Russian Cyberwarfare

A woman carries her cat as she walks past buildings that were destroyed by Russian shelling, amid Russia’s invasion of Ukraine in Borodyanka, in the Kyiv region, Ukraine. Picture: FILE/REUTERS/Zohra Bensemra

As the conflict in Ukraine with Russia continues, more information emerges on how far Russian cyberwarfare has evolved in the past two decades. An interesting investigative article from the Guardian online (which I paraphrase and quote below) pulls back the curtain on some of the lesser-known acts of war in cyberspace.

An inconspicuous office sits in Moscow’s north-eastern suburbs. A sign reads: “Business center”. Nearby are modern residential blocks and a rambling old cemetery, home to ivy-covered war memorials. The area is where Peter the Great once trained his mighty army. Inside the six-storey building, a new generation is helping Russian military operations. Its weapons are more advanced than those of Peter the Great’s era: not pikes and halberds, but hacking and disinformation tools.

The software engineers behind these systems are employees of NTC Vulkan. On the surface, it looks like a run-of-the-mill cybersecurity consultancy.

However, a leak of secret files from the company has exposed its work bolstering Vladimir Putin’s cyberwarfare capabilities.

Thousands of pages of secret documents reveal how Vulkan’s engineers have worked for Russian military and intelligence agencies to support hacking operations, train operatives before attacks on national infrastructure, spread disinformation and control sections of the internet.

One document links a Vulkan cyber-attack tool with the notorious hacking group Sandworm, which the US government said twice caused blackouts in Ukraine, disrupted the Olympics in South Korea and launched NotPetya, the most economically destructive malware in history.

Code-named Scan-V, it scours the internet for vulnerabilities, which are then stored for use in future cyber-attacks. The Vulkan files, which date from 2016 to 2021, were leaked by an anonymous whistleblower angered by Russia’s war in Ukraine.

Such leaks from Moscow are extremely rare. Days after the invasion in February last year, the source approached the German newspaper Süddeutsche Zeitung and said the GRU and FSB “hide behind” Vulkan. Five western intelligence agencies confirmed the Vulkan files appear to be authentic.

The company and the Kremlin did not respond to multiple requests for comment. Russian hackers are known to have repeatedly targeted Ukrainian computer networks; a campaign that continues. Since last year’s invasion, Moscow’s missiles have hit Kyiv and other cities, destroying critical infrastructure and leaving the country in the dark.

Analysts say Russia is also engaged in a continual conflict with what it perceives as its enemy, the west, including the US, UK, EU, Canada, Australia and New Zealand, all of which have developed their own classified cyberoffensive capabilities in a digital arms race. Vulkan is part of Russia’s military-industrial complex.

This subterranean world encompasses spy agencies, commercial firms and higher education institutions. Specialists such as programmers and engineers move from one branch to another; secret state actors rely heavily on private sector expertise.

Traditionally, the FSB took the lead in cyber affairs. From 2011 Vulkan received special government licenses to work on classified military projects and state secrets. It is a mid-sized tech company, with more than 120 staff — about 60 of whom are software developers.

It is not known how many private contractors are granted access to such sensitive projects in Russia, but some estimates suggest it is no more than about a dozen. Vulkan’s corporate culture is more Silicon Valley than spy agency.

It has a staff football team, and motivational emails with fitness tips and celebrations of employee birthdays. There is even an upbeat slogan, “Make the world a better place”, which appears in a glossy promotional video. One of Vulkan’s most far-reaching projects was carried out with the blessing of the Kremlin’s most infamous unit of cyberwarriors, known as Sandworm.

According to US prosecutors and western governments, over the past decade Sandworm has been responsible for hacking operations on an astonishing scale. It has carried out numerous malign acts: political manipulation, cybersabotage, election interference, dumping of emails and leaking.

Sandworm disabled Ukraine’s power grid in 2015. The following year it took part in Russia’s brazen operation to derail the US presidential election. Two of its operatives were indicted for distributing emails stolen from Hillary Clinton’s Democrats using a fake persona, Guccifer 2.0.

Then in 2017 Sandworm purloined further data in an attempt to influence the outcome of the French presidential vote, the US says. That same year the unit unleashed the most consequential cyber-attack in history.

Operatives used a bespoke piece of malware called NotPetya. Beginning in Ukraine, NotPetya rapidly spread across the globe. It knocked offline shipping firms, hospitals, postal systems and pharmaceutical manufacturers — a digital onslaught that spilled over from the virtual into the physical world.

A special unit within the GRU’s “main centre for special technologies”, Sandworm is known internally by its field number 74455.

Hacking groups such as Sandworm penetrate computer systems by first looking for weak spots. Since last year’s invasion, Russia has arrested anti-war protesters and passed punitive laws to prevent public criticism of what Putin calls a “special military operation”.

The Vulkan files contain documents linked to an FSB operation to monitor social media usage inside Russia on a gigantic scale, using semantic analysis to spot “hostile” content. The development of secret programs speaks to the paranoia at the heart of Russia’s leadership.

It is terrified of street protests and revolution of the kind seen in Ukraine, Georgia, Kyrgyzstan and Kazakhstan. Moscow regards the internet as a crucial weapon in maintaining order. At home, Putin has eliminated his opponents.

Dissidents have been locked up; critics such as Alexei Navalny poisoned and jailed. The Kremlin was already known to have made use of its disinformation factory, the St Petersburg-based Internet Research Agency, which has been put on the US sanctions list.

The billionaire Yevgeny Prigozhin, Putin’s close ally, is behind the mass manipulation operation. The Vulkan files show how the Russian military hired a private contractor to build similar tools for automated domestic propaganda.

Another Vulkan-developed project linked to Amezit is far more threatening. Code-named Crystal-2V, it is a training platform for Russian cyberoperatives. Capable of allowing simultaneous use by up to 30 trainees, it appears to simulate attacks against a range of essential national infrastructure targets: railway lines, electricity stations, airports, waterways, ports and industrial control systems.

Until Russia’s invasion of Ukraine in 2022, Vulkan staff openly travelled to western Europe, visiting IT and cybersecurity conferences, including a gathering in Sweden, to mingle with delegates from western security firms. Former Vulkan graduates now live in Germany, Ireland and other EU countries.

Some work for global tech corporations. Two are at Amazon Web Services and Siemens. Siemens declined to comment on individual employees but said it took such questions “very seriously”. Amazon said it implemented “strict controls” and that protecting customer data was its “top priority”.

There were enormous risks, too, for the anonymous whistleblower behind the Vulkan files. The Russian regime is known for hunting down those it regards as traitors. In their brief exchange with a German journalist, the leaker said they were aware that giving sensitive information to foreign media was dangerous.

But they had taken life-changing precautions. They had left their previous life behind, they said, and now existed “as a ghost”. As Sun Tzu, the great warrior and philosopher, wrote in his classic The Art of War: “Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt”.

As always God bless and stay safe in both digital and physical worlds.

• ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and are not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com
