‘Vulcan files’ leak exposes Putin’s global and domestic cyberwarfare tactics – The Guardian

The inconspicuous office is located in the north-eastern suburbs of Moscow. A sign reads “Business Center”. Nearby are modern apartment blocks and a sprawling old cemetery with ivy-covered war memorials. Peter the Great once trained his mighty army in this area.

In the six-storey building, a new generation supports Russian military operations. Its weapons are more advanced than Peter the Great’s: not pikes and halberds, but hacking and disinformation tools.

The software engineers behind these systems are employees of NTC Vulkan. On the surface, it looks like an ordinary cybersecurity consultancy. However, a leak of the company’s secret files has exposed its work in support of Vladimir Putin’s cyberwarfare capabilities.

Thousands of pages of classified documents reveal how Vulkan engineers worked for Russian military and intelligence agencies to support hacking operations, train agents to attack national infrastructure, spread disinformation and control parts of the internet.

The company’s work is linked to the Federal Security Service or FSB, the domestic espionage agency; the operational and intelligence branches of the armed forces, known as the GOU and GRU; and the SVR, Russia’s foreign intelligence agency.

A diagram showing a Vulkan hacking reconnaissance system, codenamed Scan, in development since 2018.

A document links a Vulkan cyberattack tool to the notorious hacking group Sandworm, which the US government says has twice caused power outages in Ukraine, disrupted the South Korean Olympics, and launched NotPetya, the most economically destructive malware in history. Codenamed Scan-V, it scans the Internet for vulnerabilities, which are then stored for future cyberattacks.

Another system called Amezit is a blueprint for internet surveillance and control in regions under Russian command and also enables disinformation via fake social media profiles. A third system built by Vulkan – Crystal-2V – is a training program for cyber agents in the methods needed to bring down rail, air and sea infrastructure. A file explaining the software states: “The classification level of the information processed and stored in the product is ‘top secret’.”

The Vulkan files, which date from 2016 to 2021, were leaked by an anonymous whistleblower outraged by Russia’s war in Ukraine. Such leaks from Moscow are extremely rare. Days after the invasion in February last year, the source turned to the German newspaper Süddeutsche Zeitung and said the GRU and FSB are “hiding behind” Vulkan.

“People should know the dangers of this,” the whistleblower said. “Because of the events in Ukraine, I decided to publish this information. The company does bad things and the Russian government is cowardly and wrong. I am angry about the invasion of Ukraine and the terrible things that are happening there. I hope you can use this information to show what happens behind closed doors.”

The source later shared the data and more information with Munich-based investigative startup Paper Trail Media. For several months, journalists from eleven media outlets, including the Guardian, Washington Post and Le Monde, researched the files in a consortium led by Paper Trail Media and Der Spiegel.

Five Western intelligence agencies confirmed the Vulkan files appear to be authentic. The company and the Kremlin did not respond to multiple requests for comment.

The leak contains emails, internal documents, project plans, budgets and contracts. They offer a glimpse into the Kremlin’s far-reaching cyber efforts at a time when it is waging a brutal war against Ukraine. It is not known whether the tools created by Vulkan were used in real attacks in Ukraine or elsewhere.

But it is known that Russian hackers have repeatedly targeted Ukrainian computer networks, and that campaign continues. Since last year’s invasion, Moscow’s missiles have hit Kiev and other cities, destroying vital infrastructure and leaving the country in the dark.

Analysts say Russia is also locked in a constant conflict with what it perceives as its enemy, the West, including the US, UK, EU, Canada, Australia and New Zealand, all of which have developed their own classified offensive cyber capabilities in a digital arms race.

Some documents in the leak provide illustrative examples of potential targets. One contains a map with points in the USA. Another contains the details of a nuclear power plant in Switzerland.

A map of the US found in the leaked Vulkan files as part of the multi-faceted Amezit system.

A document shows engineers recommending Russia expand its own capabilities by using hacking tools stolen by the US National Security Agency and put online in 2016.

