More than 5,000 pages of documents from a Moscow-based contractor offer unusual glimpses into planning and training for security services, including the notorious hacking group Sandworm
By Craig Timberg, Ellen Nakashima, Hannes Munzinger and Hakan Tanriverdi
March 30, 2023
The Washington Post
Russian intelligence agencies worked with a Moscow-based defense contractor to strengthen their ability to launch cyberattacks, sow disinformation and surveil sections of the internet, according to thousands of pages of confidential corporate documents.
The documents detail a suite of computer programs and databases that would allow Russia’s intelligence agencies and hacking groups to better find vulnerabilities, coordinate attacks and control online activity. The documents suggest the firm was supporting operations including both social media disinformation and training to remotely disrupt real-world targets, such as sea, air and rail control systems.
An anonymous person provided the documents from the contractor, NTC Vulkan, to a German reporter after expressing outrage about Russia’s attack on Ukraine. The leak, an unusual occurrence for Russia’s secretive military industrial complex, demonstrates another unintended consequence of President Vladimir Putin’s decision to take his country to war.
Officials from five Western intelligence agencies and several independent cybersecurity companies said they believe the documents are authentic, after reviewing excerpts at the request of The Washington Post and several partner news organizations.
These officials and experts could not find definitive evidence that the systems have been deployed by Russia or been used in specific cyberattacks, but the documents describe testing and payments for work done by Vulkan for the Russian security services and several associated research institutes. The company has both government and civilian clients.
The trove offers a rare window into the secret corporate dealings of Russia’s military and spy agencies, including work for the notorious government hacking group Sandworm. U.S. officials have accused Sandworm of twice causing power blackouts in Ukraine, disrupting the Opening Ceremonies of the 2018 Winter Olympics and launching NotPetya, the most economically destructive malware in history.
One of the leaked documents mentions the numerical designation for Sandworm’s military intelligence unit, 74455, suggesting that Vulkan was preparing software for use by the elite hacking squad. The unsigned, 11-page document, dated 2019, showed a Sandworm official approving the data transfer protocol for one of the platforms.
“The company is doing bad things, and the Russian government is cowardly and wrong,” said the person who provided the documents to the German reporter, shortly after the invasion of Ukraine. The reporter then shared them with a consortium of news organizations, which includes The Washington Post and is led by Paper Trail Media and Der Spiegel, both based in Germany.
The anonymous person, who spoke to the reporter through an encrypted chat app, declined to identify themself before ending contact, declaring the need to vanish “like a ghost” for security reasons.
“I am angry about the invasion of Ukraine and the terrible things that are happening there,” the person said. “I hope you can use this information to show what is happening behind closed doors.”
Vulkan did not respond to requests for comment. An employee of the company who answered the phone at its head office confirmed that an email with queries had been received and said it would be answered by company officials, “if it is of interest to them.”
No responses came. Kremlin officials also did not reply to requests for comment.
The cache of more than 5,000 pages of documents, dated between 2016 and 2021, includes manuals, technical specification sheets and other details for software that Vulkan designed for the Russian military and intelligence establishment. It also includes internal company emails, financial records and contracts that show both the ambition of Russia’s cyber operations and the breadth of the work Moscow has been outsourcing.
This includes programs to create fake social media pages and software that can identify and stockpile lists of vulnerabilities in computer systems across the globe for possible future targeting.
Several mock-ups of a user interface for a project known as Amezit appear to depict examples of possible hacking targets, including the Foreign Ministry in Switzerland and a nuclear power plant in that nation. Another document shows a map of the United States with circles that appear to represent clusters of internet servers.
One illustration for a Vulkan platform called Skan makes reference to a U.S. location, labeled “Fairfield,” as a place to find network vulnerabilities for use in an attack. Another document describes a “user scenario” in which hacking teams would identify insecure routers in North Korea, presumably for potential use in a cyberattack.
The documents do not, however, include verified target lists, malicious software code or evidence linking the projects to known cyberattacks. Still, they offer insights into the aims of a Russian state that — like other major powers, including the United States — is eager to grow and systematize its ability to conduct cyberattacks with greater speed, scale and efficiency.
“These documents suggest that Russia sees attacks on civilian critical infrastructure and social media manipulation as one and the same mission, which is essentially an attack on the enemy’s will to fight,” said John Hultquist, the vice president for intelligence analysis at the cybersecurity firm Mandiant, which reviewed selections of the document at the request of The Post and its partners.
The role of contractors in Russian cyberwarfare is “very significant,” especially for the Russian military intelligence agency commonly called the GRU, said a Western intelligence analyst, speaking on the condition of anonymity to share sensitive findings. “They are a critical pillar of GRU offensive cyber research and development. They provide expertise that the GRU may lack on a given issue. The spy services can do cyber operations without them, but likely not as well.”
