The Vulkan papers offer a rare opportunity for an inside look at Russian cyber warfare.
Ukraine at D+400: the Vulkan papers.
The situation on the ground in Ukraine remains much the same as it's been over the past week: desultory Russian infantry attacks around Bakhmut and Russian missile strikes against civilian targets. The New York Times reports Ukrainian assessments that Russia has exhausted its readily available reserves in attempts to take Bakhmut, and Military.com reviews the missteps that have neutralized Russia's heavy numerical advantage in armor.
In diplomatic developments, the BBC reports that Russia is offering to trade food to North Korea in exchange for weapons. The US says that a Russian delegation has been dispatched to Pyongyang to look for whatever munitions and weapons the DPRK may be willing to spare. Back in New York, at the UN, Russia is preparing to assume the chair of the Security Council as its turn comes up in the Council's regular rotation. The Guardian writes, "The US, Britain, France and their supporters on the council are likely to show their disapproval by downgrading the level of their representation at Russian-hosted events over the course of the month, but no member state is known to be planning any form of boycott or other protest." The Hill notes in passing that the last time Russia held the chair was in February 2022, the month Russia invaded Ukraine.
The Vulkan papers.
NTC Vulkan, a Moscow-based IT consultancy, has been exposed as a major contractor to all three of the principal Russian intelligence services, the GRU, the SVR, and the FSB. Vulkan's specialty is the development of tools for cyberattack. Der Spiegel, one of a group of media outlets that broke the story, sources it to a major leak. "This is all chronicled in 1,000 secret documents that include 5,299 pages full of project plans, instructions and internal emails from Vulkan from the years 2016 to 2021," Spiegel writes. "Despite being all in Russian and extremely technical in nature, they provide unique insight into the depths of Russian cyberwarfare plans. In a militarized country that doesn’t just fight with warplanes, tanks and artillery, but with hackers and software."
The media consortium that received and shared the leaks includes German, French, British, and American papers: Der Spiegel, iStories, Paper Trail Media, Süddeutsche Zeitung, Le Monde, the Guardian, and the Washington Post. Süddeutsche Zeitung was the first to break the story, as "an exclusive look inside the war room of Putin's cyber army."
The Vulkan papers reveal that the company is engaged in supporting a full range of offensive cyber operations. Its services and products extend to espionage, disinformation, and disruptive attacks intended to sabotage infrastructure, and the company also provides training to its customers in the security and intelligence organs. The Washington Post, another recipient of the leaks, ascribes them to a disaffected insider who's motivated by opposition to Mr. Putin's war against Ukraine. "An anonymous person provided the documents from the contractor, NTC Vulkan, to a German reporter after expressing outrage about Russia’s attack on Ukraine," the Post reports. "The leak, an unusual occurrence for Russia’s secretive military industrial complex, demonstrates another unintended consequence of President Vladimir Putin’s decision to take his country to war." The anonymous leaker (who told his German contact, when declining to provide identification, that he or she intended to "vanish like a ghost" for obvious reasons of personal security) explained the motivation of his or actions: “The company is doing bad things, and the Russian government is cowardly and wrong.... I am angry about the invasion of Ukraine and the terrible things that are happening there. I hope you can use this information to show what is happening behind closed doors.”
Vulkan itself is a tech start-up, believed to have been founded in 2010, it's thought to have "about 135 employees." The leaked documents include evidence of extensive and detailed reconnaissance of targets in both Ukraine and the many Western countries who've been hostile to Russia's war. The Post outlines what it takes to be the major takeaways from the documents:
- "Russia’s military has been looking to scale cyberattacks, using new technologies and platforms." It's a well-organized effort, not a contribution to a slapdash hacktivist program.
- "Vulkan’s software combs internet networks for targets and intrusion points." The leaked files show extensive cyber battlespace preparation.
- "War has unintended consequences." One of those consequences may have been the creation of a Russian insider threat.
- "One of Vulkan’s clients appears to be Russia’s most notorious hacking group, dubbed Sandworm by Western cybersecurity analysts." Sandworm is believed to have been behind the attacks on Ukraine's power grid, on the 2018 Winter Olympics, and the NotPetya pseudoransomware.