John Hultquist, the vice president of intelligence analysis at cybersecurity firm Mandiant, which reviewed a selection of the material at the consortium’s request, said: “These documents suggest that Russia views attacks on civilian critical infrastructure and social media manipulation as one and the same mission, which is essentially an attack on the enemy’s will to fight.”

What is Vulkan?

Vulkan CEO Anton Markov is a middle-aged man with close-cropped hair and dark bags around his eyes. Markov co-founded Vulkan (meaning volcano in English) with Alexander Irzhavsky in 2010. Both are graduates of the St. Petersburg Military Academy and have served in the army in the past, rising to the rank of captain and major respectively. “They had good contacts in this direction,” said a former employee.

Anton Markov, managing director of Vulkan. Photo: social media

The company is part of Russia’s military-industrial complex. This hidden world includes spy agencies, trading companies and higher education institutions. Specialists such as programmers and engineers move from one sector to another; secret state actors rely heavily on private sector expertise.

Vulkan launched at a time when Russia was rapidly expanding its cyber capabilities. Traditionally, the FSB has taken the lead in cyber affairs. In 2012, Putin appointed the ambitious and energetic Sergei Shoigu as defense minister. Shoigu – who is responsible for Russia’s war in Ukraine – wanted his own cyber troops, reporting directly to him.

From 2011, Vulkan received special government licenses to work on classified military projects and state secrets. It is a medium-sized technology company with more than 120 employees, about 60 of them software developers. It is not known how many private contractors are granted access to such sensitive projects in Russia, but some estimates put the number at no more than a dozen or so.

Vulkan’s corporate culture is more Silicon Valley than spy agency. It has a staff soccer team and sends motivational emails with fitness tips and staff birthday greetings. There is even a cheery tagline, “Make the world a better place”, that appears in a glossy promotional video.

Vulkan’s promotional video, which may feature actors or others unrelated to Vulkan

Vulkan says it specializes in “information security”; officially, its customers are large Russian state companies. These include Sberbank, the country’s largest bank; the national airline Aeroflot; and Russian Railways. “The work was fun. We used the latest technologies,” said a former employee who eventually left after becoming disillusioned with the job. “People were really smart. And the money was good, well above the usual rate.”

These generous salaries bought not only technical know-how but also the expectation of discretion. Some employees are graduates of Bauman Moscow State Technical University, which has long supplied recruits to the Ministry of Defense. Work is organized on strict need-to-know principles, with employees never told what other departments are working on.

The company’s ethos is patriotic, as the leak suggests. On New Year’s Eve 2019, an employee created a cheerful Microsoft Excel file with Soviet military music and a picture of a bear. Next to it were the words: “APT Magma Bear”. The reference is to Russian state hacking groups such as Cozy Bear and Fancy Bear and appears to point to Vulkan’s own shady activities.

Five months later, Markov reminded his workers of Victory Day, a May 9 holiday celebrating the Red Army’s victory over Nazi Germany in 1945. “This is a significant event in the history of our country,” he told staff. “I grew up watching films about the war and was fortunate to communicate with veterans and hear their stories. These people died for us so that we could live in Russia.”

One of Vulkan’s most far-reaching projects was carried out with the blessing of the Kremlin’s most notorious unit of cyber warriors, known as Sandworm. According to US prosecutors and western governments, Sandworm has been responsible for hacking operations on a staggering scale over the past decade. It has performed numerous malicious acts: political manipulation, cybersabotage, election interference, email dumping and leaking.

Sandworm paralyzed Ukraine’s power grid in 2015. The following year, it took part in Russia’s brazen operation to disrupt the US presidential election. Two of its agents have been charged with distributing emails stolen from Hillary Clinton’s Democrats using a fake persona, Guccifer 2.0. Then, in 2017, Sandworm stole more data to influence the outcome of the French presidential election, the US says.

In the same year, the unit unleashed the most consequential cyber attack in history. The agents used custom malware called NotPetya. NotPetya started in Ukraine and quickly spread all over the world. Offline mail order companies, hospitals, postal systems and pharmaceutical manufacturers were hit – a digital onslaught that spilled from the virtual to the physical world.

