," one former employee told The Guardian. "People were really smart. The salary was good, well above average."
In addition to technical expertise, such generous salaries also demanded discretion. Some employees graduated from the Bauman Moscow State Technical University, which has a long history of producing personnel for the Ministry of Defense. Work is organized on the principles of strict operational secrecy, and employees are never told what is being done in other departments.
Based on the leaked documents, it can be concluded that the company's culture is patriotic. On New Year's Eve 2019, an employee created a cheerful file in Microsoft Excel with Soviet military music and a picture of a bear. Next to it was written: "APT Magma Bear". This was an allusion to Russian state hacking groups like Cozy Bear and Fancy Bear, and seems to point to Vulkan's covert activities.
Five months later, Markov reminded his employees of Victory Day, when the victory of the Red Army over Nazi Germany in 1945 is celebrated. "This is a significant event in the history of our country," he told the employees. "I grew up watching war movies and was lucky enough to talk to veterans and hear their stories. Those people gave their lives for us, so that we could live in Russia."
One of Vulkan's most far-reaching projects was carried out with the blessing of the Kremlin's most notorious cyberwarrior unit, known as Sandworm. Over the past decade, Sandworm has been responsible for hacking operations of staggering proportions, according to Russian prosecutors and Western governments. They have carried out numerous malicious activities: political manipulation, cyber sabotage, interference in elections, intrusions into emails and publishing of data.
Sandworm disabled Ukraine's power grid in 2015. The following year, it participated in a brazen operation to influence the US presidential election. Two operatives of the group have been charged with distributing emails stolen from Democrat Hillary Clinton using a fake profile, Guccifer 2.0.
Then in 2017, Sandworm stole additional data in an attempt to influence the outcome of the French presidential election, according to the US.
That same year, the unit carried out a cyberattack with the biggest consequences in history. The operatives used the NotPetya malware. Starting in Ukraine, NotPetya quickly spread around the world. It brought down the networks of shipping companies, hospitals, postal systems and pharmaceutical companies - a digital massacre that spilled from the virtual to the physical world.
The Vulkan documents shed light on some of the digital machinery that could play a role in a future Sandworm attack.
A system built for attacks
Sandworm is a special unit within the GRU's "main center for special technologies". Its unit number, 74455, appears in the Vulkan files on an "approval page" of a technical document. That document describes a "data exchange protocol" between an apparently pre-existing military database containing intelligence on software and hardware weaknesses and the new system Vulkan was supposed to build: Scan-V.
Hacking groups like Sandworm penetrate computer systems by first looking for weak points. Scan-V supports that process, performing automated reconnaissance of potential targets around the world for potentially vulnerable servers and network devices. The intelligence is then stored in a data repository, giving hackers an automated means of identifying targets.
Gabby Roncone, another expert at the cybersecurity company Mandiant, compared it to scenes from old military movies where people put "artillery and troops on a map. They want to understand where the enemy tanks are and where they should strike first to break through the enemy lines," she said.
The Scan project was commissioned in May 2018 by the Institute of Engineering Physics, a research facility in the Moscow region closely associated with the GRU. All details were confidential. It is unclear whether Sandworm was intended to be a user of the system, but in May 2020 a team from Vulkan visited a military facility in Khimki, the same city near Moscow where the hacking unit is based, to test the Scan system.
"Scan was definitely made for offensive purposes. It fits well into the organizational structure and strategic approach of the GRU," said one analyst after reviewing the documents. "You don't often find network diagrams like this. It's really very complicated stuff."
The leaked files do not contain any Russian malicious code, or malware, of the kind used in hacking operations. However, a Google analyst said that in 2012 the tech firm linked Vulkan to an operation involving malware known as MiniDuke. The SVR, Russia's foreign intelligence agency, used MiniDuke in data theft attempts. The leaks show that a secret part of the SVR, military unit 33949, contracted Vulkan to work on multiple projects.
Internet control, surveillance and disinformation
In 2018, a team of Vulkan employees traveled south to attend official testing of a program that enables Internet control, surveillance and disinformation. The meeting was held at the Radio Research Institute in Rostov-on-Don, which is affiliated with the FSB. Vulkan was hired in 2016 to help create a new system, called Amezit, which the files also linked to the Russian military.
"A lot of people worked for Amezit. Money and time have been invested. Other companies were also involved, possibly because the project was so big and important," recalled one former employee.
The documents show that Vulkan engineers were developing Amezit until 2021, with plans for further development in 2022.
One part of Amezit is inward-facing, allowing operatives to seize control of the Internet if unrest breaks out in a Russian region, or if the country asserts control over territory in a rival state, such as Ukraine. Internet traffic deemed politically harmful can be removed before it has a chance to spread.