- "Disinformation campaigns also can be put on automatic pilot, at least in part." Vulkan automates influence operations to achieve coordinated inauthenticity at scale.
- "Hacking can go beyond the digital world," that is, some of Vulkan's services include support of attacks with physical consequences for adversaries' infrastructure, including "systems for controlling air, sea and rail operations."
Among the more interesting revelations in the files are descriptions of Vulkan's tools. Security firm Mandiant sifted through the leaked files for the Post, and, while they're reticent about authentication, they offer an appreciation of three of Vulkan's more striking products:
- Scan (or "Skan"): "A comprehensive framework likely used to enable cyber operations. Scan consists of a variety of methods for large-scale data collection and contains comprehensive documentation on how to structure databases to store and handle such information. Based on the signatories, Scan documentation was contracted (at least in part) by GRU Unit 7445, or Sandworm Team."
- Amesit (or "Amezit"): "A framework used to control the online information environment and manipulate public opinion, enhance psychological operations, and store and organize data for upstream communication of efforts. Information confrontation and psychological operations in Amesit are designed to support IO and OT-related operations."
- Krystal-2B: "A training platform for exercising coordinated IO/OT attacks against transportation and utility industries using Amesit. The exercise’s program highlights particular scenarios against OT environments and Russian infrastructure. Krystal-2B may be a red teaming or defensively focused exercise, but demonstrates interest in coordinating IO/OT attacks." Krystal-2B relies on tooling from Amesit, and documents associated with it show some of the specific interest Russian operators have in attacks against process-level systems. "For rail systems, this includes manipulating the speed of trains, creating unauthorized track transfers, causing car traffic barriers to fail, and causing combined heat and power (CHP) units to fail, with the explicit objective of causing train collisions and accidents. For pipeline systems, this includes closing valves, shutting down pumps, overfilling tanks, spilling materials, and causing pump cavitation and overheating."
Taken as a whole, the documents show that Russia is devoting considerable attention to cyber battlespace preparation. Neither Vulkan nor Russian officials responded to requests by the Washington Post and others for comment.
Both sides view weapons-locating radars as high-value targets.
"As of 23 March 2023, Ukrainian Special Operation Forces released footage of a Russian ZOOPARK-1M counter-battery radar being destroyed in the Donetsk area," the UK's Ministry of Defence writes in this morning's situation report. Weapons-locating radars have been valuable to both sides, and Ukraine has received such systems from Western governments since the early weeks of the war. "Efforts by both sides to neutralise their opponent’s counter-battery radars have been a constant element of the conflict. These systems are relatively few in number but are a significant force multiplier. They allow commanders to rapidly locate and strike enemy artillery. However, because they have an active electromagnetic signature, they are vulnerable to being detected and destroyed." Russia seems to be running low on them. "Russia has lost at least six ZOOPARK-1M and likely only has a very limited number left in Ukraine. Regenerating counter-battery radar fleets is likely a key priority for both sides, but Russia will likely struggle because the systems rely on supplies of high-tech electronics which have been disrupted by sanctions."
Reaction to the FSB's arrest of an American journalist.
White House Press Secretary Karine Jean-Pierre spoke about the detention of Mr. Gershkovich at a press briefing yesterday, "These espionage charges are ridiculous. The targeting of American citizens by the Russian government is unacceptable. We condemn the detention of Mr. Gershkovich in the strongest — in the strongest terms. We also condemn the Russian government’s continued targeting and repression of journalists." She drew a lesson from the detention for all Americans: stay out of Russia. "I want to strongly reiterate that Americans should heed the U.S. government’s warning to not travel to Russia."
US Senator Menendez (Democrat of New York) who chairs the Senate Foreign Relations Committee, reacted to the FSB's arrest of the Wall Street Journal's Evan Gershkovich. “Mr. Gershkovich's detention is outrageous,” the Senator said in an interview carried by MSNBC. “It follows the pattern of Putin arresting, detaining, taking Americans hostage. He is fearful of what a free press will do to his authoritarianism, and that’s why he often engages in labeling journalists either terrorists or foreign agents. He should be released immediately, and we will be engaged vigorously with the Administration not only in calling for his removal, but in finding ways to have Russia pay an additional consequence for this.”