Poster of Russian President Vladimir Putin on building showing Vulkan files revealed Russian cyberwar strategies

Vulkan Files: Contractor Leak Reveals Russian Cyberwar Plans, Disinformation Campaigns

A whistleblower for NTC Vulkan, a Russian cybersecurity contractor, has come forward with internal documents that provide deep insight into Russian cyberwar plans and strategies. The “Vulkan Files” reveal that company engineers work directly for Russian military and intelligence outfits and train state-backed hackers, run disinformation campaigns and provide support for cyber attacks.

The leaks have been screened by journalists from 11 media outlets, including the Washington Post and Guardian, and several Western intelligence agencies are confirming that the material is authentic. The contractor purports to do most of its business with major private companies in Russia, but the Vulkan Files indicate it is essentially an extension of the government.

Vulkan Files indicate critical infrastructure, social media are key points of focus

Vulkan is one of only about a dozen contractors in Russia that have the government licenses needed to work on classified military and state projects. From the outside, the company looks like any other tech startup. On the inside, it is a key piece of Russian cyberwar efforts, at least according to the Vulkan Files leaks.

The whistleblower, reportedly a former employee who opposes the Ukraine invasion, has provided thousands of internal documents to the media. These documents make clear that the contractor works directly with the GRU, FSB and SVR on a variety of Russian cyberwar projects.

The Vulkan Files indicate that the contractor has particularly close ties with a unit called Sandworm, a GRU-affiliated advanced persistent threat (APT) group that has been active since at least 2015. Its high-profile actions include attacks on the Ukraine power grid, distribution of the NotPetya malware in 2017, and attempting to disrupt the 2018 Winter Olympics opening ceremony. Its repeated attacks on Ukraine’s utilities over the years recently prompted investigators with the UC Berkeley School of Law to petition the Hague to charge group members with war crimes.

According to the Vulkan Files, the company is developing cyber attack tools for Sandworm, including a scanner (called “Scan-V”) meant to continually prowl the internet for vulnerabilities and log them for later use. It is also responsible for a social media manipulation tool called Amezit, which coordinates posting under fake accounts and also supports domestic surveillance. Another system, Crystal-2V, trains hackers in the methods used to attack critical infrastructure and transportation systems.

Documents connected with the Amezit system appear to show servers of interest throughout the United States, along with scattered other locations throughout the world (such as a nuclear power plant in Switzerland). The combination of documents indicates that the Russian cyberwar program sees both social media manipulation and hacking of foreign critical infrastructure as an intertwined mission.

The Vulkan Files collectively span from 2016 to 2021. The leaker reportedly approached the media with them in February 2022, just after the invasion of Ukraine began. Substantial time was spent vetting the documents, and the leaker also appears to be well aware of the dangers of publicizing Russian cyberwar documents, saying that they have spent the ensuing time cutting ties to their previous life and becoming “a ghost.”

Russian cyberwar plans mix disruption abroad with tight domestic control of information, surveillance

Despite encompassing some 5,000 pages, the Vulkan Files are short on information in certain areas: the malware that the government uses, specific targets that it is eyeing in the near future, or “smoking gun” evidence linking Russian APT groups to specific cyber attacks. The documentation is more of a general overview of the Russian cyberwar efforts and what the country’s broad intentions are.

Though the Russian government trusts only a handful of contractors with state secrets, it is eager to work with them when they can supply some sort of cyber capability that it does not have internally. Russian cyberwarfare also frequently appears to run on United States hardware. The Vulkan Files indicate that IBM, Boeing and Dell all had prior relationships with the contractor. Intel processors and Cisco routers are also used in Russian military and intelligence systems.

In terms of social media operations, the Russian cyberwar plans put a heavy focus on interfering in foreign elections and pushing state propaganda both at home and abroad. One of the tactics outlined in the Vulkan Files is the use of “banks” of SIM cards to create fake accounts on services such as Facebook and Twitter. The government appeared to show interest in helping Donald Trump to get elected in 2016, planting and amplifying false stories about Democrat candidate Hillary Clinton.

The primary domestic program appears to be called “Project Fraction.” There is also a heavy focus on monitoring social media within Russia and its allied and controlled territories, combing platforms for keywords that might indicate participation in political opposition. The project also has tools used to evaluate the content of social media posts in terms of attitudes and possibility of a threat to government positions.

Senior Correspondent at CPO Magazine