Leaked IT contractor files detail Kremlin's stockpile of cyber-weapons

Snowden-esque 'Vulkan' dossier links Moscow firm to FSB, GRU, SRV


An unidentified whistleblower has provided several media organizations with access to leaked documents from NTC Vulkan – a Moscow IT consultancy – that allegedly show how the firm supports Russia's military and intelligence agencies with cyber warfare tools.

Journalists from Der Spiegel and Munich-based investigative group Paper Trail Media – in conjunction with The Guardian, ZDF, Der Standard (Austria), the Swiss Tamedia Group, The Washington Post, Süddeutsche Zeitung and Le Monde – have spent the past few months working with the whistleblower, and have just published a set of articles describing these documents, referred to as The Vulkan Files.

The leak is similar to the 2013 disclosures of US classified surveillance information from former NSA contractor Edward Snowden, coincidentally now a Russian citizen.

According to The Guardian, this latest whistleblower chose to distribute the secret Russian documents due to anger over Russia's bloody invasion of Ukraine and a desire to see the information reveal some of what is going on inside Russia.

The files, reportedly confirmed by five Western intelligence agencies, describe various Russian hacking tools implicated in major security incidents – such as a reported blackout in Ukraine, and the disruption of the Olympics in South Korea – and in the creation of the infamous NotPetya malware.

They show links between NTC Vulkan and several Russian intelligence and military agencies, including the FSB, GRU, and SRV intelligence apparatus. We're told the leaked documents also include maps of US energy infrastructure.

The Russian IT company has nothing to do with the similarly named Vulkan 3D graphics platform, which is overseen by the non-profit Khronos Group.

Google-owned Mandiant helped interpret the documents, and considers them probably – though not unequivocally – legitimate.

"The documents detail project requirements contracted with the Russian Ministry of Defense, including in at least one instance for GRU Unit 74455, also known as Sandworm Team. These projects include tools, training programs, and a red team platform for practising various types of offensive cyber operations, including espionage, IO [information operations], and operational technology (OT) attacks."

In 2020, the US Justice Department indicted six Russian GRU officers for allegedly carrying out attacks on the Seoul Olympics, Ukraine, France's 2017 elections, and other incidents. The officers remain at large – presumably in Russia.

The leaked files also reportedly link NTC Vulkan to a Russian hacking group called APT29 or CozyBear, based on information from Google security researchers.

One of the tools cited in the Vulkan Files is called Scan-V, which as its name suggests appears to have been designed to scan the internet for vulnerabilities and store what it finds for later analysis and exploitation.

Another, called Amezit, is described by Mandiant as "a framework used to control the online information environment and manipulate public opinion, enhance psychological operations, and store and organize data for upstream communication of efforts."

A third, called Krystal-2B, is said to be a training platform for coordinating attacks on transportation and utility infrastructure using Amezit.

Gabby Roncone, a cyber security researcher with Mandiant, said the projects associated with NTC Vulkan cover cyber espionage, information operations, and operational technology (critical infrastructure) targeting.

"The thing about these projects contracted by NTC Vulkan is that they all seem to support the broader strategic goals of information confrontation," said Roncone. "The strategy of information confrontation has largely influenced RU cyber operations in Ukraine in my opinion."

NTC Vulkan did not immediately respond to a request for comment. The IT firm, on its website, claims to help more than 200 companies protect their businesses. ®
