'Vulkan files': Leaked papers reveal Russia's cyberwarfare strategies

The "5,000-page document" anonymous source disappeared "like a ghost" for security reasons.
Baba Tamim
Stock photo: Hooded hackers.


Russia has reportedly worked with the Moscow-based defense contractor NTC Vulkan to conduct cyberattacks and disseminate misinformation.

According to media reports on Thursday, the leaked documents describe several programs and databases that would enable Russian intelligence agencies and hacking organizations to identify security flaws, plan attacks, and manipulate online activity.

"People should know the dangers of this," said the whistleblower who leaked the documents. 

"Because of the events in Ukraine, I decided to make this information public. The company is doing bad things, and the Russian government is cowardly and wrong." 

"I am angry about the invasion of Ukraine and the terrible things that are happening there. I hope you can use this information to show what is happening behind closed doors," added the source. 

Among the programs cited were tools for spreading misinformation on social media and remote training for interfering with the systems that regulate rail, aviation, and sea traffic.

The source of the leaked documents is unknown, but reports say they were provided to a German reporter in the aftermath of Russia's attack on Ukraine.

The source later shared the data and additional information with the Munich-based investigative startup Paper Trail Media.

Journalists from 11 media organizations, including The Guardian, Washington Post, and Le Monde, have been looking into the data for several months as part of a group organized by Paper Trail Media and Der Spiegel.

The hacking target included a nuclear power plant

The records provide a unique look at the covert business dealings of Russia's military and intelligence services, including producing software for the infamous elite hacking group Sandworm.

Sandworm is accused of being responsible for power outages in Ukraine, interference with the 2018 Winter Olympics Opening Ceremony, and the release of NotPetya, the most destructive malware in history. 

Although representatives of five Western intelligence agencies and a number of independent cybersecurity firms say they believe the documents are authentic, there is no concrete proof that the systems have been deployed by Russia or used in particular intrusions, according to the Washington Post report.

The leaked documents, though, disclose payments made for work carried out by Vulkan for numerous research institutes, including Russian intelligence services.

The documents, which span the years 2016 to 2021 and include instructions, technical specifications, internal company correspondence, financial records, and contracts, demonstrate the breadth of the work that Moscow outsourced.

According to WP, NTC Vulkan created software for Russia, including applications that generate phony social media profiles as well as apps that can find and compile lists of vulnerabilities in computer systems around the world that could be exploited.

Additionally, the documents describe interfaces for several projects, such as Amezit and Skan, that identify potential hacking targets, including the Swiss Foreign Ministry and a nuclear power plant.

The documents talk about "a user scenario," in which a hacker team would locate vulnerable routers in North Korea in order to launch a cyberattack. 

"These documents suggest that Russia sees attacks on civilian critical infrastructure and social media manipulation as one and the same mission, which is essentially an attack on the enemy's will to fight," said John Hultquist, vice president of intelligence analysis at the cybersecurity company Mandiant, which reviewed some of the material at the consortium's request.

Although Vulkan did not respond to requests for comment from the Washington Post, the documents provide insight into the goals of a Russian state that, like other major powers such as the United States, is eager to grow and improve its ability to conduct cyberattacks at large scale and high speed.

The anonymous source of the "5,000-page document," according to The Guardian report, was speaking with the reporter via an encrypted chat app and declined to give their name, claiming that they needed to disappear "like a ghost" for security reasons.
