Apr 6: The Vulkan Files – what are they & why do we need to pay attention
By Luke Harding, Stiliyana Simeonova, Manisha Ganguly and Dan Sabbagh, as published in the Guardian on March 30, 2023
‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics
Along with the Team Jorge investigation, the Vulkan Files add to what is known about global cyber-warfare and Russia’s role in it. In this investigation, journalists from Der Spiegel, the Guardian and others unveil the world of elite Russian hackers, look inside their arsenal of cyber-weapons and reveal their strategy. Russian hackers target airports and power plants around the world, along with the internet itself; their activities reach directly into our lives. I’ll be posting parts of their investigations over the next few days.
What is Vulkan?
Vulkan’s chief executive, Anton Markov, is a man of middle years, with cropped hair and dark bags around the eyes. Markov founded Vulkan (meaning volcano in English) in 2010, with Alexander Irzhavsky. Both are graduates of St Petersburg’s military academy and have served with the army in the past, rising to captain and major respectively. “They had good contacts in that direction,” one former employee said.
The company is part of Russia’s military-industrial complex. This subterranean world encompasses spy agencies, commercial firms and higher education institutions. Specialists such as programmers and engineers move from one branch to another; secret state actors rely heavily on private sector expertise.
Vulkan launched at a time when Russia was rapidly expanding its cyber-capabilities. Traditionally, the FSB took the lead in cyber affairs. In 2012 Putin appointed the ambitious and energetic Sergei Shoigu as defence minister. Shoigu – who is in charge of Russia’s war in Ukraine – wanted his own cyber-troops, reporting directly to him.
From 2011 Vulkan received special government licences to work on classified military projects and state secrets. It is a mid-sized tech company, with more than 120 staff – about 60 of whom are software developers. It is not known how many private contractors are granted access to such sensitive projects in Russia, but some estimates suggest it is no more than about a dozen.
Vulkan’s corporate culture is more Silicon Valley than spy agency. It has a staff football team, and motivational emails with fitness tips and celebrations of employee birthdays. There is even an upbeat slogan: “Make the world a better place” appears in a glossy promotional video.
Vulkan says it specialises in “information security”; officially, its customers are big Russian state companies. They include Sberbank, the country’s largest bank; the national airline Aeroflot; and Russian railways. “The work was fun. We used the latest technologies,” said one former employee who eventually left after they grew disillusioned with the job. “The people were really clever. And the money was good, well above the usual rate.”
As well as technical expertise, those generous salaries bought the expectation of discretion. Some staff are graduates of Bauman Moscow State Technical University, which has a long history of feeding recruits to the defence ministry. Workflows are organised on principles of strict operational secrecy, with staff never being told what other departments are working on.
The firm’s ethos is patriotic, the leak suggests. On New Year’s Eve in 2019 an employee created a lighthearted Microsoft Excel file with Soviet military music and a picture of a bear. Alongside it were the words: “APT Magma Bear”. The reference is to Russian state hacking groups such as Cozy Bear and Fancy Bear, and appears to point to Vulkan’s own shadowy activities.
Five months later, Markov reminded his workers of Victory Day, a 9 May holiday celebrating the Red Army’s defeat of Nazi Germany in 1945. “This is a significant event in the history of our country,” he told staff. “I grew up on films about the war and had the good fortune to communicate with veterans and to listen to their stories. These people died for us, so we can live in Russia.”
One of Vulkan’s most far-reaching projects was carried out with the blessing of the Kremlin’s most infamous unit of cyberwarriors, known as Sandworm. According to US prosecutors and western governments, over the past decade Sandworm has been responsible for hacking operations on an astonishing scale. It has carried out numerous malign acts: political manipulation, cyber-sabotage, election interference, dumping of emails and leaking.
Sandworm disabled Ukraine’s power grid in 2015. The following year it took part in Russia’s brazen operation to derail the US presidential election. Two of its operatives were indicted for distributing emails stolen from Hillary Clinton’s Democrats using a fake persona, Guccifer 2.0. Then in 2017 Sandworm purloined further data in an attempt to influence the outcome of the French presidential vote, the US says.
That same year the unit unleashed the most consequential cyber-attack in history. Operatives used a bespoke piece of malware called NotPetya. Beginning in Ukraine, NotPetya rapidly spread across the globe. It knocked offline shipping firms, hospitals, postal systems and pharmaceutical manufacturers – a digital onslaught that spilled over from the virtual into the physical world.
The Vulkan files shed light on a piece of digital machinery that could play a part in the next attack unleashed by Sandworm.
A system ‘built for offensive purposes’
A special unit within the GRU’s “main centre for special technologies”, Sandworm is known internally by its field number 74455. This code appears in the Vulkan files as an “approval party” on a technical document. It describes a “data exchange protocol” between an apparently pre-existing military-run database containing intelligence about software and hardware weaknesses, and a new system that Vulkan had been commissioned to help build: Scan-V.
Hacking groups such as Sandworm penetrate computer systems by first looking for weak spots. Scan-V supports that process, conducting automated reconnaissance of potential targets around the world in a hunt for potentially vulnerable servers and network devices. The intelligence is then stored in a data repository, giving hackers an automated means of identifying targets.
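The mirror image of the reconnaissance the article describes is what a defender sees in their own firewall logs: one source address touching many distinct hosts and ports in a short window. The following script is an added example, not code from the original article or from the Vulkan files, and the log format, the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for illustration. It parses syslog-style deny/accept lines and flags sources whose distinct (destination, port) count inside a sliding time window crosses a threshold; it also carries a deliberately slow probe that a short window misses, to show why window length is a tuning decision rather than a constant.

```python
"""Flag reconnaissance sweeps in constructed firewall logs (added example).

A source that contacts many distinct (destination, port) pairs within a
short window looks like an automated scan. A slow scan spread over many
minutes evades a short window, so the window length is a parameter.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

# Constructed sample log. 203.0.113.7 is a fast sweep, 203.0.113.9 is a slow
# one (one probe every two minutes), 198.51.100.5 is an ordinary web client.
SAMPLE_LOG = """\
2023-05-02T10:00:01Z fw: SRC=203.0.113.7 DST=192.0.2.10 DPT=22 ACTION=DROP
2023-05-02T10:00:02Z fw: SRC=203.0.113.7 DST=192.0.2.10 DPT=80 ACTION=ACCEPT
2023-05-02T10:00:03Z fw: SRC=203.0.113.7 DST=192.0.2.10 DPT=443 ACTION=ACCEPT
2023-05-02T10:00:04Z fw: SRC=203.0.113.7 DST=192.0.2.11 DPT=22 ACTION=DROP
2023-05-02T10:00:05Z fw: SRC=203.0.113.7 DST=192.0.2.11 DPT=3389 ACTION=DROP
2023-05-02T10:00:06Z fw: SRC=203.0.113.7 DST=192.0.2.12 DPT=8080 ACTION=DROP
2023-05-02T10:00:07Z fw: SRC=203.0.113.7 DST=192.0.2.12 DPT=502 ACTION=DROP
2023-05-02T10:00:08Z fw: SRC=203.0.113.7 DST=192.0.2.13 DPT=23 ACTION=DROP
2023-05-02T10:00:09Z fw: SRC=198.51.100.5 DST=192.0.2.10 DPT=443 ACTION=ACCEPT
2023-05-02T10:00:15Z fw: SRC=198.51.100.5 DST=192.0.2.10 DPT=443 ACTION=ACCEPT
2023-05-02T10:00:30Z fw: SRC=198.51.100.5 DST=192.0.2.10 DPT=80 ACTION=ACCEPT
2023-05-02T10:01:00Z fw: SRC=203.0.113.9 DST=192.0.2.20 DPT=21 ACTION=DROP
2023-05-02T10:03:00Z fw: SRC=203.0.113.9 DST=192.0.2.20 DPT=22 ACTION=DROP
2023-05-02T10:05:00Z fw: SRC=203.0.113.9 DST=192.0.2.20 DPT=23 ACTION=DROP
2023-05-02T10:07:00Z fw: SRC=203.0.113.9 DST=192.0.2.20 DPT=25 ACTION=DROP
2023-05-02T10:09:00Z fw: SRC=203.0.113.9 DST=192.0.2.20 DPT=110 ACTION=DROP
2023-05-02T10:11:00Z fw: SRC=203.0.113.9 DST=192.0.2.20 DPT=143 ACTION=DROP
"""

# Assumed (constructed) line layout; adapt the pattern to the real device.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw: SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"DPT=(?P<dpt>\d+) ACTION=(?P<action>\w+)$"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dpt: int
    action: str


def parse_line(line: str) -> Event | None:
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m["src"], m["dst"], int(m["dpt"]), m["action"])


def find_sweeps(lines, window_seconds: int = 60, threshold: int = 5) -> dict[str, int]:
    """Return {source: peak distinct (dst, port) count} for sources at or
    above `threshold` within any `window_seconds` window."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev.src].append(ev)

    findings: dict[str, int] = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        best, start = 0, 0
        for end in range(len(events)):
            # Advance the window start until the span fits in window_seconds.
            while (events[end].ts - events[start].ts).total_seconds() > window_seconds:
                start += 1
            distinct = {(e.dst, e.dpt) for e in events[start:end + 1]}
            best = max(best, len(distinct))
        if best >= threshold:
            findings[src] = best
    return findings


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("60 s window:", find_sweeps(lines))
    print("15 min window:", find_sweeps(lines, window_seconds=900))
```

With the default 60-second window only the fast sweep is reported; widening the window to 15 minutes also catches the two-minute-interval probe, at the cost of more state per source and more false positives from chatty legitimate clients. Counting distinct destination/port pairs rather than raw packets is what keeps the ordinary web client below the threshold.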
Gabby Roncone, another expert with the cybersecurity company Mandiant, gave the analogy of scenes from old military movies where people place “their artillery and troops on the map. They want to understand where the enemy tanks are and where they need to strike first to break through the enemy lines,” she said.
The Scan project was commissioned in May 2018 by the Institute of Engineering Physics, a research facility in the Moscow region closely associated with the GRU. All details were classified. It is not clear whether Sandworm was an intended user of the system, but in May 2020 a team from Vulkan visited a military facility in Khimki, the same city on the outskirts of Moscow where the hacking unit is based, to test the Scan system.
“Scan is definitely built for offensive purposes. It fits comfortably into the organisational structure and the strategic approach of the GRU,” one analyst said after reviewing the documents. “You don’t find network diagrams and design documents like this very often. It really is very intricate stuff.”
The leaked files contain no information about Russian malicious code, or malware, used for hacking operations. But an analyst with Google said that in 2012 the tech firm linked Vulkan to an operation involving a malware known as MiniDuke. The SVR, Russia’s foreign intelligence agency, used MiniDuke in phishing campaigns. The leak shows that an undercover part of the SVR, military unit 33949, contracted Vulkan to work on multiple projects. The company codenamed its client “sanatorium” and “dispensary”.
Internet control, surveillance and disinformation
In 2018, a team of Vulkan employees travelled south to attend the official testing of a sweeping program enabling internet control, surveillance and disinformation. The meeting took place at the FSB-linked Rostov-on-Don Radio Research Institute. It subcontracted Vulkan to help in the creation of the new system, dubbed Amezit, which was also linked in the files to the Russian military.
“A lot of people worked on Amezit. Money and time was invested,” a former employee recalled. “Other companies were involved as well, possibly because the project was so big and important.”
Vulkan played a central role. It won an initial contract to build the Amezit system in 2016 but documents suggest parts of Amezit were still being improved by Vulkan engineers well into 2021, with plans for further development in 2022.
One part of Amezit is domestic-facing, allowing operatives to hijack and take control of the internet if unrest breaks out in a Russian region, or the country gains a stronghold over territory in a rival nation state, such as Ukraine. Internet traffic deemed to be politically harmful can be removed before it has a chance to spread.
A 387-page internal document explains how Amezit works. The military needs physical access to hardware, such as mobile phone towers, and to wireless communications. Once they control transmission, traffic can be intercepted. Military spies can identify people browsing the web, see what they are accessing online, and track information that users are sharing.
Since last year’s invasion, Russia has arrested anti-war protesters and passed punitive laws to prevent public criticism of what Putin calls a “special military operation”. The Vulkan files contain documents linked to an FSB operation to monitor social media usage inside Russia on a gigantic scale, using semantic analysis to spot “hostile” content.
According to a source familiar with Vulkan’s work, the firm developed a bulk collection program for the FSB called Fraction. It combs sites such as Facebook or Odnoklassniki – the Russian equivalent – looking for key words. The aim is to identify potential opposition figures from open source data.
Vulkan staff regularly visited the FSB’s information security centre in Moscow, the agency’s cyber-unit, to consult on the secret program. The building is next to the FSB’s Lubyanka headquarters and a bookshop; the leak reveals the unit’s spies were jokingly nicknamed “book-lovers”.
The development of these secret programs speaks to the paranoia at the heart of Russia’s leadership. It is terrified of street protests and revolution of the kind seen in Ukraine, Georgia, Kyrgyzstan and Kazakhstan. Moscow regards the internet as a crucial weapon in maintaining order. At home, Putin has eliminated his opponents. Dissidents have been locked up; critics such as Alexei Navalny poisoned and jailed.
It is an open question as to whether Amezit systems have been used in occupied Ukraine. In 2014 Russia covertly swallowed the eastern cities of Donetsk and Luhansk. Since last year, it has taken further territory and shut down Ukrainian internet and mobile services in areas it controls. Ukrainian citizens have been forced to connect via Crimea-based telecoms providers, with sim cards handed out in “filtration” camps run by the FSB.
However, reporters were able to track down real-world activity carried out by fake social media accounts linked to Vulkan as part of a sub-system of Amezit, codenamed PRR.
Tools for automated domestic propaganda
The Kremlin was already known to have made use of its disinformation factory, the St Petersburg-based Internet Research Agency, which has been put on the US sanctions list. The billionaire Yevgeny Prigozhin, Putin’s close ally, is behind the mass manipulation operation. The Vulkan files show how the Russian military hired a private contractor to build similar tools for automated domestic propaganda.
This Amezit sub-system allows the Russian military to carry out large-scale covert disinformation operations on social media and across the internet, through the creation of accounts that resemble real people online, or avatars. The avatars have names and stolen personal photos, which are then cultivated over months to curate a realistic digital footprint.
The leak contains screenshots of fake Twitter accounts and hashtags used by the Russian military from 2014 until earlier this year. They spread disinformation, including a conspiracy theory about Hillary Clinton and a denial that Russia’s bombing of Syria killed civilians. Following the invasion of Ukraine, one Vulkan-linked fake Twitter account posted: “Excellent leader #Putin”.
Another Vulkan-developed project linked to Amezit is far more threatening. Codenamed Crystal-2V, it is a training platform for Russian cyber-operatives. Capable of allowing simultaneous use by up to 30 trainees, it appears to simulate attacks against a range of essential national infrastructure targets: railway lines, electricity stations, airports, waterways, ports and industrial control systems.
An ongoing security risk?
The intrusive and destructive nature of the tools that Vulkan has been hired to build raises difficult questions for the software developers who have worked on these projects. Can they be described as cyber-mercenaries? Or Russian spies? Some almost certainly are. Others are perhaps mere cogs in a wider machine, performing important engineering tasks for their country’s cyber-military complex.
Until Russia’s invasion of Ukraine in 2022, Vulkan staff openly travelled to western Europe, visiting IT and cybersecurity conferences, including a gathering in Sweden, to mingle with delegates from western security firms.
Former Vulkan graduates now live in Germany, Ireland and other EU countries. Some work for global tech corporations. Two are at Amazon Web Services and Siemens. Siemens declined to comment on individual employees but said it took such questions “very seriously”. Amazon said it implemented “strict controls” and that protecting customer data was its “top priority”.
It is unclear if former Vulkan engineers now in the west pose a security risk, and whether they have come to the attention of western counter-intelligence agencies. Most, it would seem, have relatives back in Russia, a vulnerability known to have been used by the FSB to pressure Russian professionals abroad to collaborate.
Contacted by a reporter, one ex-staffer expressed regret at having helped Russia’s military and domestic spy agency. “To begin with it wasn’t clear what my work would be used for,” they said. “Over time I understood that I couldn’t carry on, and that I didn’t want to support the regime. I was afraid something would happen to me, or I would end up in jail.”
There were enormous risks, too, for the anonymous whistleblower behind the Vulkan files. The Russian regime is known for hunting down those it regards as traitors. In their brief exchange with a German journalist, the leaker said they were aware that giving sensitive information to foreign media was dangerous. But they had taken life-changing precautions. They had left their previous life behind, they said, and now existed “as a ghost”.