In the first part of this series, Strike Source delves into the explosive disclosure of a collaboration between Russian intelligence agencies and the Moscow-based defense contractor NTC Vulkan. We have learned that Vulkan plays a central role in Moscow’s cyber warfare endeavours, this partnership pre-dating the Russian invasion of Ukraine.
Our exploration is driven by a vast collection of leaked documents, shining a bright light on the shadowy operations conducted by Vulkan at the behest of the Kremlin. These files paint the picture of a web of sophisticated cyber threats, ranging from orchestrated cyberattacks to widespread internet surveillance, with the potential to destabilize global cybersecurity.
At the same time, we look at the role private entities like Vulkan play in state-backed cyber warfare, providing insights into the ways in which these firms operate and their contribution to disruptive state-sponsored cyber activities. In a time where cyber warfare is rising, governments and their state security agencies are no longer the sole actors, with third-parties and contractors of all stripes becoming integral players in the global cybersecurity landscape.
The alarm bells about this collaboration rang as these documents were anonymously leaked to a German reporter. The whistleblower, likely a Vulkan employee outraged by Russia’s attack on Ukraine, brought to light the extent of the collaboration and the significant threat it posed.
This leak has provided the global community with a stark insight into the mechanics of state-sponsored cyberwarfare and the role of private contractors in aiding and abetting these activities. As we continue to depend more on digital infrastructure, understanding the depth and implications of such collaborations becomes crucial in securing our cyber frontiers.
Who is Vulkan?
The leaks have cast NTC Vulkan as a central player in the Kremlin’s cyber warfare endeavours. At the same time, with the Western media rightfully focused on the leaks’ contents, little seems to have been discussed about who and what NTC Vulkan is.
For all intents and purposes, Vulkan comes across as a typical cybersecurity and IT consulting firm. Services offered by Vulkan mirror those offered by run-of-the-mill cybersecurity consultants, including penetration testing, risk assessments against recognized cybersecurity frameworks, and cybersecurity roadmaps.
Articles from the Western press point to a startup-like working culture that would not be out of place at a Silicon Valley tech hub. Vulkan’s sophistication is supplemented by the organization casting itself as a focal point for cybersecurity expertise—its prefixed acronym does not refer to its incorporation, but to an educational and technical center (Научно-Технический Центр).
This IT shop located in Moscow’s northeastern suburbs, with all the appearances of a regular consultancy, surprisingly happens to be the Kremlin’s outsourced iron hand for cyberwarfare initiatives. Ostensibly a contractor, NTC Vulkan has been supplying the frontlines with weapons for Russian cyberwarfare and disinformation efforts well before Russia’s troops set foot into Ukraine proper.
Contractors and Cyberwarfare
In the world of cyberwarfare, contractors like Vulkan don’t just serve as supporting characters—they take on starring roles. Their importance is particularly pronounced in Russia’s strategy, with their military intelligence agency, known as the GRU, relying heavily on the technical expertise and innovative solutions provided by these private firms.
Vulkan is one such private firm that has been center stage. The leaked documents reveal the company as a crucial collaborator in solidifying Russia’s cyber capabilities. By designing tailored software and providing advanced technical services, Vulkan effectively arms Russia’s intelligence agencies with the tools needed to conduct sophisticated cyberattacks and surveillance.
Their role in war efforts is nothing new, fingered as the creators of MiniDuke malware which was spotted in 2010, Vulkan has had a long and prosperous relationship with the Russian intelligence agencies. MiniDuke was used relentlessly in attacking Ukrainian institutions during the invasion of Crimea and the subsequent attacks against Ukraine. It is entirely possible, and likely, given the development and testing time as well as Russian bureaucracy that this relationship dates back to as early as 2008 when APT 29 first arrived on the scene.