Three former Vulkan employees, who spoke on the condition of anonymity out of fear of retribution, confirmed some details about the company. Financial records for Vulkan, which were separately obtained by the news organizations, match references in the documents in several instances, detailing millions of dollars worth of transactions between known Russian military or intelligence entities and the company.
The intelligence and cybersecurity experts said details in the documents also match information collected about Russia’s hacking programs — including in a smaller previous leak — and appear to describe new tools for enabling offensive cyber operations. Vulkan, they said, is one of dozens of private firms known to provide tailored cyber capabilities to the Russian security services.
The experts cautioned that it was not clear which of the programs had been completed and deployed, as opposed to being merely developed and ordered up by the Russian military, including by units linked to the GRU. The documents do, however, refer to state-mandated testing, changes desired by the clients and finished projects, strongly suggesting that at least trial versions of some of the programs were activated.
“You don’t find network diagrams and design documents like this very often. It really is very intricate stuff. This wasn’t meant to be ever seen publicly,” said one of the Western intelligence officials, speaking on the condition of anonymity to share candid assessments of sensitive findings. “But it makes sense to pay attention. Because you better understand what the GRU is trying to do.”
The Threat Analysis Group at Google, the tech company’s premier cyberthreat hunter, found evidence in 2012 that Vulkan was being used by the SVR, Russia’s foreign intelligence service. The researchers observed a suspicious test phishing email being sent from a Gmail account to a Vulkan email account that had been set up by the same person, evidently a company employee.
“[T]he use of test messages is common practice to test phishing emails prior to their use,” Google said in a statement. After that test email, the Google analysts saw the same Gmail address being used to send malware known to be employed by SVR against other targets.
That was “not the smartest move” on the Vulkan employee’s part, said one Google analyst, speaking on the condition of anonymity to describe sensitive findings. “It was definitely a slip-up.”
A file labeled “Secret Party NTC Vulkan” is a holiday invitation disguised in a piece of malware that normally takes control of a user’s computer. The invitation — apparently harmless — automatically downloads an illustration of a large bear alongside a champagne bottle and two glasses.
The image is labeled “APT Magma Bear,” a reference to Western cybersecurity officials’ labeling of Russian hacking groups with ursine code names. APT refers to “Advanced Persistent Threat,” a cybersecurity term for the most serious hacking groups, which are typically run by nation states such as Russia.
The invitation reads “APT Magma Bear wishing you and your family a wonderful holiday season and a healthy and peaceful New Year!” as Soviet military music plays in the background.
Vulkan was founded in 2010 and has about 135 employees, according to Russian business information websites. The company website says its main headquarters is in northeast Moscow.
A promotional video on the company website portrays Vulkan as a scrappy tech start-up that “solves corporate problems” and has a “comfortable work environment.” It ends by declaring that Vulkan’s goal is to “make the world a better place.”
The promotional video does not mention military or intelligence contracting work.
“The work was fun. We used the latest technologies,” said one former employee in an interview, speaking on the condition of anonymity for fear of retribution. “The people were really clever. And the money was good.”
Some former Vulkan employees later worked for major Western companies, including Amazon and Siemens. Both companies issued statements that did not dispute that former Vulkan employees worked for them, but they said that internal corporate controls protected against unauthorized access to sensitive data.
The documents also show that Vulkan intended to use an array of U.S. hardware in setting up systems for Russian security services. The design documents repeatedly refer to American products, including Intel processors and Cisco routers, that should be used to configure the “hardware-software” systems for Russian military and intelligence units.
There are other connections to U.S. companies. Some of those companies, including IBM, Boeing and Dell at one time worked with Vulkan, according to its website, which describes commercial software development work with no obvious ties to intelligence and hacking operations. Representatives of IBM, Boeing and Dell did not dispute that those entities previously worked with Vulkan but said they do not now have any business relationships with the company.
The trove of documents initially was shared with a reporter for the German newspaper Süddeutsche Zeitung. The consortium examining the documents has 11 members — including The Post, the Guardian, Le Monde, Der Spiegel, iStories, Paper Trail Media and Süddeutsche Zeitung — from eight countries.
Among the thousands of pages of leaked Vulkan documents are projects designed to automate and enable operations across Russian hacking units.
Amezit, for example, details tactics for automating the creation of massive numbers of fake social media accounts for disinformation campaigns. One document in the leaked cache describes how to use banks of mobile phone SIM cards to defeat verification checks for new accounts on Facebook, Twitter and other social networks.
Reporters for Le Monde, Der Spiegel and Paper Trail Media, working from Twitter accounts listed in the documents, found evidence that these tools probably had been used for numerous disinformation campaigns in several countries.
One effort included tweets in 2016 — when Russian disinformation operatives were working to boost Republican presidential candidate Donald Trump and undermine Democrat Hillary Clinton — linking to a website claiming that Clinton had made “a desperate attempt” to “regain her lead” by seeking foreign support in Italy.