The Vulkan files shed light on a digital machinery that could play a role in Sandworm’s next attack.

An FBI wanted poster for six members of the GRU believed to work for Sandworm. Photo: FBI

A system “built for offensive purposes”

Sandworm, a special unit within the GRU’s “Main Center for Special Technologies”, is known internally by field number 74455. This code appears in the Vulkan files as the “Approval Party” on a technical document. It describes a “data exchange protocol” between what appears to be a pre-existing military-run database containing information about software and hardware vulnerabilities, and a new system Vulkan was commissioned to build: Scan-V.

Hacker groups like Sandworm break into computer systems by first looking for vulnerabilities. Scan-V supports this process by conducting automated reconnaissance of potential targets around the world in search of potentially compromised servers and network devices. The information is then stored in a data store, giving hackers an automated means of identifying targets.

Gabby Roncone, another expert at cybersecurity firm Mandiant, pointed to scenes from old military films where people “place their artillery and troops on the map. They want to understand where enemy tanks are and where to strike first to break through enemy lines,” she said.

The Scan project was commissioned in May 2018 by the Institute of Engineering Physics, a research institution in the Moscow region closely associated with the GRU. All details have been classified. It is not clear whether Sandworm was an intended user of the system, but in May 2020 a team from Vulkan visited a military facility in Khimki, the same town on the outskirts of Moscow where the hacking unit is based, to test the scanning system.


“Scan is definitely built for offensive purposes. It fits well with the organizational structure and strategic approach of the GRU,” said an analyst after reviewing the documents. “You don’t find network diagrams and design documents like this very often. It’s really very complicated stuff.”

The leaked files do not contain any information about Russian malicious code or malware used for hacking operations. However, a Google analyst said that in 2012 the tech company linked Vulkan to an operation involving malware known as MiniDuke. The SVR, Russia’s foreign intelligence service, used MiniDuke in phishing campaigns. The leak reveals that an undercover part of the SVR, military unit 33949, hired Vulkan to work on several projects. The company called its customers “sanatorium” and “pharmacy”.

Internet control, surveillance and disinformation

In 2018, a team of Vulkan employees traveled south to participate in the official testing of a comprehensive program enabling internet control, surveillance, and disinformation. The meeting took place at the Rostov-on-Don Radio Research Institute affiliated with the FSB. It hired Vulkan to help create the new system called Amezit, which the files also linked to the Russian military.

A screenshot of Amezit showing fake accounts created by Vulkan to mimic real social media profiles.

“A lot of people worked on Amezit. Money and time were invested,” recalls a former employee. “Other companies were also involved, possibly because the project was so big and important.”

Vulkan played a central role in this. It received an initial contract to build the Amezit system in 2016, but documents suggest portions of Amezit continued to be improved by Vulkan engineers well into 2021, with plans for further development in 2022.

A portion of Amezit faces inland, allowing agents to hijack and seize control of the internet if unrest erupts in a Russian region or if Russia gains a foothold in the territory of a rival nation-state such as Ukraine. Internet traffic deemed politically harmful can be removed before it can spread.

A 387-page internal document explains how Amezit works. The military requires physical access to hardware such as cell towers and wireless communications. Once they control the transmission, traffic can be intercepted. Military spies can identify people surfing the Internet, see what they access online, and track information users share.

Since last year’s invasion, Russia has arrested anti-war protesters and enacted criminal laws to deter public criticism of what Putin calls a “special military operation.” The Vulkan files contain documents related to an FSB operation to monitor social media usage inside Russia on a massive scale, using semantic analysis to detect “hostile” content.

According to a source familiar with Vulkan’s work, the company has developed a collection program for the FSB called Fraction. It combs through sites like Facebook or Odnoklassniki – the Russian equivalent – looking for keywords. The aim is to identify potential opponents from open source data.

