“Vulkan Files”: Behind the scenes of Putin’s cyberwar

A leak of secret documents reveals how employees of Moscow-based company Vulkan support hacking operations for the Russian military and secret services.

The so-called “Vulkan Files” provide new insights into the cyber warfare of Russian President Vladimir Putin. A whistleblower who wants to remain anonymous has provided the Süddeutsche Zeitung (SZ) with thousands of pages of secret documents from the Moscow IT company NTC Vulkan. Journalists from the SZ evaluated the papers together with colleagues from the “Spiegel”, ZDF Frontal, the Austrian “Standard”, the British Guardian, and the Washington Post. They reveal that Vulkan employees have been working for the Russian military and intelligence services on joint hacking operations, training agents on how to attack critical infrastructure, and spreading disinformation. The supported cyberwar campaigns were also aimed at controlling and censoring parts of the Internet.

According to ZDF, the documents, dating from 2016 to 2021, show that Russia intends to strike online worldwide. Externally, Vulkan presents itself as a harmless company that develops software and promotes IT security. In fact, the company, run by Anton Markov, a graduate of the St. Petersburg Military Academy, also works for the Russian military intelligence agency GRU, the domestic intelligence agency FSB, and the foreign intelligence agency SWR.

Swiss nuclear power plants in training documents

Part of the “Vulkan Files” are training documents for the commissioned programs. These cover topics such as “Shutting down control systems of rail, air and sea transport” and “Disrupting energy companies and critical infrastructure”, as well as identifying weak points in these areas in order to be able to attack them.

According to the “Standard”, a diagram from the documents depicts the Mühleberg nuclear power plant in Switzerland, which has since been shut down. Experts had previously discovered security gaps at precisely this plant. The Swiss Ministry of Foreign Affairs is also mentioned in the documents, and a marker indicates the area where the Ukrainian embassy in Bern is located. The newspaper writes that this is probably only a placeholder for now. However, such placeholders are likely to resemble real targets, especially since attacks on train lines, airports, and other important infrastructure are mentioned elsewhere in the documents.

Connection to Sandworm

A key Vulkan product is Skan-W, also known as Scan-W. It is supposed to be able to scan the Internet for vulnerabilities that attackers can use to penetrate external servers and cause damage. According to the Guardian, this tool is linked to the notorious Sandworm hacking group, which the US government says twice caused power outages in Ukraine and disrupted the Olympics in South Korea. With NotPetya, GRU “Unit 74455”, which the articles identify as the unit behind Sandworm, is said to have released the most economically damaging malware in history.

Western security researchers had already pointed out that the cyber attack on the US provider Viasat and its KA-Sat satellite internet network in February 2022, which took place in parallel with Russia’s armed attack on Ukraine, was carried out with wiper malware. Known as “AcidRain”, the destructive program that disabled tens of thousands of broadband modems worldwide is said to share similarities with a plug-in of the VPNFilter botnet malware attributed to the Sandworm cluster. The Kremlin officially denies responsibility for such attacks. The Vulkan Files now reveal the connections to a large extent, for example via accounts bearing the names of the operations and malware.

Internet monitoring blueprint

Another system emerging from the documents, dubbed Amezit (Amesit), is a blueprint for Internet surveillance and control in regions under Russian command. This means that entire regions could be cut off from the free Internet, writes the SZ. It also enables the mass spread of disinformation via fake profiles on social media.

Crystal-2V is a training program for cyber operators, teaching them the methods needed to shut down rail, air, and maritime infrastructure. A file explaining the software states: “The security level of the information processed and stored in the product is ‘Top Secret’.” Other programs developed by Vulkan go by names such as Fraction, which monitors dissidents, or Edison.

Hundreds of cyber weapons

Evidence of these software projects can be found in more than 17,000 payment transactions. According to these records, Vulkan received installment payments totalling several million euros, with the names of the programs appearing in the payment references. The payments were reportedly directed via institutes closely linked to intelligence agencies and the military. There are also close contacts with the large Moscow universities: Vulkan specifically recruits young talent among graduates, and company representatives held a course at Lomonosov University on how to infiltrate social networks.

Konstantin von Notz, deputy leader of the Greens in the Bundestag and chairman of the parliamentary control body responsible for the secret services, assumes that “hundreds of such cyber weapons” are currently being developed. “These examples and also many incidents in recent years make it clear that there is a real danger from cyberspace for the critical infrastructure in Germany,” he fears. Vulkan is said to be just one of more than 30 Russian companies competing for lucrative government contracts for cyber warfare.