The reporters also found evidence of the software being used to create fake social media accounts, inside and outside of Russia, to push narratives in line with official state propaganda, including denials that Russian attacks in Syria killed civilians.
Amezit has other features designed to allow Russian officials to monitor, filter and surveil sections of the internet in regions they control, the documents show. They suggest that the program contains tools that shape what internet users would see on social media.
The project is repeatedly described in the documents as a complex of systems for “information restriction of the local area” and the creation of an “autonomous segment of the data transmission network.”
A 2017 draft manual for one of the Amezit systems offers instructions on the “preparation, placement and promotion of special materials” — most likely propaganda distributed using fake social media accounts, telephone calls, emails and text messages.
One of the mock-ups in a 2016 design document allows a user to hover a cursor over an object on a map and display IP addresses, domain names and operating systems as well as other information about “physical objects.”
One such physical object — highlighted in fluorescent green — is the Ministry of Foreign Affairs in Bern, Switzerland, which shows a hypothetical email address and the “attack goal” to “obtain root user privileges.” The other object highlighted on the map is the Muhleberg Nuclear Power Plant, west of Bern. It stopped producing power in 2019.
Dmitri Alperovitch, who co-founded the cyberthreat intelligence firm CrowdStrike, said that the documents indicate that Amezit is intended to enable discovery and mapping of critical facilities such as railways and power plants, but only when the attacker has physical access to a facility.
“With physical access, you can plug this tool into a network and it will map out vulnerable machines,” said Alperovitch, now the chairman of Silverado Policy Accelerator, a think tank in Washington.
Emails suggest that the Amezit systems were at least tested by Russian intelligence agencies by 2020. A company email dated May 16, 2019, describes feedback from the customer and desires for changes in the program. A spreadsheet marks which parts of the project have been finished.
A document in the trove also suggests that Vulkan was contracted in 2018 to create a training program called Crystal-2 to provide simultaneous operation by up to 30 trainees. The document mentions testing “the Amezit system to disable [incapacitate] control systems for rail, air and sea transport” but does not make clear whether the training program conceived in the documents went forward.
Trainees also would be “testing methods for obtaining unauthorized access to local computer and technological networks of infrastructure and facilities to support life in population centers and industrial areas,” potentially using capabilities the document ascribes to Amezit.
Later in the document, the text reads: “The level of secrecy of processed and stored information in the product is ‘Top Secret.’”
Skan, the other main project described in the documents, allowed Russia’s attackers continuously to analyze the internet for vulnerable systems and compile them in a database for possible future attacks.
Joe Slowik, the threat intelligence manager at the cybersecurity company Huntress, said Skan probably was designed to work in tandem with other software.
“This is the background system that would allow for it all — organizing and potentially tasking and targeting of capabilities in a way that can be centrally managed,” he said.
Slowik said Sandworm, the Russian military hacking group blamed for numerous disruptive attacks, was likely to want to keep a large repository of vulnerabilities. A document from 2019 says Skan could be used to display “a list of all possible attack scenarios” and highlight all the nodes on the network that could be involved in the attacks.
The system also appears to enable coordination among Russian hacking units, allowing “the ability to exchange data between prospective geographically dispersed special units,” according to the leaked documents.
“Skan reminds me of old military movies where people stand around and place their artillery and troops on the map,” says Gabby Roncone, another cybersecurity expert at Mandiant. “And then they want to understand where the enemy tanks are and where they need to strike first to break through the enemy lines.”
There is evidence that at least some part of Skan was delivered to the Russian military.
In an email dated May 27, 2020, Vulkan developer Oleg Nikitin described collecting a list of employees “to visit the territory of our functional user” to install and configure equipment for the Skan project, and upgrade and configure software and demonstrate functionality. The functional user is described as “Khimki,” a reference to the Moscow suburb where Sandworm is based.
“The territory is closed, the regime is strict,” Nikitin wrote, using Russian terms for a protected, secret government facility.
Nikitin did not reply to a request for comment.
Maria Christoph from Paper Trail Media contributed to this report.
Craig Timberg is The Post’s senior editor for collaborative investigations and a former technology reporter. Ellen Nakashima is a Post national security reporter who has written about cybersecurity and intelligence issues. Hannes Munzinger and Hakan Tanriverdi are senior investigative reporters for Paper Trail Media, based in Munich. Munzinger received the document trove and had initial conversations with the source while working for his previous employer, Süddeutsche Zeitung.
About the Vulkan Files
This investigation was a collaboration among journalists from eight countries working at 11 news organizations, including The Washington Post. Leading the project were Paper Trail Media and Der Spiegel in Germany. Also participating from that country were Süddeutsche Zeitung and ZDF. Other partners include the Guardian in Britain, Le Monde in France, Tamedia in Switzerland, the Danish Broadcasting Corporation in Denmark, Der Standard in Austria and iStories, a news site covering Russia that is based in Latvia.