Vulkan employees regularly visited the FSB’s Moscow Information Security Center, the agency’s cyber unit, to consult on the classified program. The building is next to the FSB’s Lubyanka headquarters and a bookstore; the leak reveals that the unit’s spies were jokingly called “book lovers”.

The development of these secret programs speaks to the paranoia at the heart of the Russian leadership. It fears street protests and revolutions like those seen in Ukraine, Georgia, Kyrgyzstan and Kazakhstan. Moscow sees the internet as a crucial weapon in maintaining order. At home, Putin has eliminated his opponents: dissidents have been imprisoned, and critics like Alexei Navalny poisoned and jailed.

It is an open question whether Amezit systems were used in occupied Ukraine. In 2014, Russia secretly swallowed the eastern cities of Donetsk and Luhansk. Since last year, it has seized further territory, shutting down Ukrainian internet and mobile services in areas under its control. Ukrainian citizens were forced to connect through Crimea-based telecom providers, with SIM cards distributed at FSB-run “filtration camps”.

However, reporters were able to identify real activity conducted by fake social media accounts linked to Vulkan as part of a subsystem of Amezit codenamed PRR.

The Kremlin was already known to have used its disinformation factory, the St. Petersburg-based Internet Research Agency, which was placed on the US sanctions list. Behind the mass manipulation is billionaire Yevgeny Prigozhin, Putin’s close ally. The Vulkan files show how the Russian military hired a private contractor to build similar tools for automated domestic propaganda.

This Amezit subsystem allows the Russian military to conduct large-scale covert disinformation operations on social media and the internet by creating accounts that resemble real people online, known as avatars. The avatars have names and stolen personal photos, which are then cultivated over months to curate a realistic digital footprint.

The leak includes screenshots of fake Twitter accounts and hashtags used by the Russian military from 2014 until earlier this year. They spread disinformation, including a conspiracy theory about Hillary Clinton and a denial that Russia’s bombing killed Syrian civilians. After the invasion of Ukraine, a fake Twitter account linked to Vulkan posted: “Excellent leader #Putin”.

A tweet from a fake social media account linked to Vulkan.

Another project developed by Vulkan, related to Amezit, is far more menacing. Codenamed Crystal-2V, it is a training platform for Russian cyber agents. It can be used by up to 30 trainees at a time and appears to simulate attacks on a number of key national infrastructure targets: railways, power stations, airports, waterways, ports and industrial control systems.

An ongoing security risk?

The intrusive and destructive nature of the tools Vulkan was commissioned to create raises difficult questions for the software developers who worked on these projects. Can they be called cyber mercenaries? Or Russian spies? Some almost certainly are. Others may be mere cogs in a larger machine, performing critical engineering tasks for their country’s cyber-military complex.

Until Russia invaded Ukraine in 2022, Vulkan employees openly traveled to Western Europe and attended IT and cybersecurity conferences, including a gathering in Sweden, to meet with delegates from Western security firms.

Former Vulkan employees now live in Germany, Ireland and other EU countries. Some work for global technology companies. Two are at Amazon Web Services and Siemens. Siemens declined to comment on individual employees, but said it takes such questions “very seriously”. Amazon said it has implemented “strict controls” and that protecting customer data is its “top priority”.

It is unclear whether former Vulkan engineers now pose a security risk in the West, and whether they have caught the attention of Western counterintelligence agencies. Most, it appears, have relatives in Russia, a weakness known to have been used by the FSB to pressure Russian professionals abroad to cooperate.

Contacted by a reporter, a former employee expressed regret for helping Russia’s military and domestic espionage. “In the beginning it wasn’t clear what my work would be used for,” they said. “As time went by, I realized that I couldn’t continue and that I didn’t want to support the regime. I was afraid that something would happen to me or that I would end up in prison.”

There were also enormous risks for the anonymous whistleblower behind the Vulkan files. The Russian regime is known for hunting down those it deems traitors. In their brief exchange with a German journalist, the leaker said they were aware that sharing sensitive information with foreign media was dangerous. But they had taken life-changing precautions. They had left their previous life behind, they said, and now existed “as a ghost”.