A 387-page internal document explains how Amezit works. The military needs physical access to hardware, such as mobile phone towers and wireless communications equipment. Once they establish control over the transmission path, the traffic can be intercepted. Military spies can identify people browsing the web, see what they access online, and monitor the information users share.
Since the invasion last year, Russia has been arresting anti-war protesters and passing criminal laws to prevent public criticism of what Putin calls a "special military operation." The Vulkan files contain documents related to an FSB operation to monitor the use of social networks in Russia on a massive scale, using semantic analysis to spot "hostile" content.
According to a source familiar with Vulkan's work, the firm created a data collection program called Fraction for the FSB. It combs networks such as Facebook and the Russian equivalent Odnoklassniki, looking for keywords. The goal is to identify potential opposition figures from open-source data.
Vulkan staff regularly visited the FSB's Information Security Center in Moscow, the agency's cyber unit, to consult on the secret program. That building is located next to the FSB's Lubyanka headquarters and a bookstore. Leaked information shows that the spies of that unit were nicknamed "book lovers".
The development of these secret programs speaks to the paranoia at the heart of the Russian leadership, which fears street protests and revolutions like those in Ukraine, Georgia, Kyrgyzstan and Kazakhstan. Moscow considers the Internet a key weapon in maintaining order. At home, Putin has eliminated his opponents: dissidents have been detained, and critics like Alexei Navalny have been poisoned and imprisoned.
The question remains whether Amezit systems are used in occupied Ukraine. In 2014, Russia secretly captured the eastern cities of Donetsk and Luhansk. Since last year, it has gained additional territory and cut off internet and mobile services in the Ukrainian areas it controls. Ukrainian citizens were forced to connect through telecommunications providers in Crimea, with SIM cards distributed in "filtration" camps run by the FSB.
However, journalists were able to trace real-world activity to fake social media accounts linked to Vulkan through an Amezit subsystem codenamed PRR.
Tools for automated domestic propaganda
The Kremlin was already known to be using its disinformation factory, the St. Petersburg-based Internet Research Agency, which was placed on the US sanctions list. Billionaire Yevgeny Prigozhin, a close ally of Putin, is behind the massive manipulation operation. The Vulkan files show how the Russian military hired a private contractor to build similar automated domestic propaganda tools.
This Amezit subsystem allows the Russian military to conduct large-scale covert disinformation operations on social media and across the Internet, by creating accounts that look like real people online, or avatars. The avatars have names and stolen personal photos, which are then cultivated for months to build a realistic digital footprint.
The leaked data contains images of fake Twitter accounts and hashtags used by the Russian military from 2014 until earlier this year. They spread misinformation, including conspiracy theories about Hillary Clinton and denials that Russian bombings in Syria killed civilians.
Another Amezit-related project developed by Vulkan is far more dangerous. Codenamed Crystal-2V, it is a training platform for Russian cyber operatives. Capable of simultaneous use by up to 30 trainees, it simulates attacks on a range of key national infrastructure targets: railway lines, power stations, airports, waterways, ports and industrial control systems.
A persistent security risk?
The intrusive and destructive nature of the tools Vulkan was hired to build raises difficult questions about the software developers working on these projects. Can they be described as cyber mercenaries? Or Russian spies? Some almost certainly are. Others may be just cogs in a larger machine, performing important engineering tasks for their country's cyber-military complex.
Until Russia's invasion of Ukraine in 2022, Vulkan staff openly traveled to Western Europe, attending IT and cybersecurity conferences, including a gathering in Sweden, to mingle with delegates from Western security firms.
Former Vulkan employees now live in Germany, Ireland and other EU countries. Some work for global technology corporations; two are at Amazon Web Services and Siemens. Siemens declined to comment on individual employees, but said it takes such matters "very seriously". Amazon said it has put in place "strict controls" and that protecting customer data is its "top priority".
It is not clear whether the former engineers now in the West pose a security risk and whether Western counterintelligence agencies have drawn attention to them. Most appear to have relatives in Russia, a vulnerability the FSB is known to have used to pressure Russian professionals abroad to cooperate.
A former official contacted by a reporter expressed regret for helping Russia's military and domestic spy agencies. "In the beginning, it was not clear what my work would be used for," he said. "Over time, I realized that I could not continue and that I did not want to support the regime. I was afraid that something would happen to me or that I would end up in prison."
There was also a huge risk for the anonymous whistleblower behind the Vulkan files. The Russian regime is known for persecuting those it considers traitors. In a brief conversation with a German journalist, the whistleblower said he was aware that giving sensitive information to foreign media was dangerous. But he took precautions that changed his life. He has, as he put it, left his previous life behind and now lives "as a ghost".
Prepared by: A. Šofranac; N. Bogetić