But Vulkan isn’t alone. In the shadows of this digital underground, there are dozens of similar firms known to supply cyber capabilities to Russian security services. This vast network of contractors, often posing as cybersecurity firms, significantly amplifies the reach and impact of Russian cyber operations. The extensive involvement of private contractors in Russia’s cyber warfare emphasizes a pivotal yet often overlooked aspect of global cybersecurity.
These entities not only fuel the technology that drives cyberattacks, but they also complicate the landscape, making it more challenging to predict, trace, and counteract these threats.
Unveiling the Vulkan Files
With a volume of over 5,000 pages spanning the period between 2016 and 2021, the Vulkan files provide an unprecedented glance into the chasm that is the world of cyberwarfare. These documents, which appear to be technical manuals, specification sheets, and other details, reveal a powerful suite of software tools and databases specifically designed to fortify Russia’s intelligence agencies and hacking groups.
This portfolio of digital weapons is both broad and versatile. They allow for the exploitation of system vulnerabilities across global computer networks, a feature that not only enables the launch of pinpointed cyberattacks but also ensures these attacks are well-coordinated.
Significantly, the documents shed light on specific programs created for the manipulation of social media. These tools can create fake social media pages on a large scale—an essential component in the age of disinformation and propaganda warfare. But their capabilities do not stop there. They can also identify and collate potential weaknesses in computer systems worldwide, effectively collecting digital entry points for future targeting.
The depth of information in the leaked documents offers a rare glimpse into the covert operations of Russia’s military and spy agencies. This includes the infamous Sandworm hacking group, which has been linked to several high-profile cyberattacks over the years. The inner workings and strategies of these groups, as detailed in the files, help us better understand their methodologies and techniques.
Authenticity and Impact
Confirming the validity of the leaked documents has been a critical concern, given the significant implications of their content.
Officials from five Western intelligence agencies and numerous independent cybersecurity firms have independently scrutinized the files and come to a shared conclusion: they believe the documents to be authentic. Such consensus, spanning across multiple organizations and experts, lends significant credibility to the Vulkan files and their startling revelations.
The insights provided by cybersecurity experts have been instrumental in assessing the impact of these findings. John Hultquist, Vice President of Intelligence Analysis at Mandiant, draws particular attention to Russia’s approach to cyber warfare. According to Hultquist, the documents suggest that Russia sees attacks on critical civilian infrastructure and social media manipulation as parallel and interrelated missions.
This perspective fundamentally challenges the conventional fracture between digital and physical realms in warfare. If Russia indeed views these two types of attacks as part of the same mission, it suggests a holistic strategy aimed at destabilizing societies both physically, by threatening or disrupting critical infrastructure, and psychologically, by manipulating information and sowing discourse via social media.
Hultquist’s analysis underscores the potential consequences of the strategies and technologies revealed in the Vulkan files. If such methods are put into practice, they could result in devastating impacts on societies and individuals around the globe. This realization reinforces the urgency of strengthening global cybersecurity measures and heightens the importance of transparency and vigilance in digital spaces.
The leak of the Vulkan files brought more than the cybersecurity firm’s inner workings and private projects to light—it gave the public a rare glimpse of the future. While threat intelligence specialists often have the disadvantage of working one step behind threat actors, analyzing their past attacks to anticipate future plans, the Vulkan files leak gave cyber defenders an inside look at Russia’s information warfare strategies.
The documents also confirmed the increasingly pivotal role of private defense contractors in cyber warfare. Government outsourcing to private contractors, while not uncommon, adds a level of obscurity that only contributes to the confusion that comes along with attribution for cyberattacks.
While the leak provides valuable intelligence for cybersecurity entities to better understand and prepare for potential threats, it also underscores the importance of international cooperation, transparency, and stronger regulations in countering these threats. As we grapple with the ever-evolving landscape of cyberwarfare, it’s clear that understanding and addressing the role of private defense contractors like Vulkan will be crucial in maintaining global cybersecurity.
In subsequent articles, we will explore the geopolitical impact of these revelations and gain an understanding of the tools developed by Vulkan for Russian intelligence and military agencies.