Russian cyberwar is supported to a great degree by private contractors, according to a leak that media outlets are referring to as the “Vulkan Files.” A whistleblower from Russia-based NTC Vulkan has provided the Guardian, the Washington Post and a number of other media outlets with thousands of internal documents that outline how the Russian government and intelligence services collaborate with the tech contractor on hacking campaigns.
These connections to Russian cyberwar run deep. The documents indicate Vulkan develops tools for government disinformation campaigns on social media, supports domestic surveillance and attacks on the critical infrastructure of foreign countries, and trains members of state-supported threat groups. All of this is done in secret, as Vulkan also works with private companies in Russia and keeps the government connections out of the public eye.
Public-private partnerships in Russian cyberwar exposed
The Vulkan Files do not link Russia’s state-backed hacking teams to specific cyber attacks, something that would be an extremely rare piece of direct evidence. However, they do show what targets the government is interested in, and what sort of support Vulkan provides to advanced persistent threat groups.
Very few contractors are thought to be involved with Russian cyberwar, with only about a dozen known to possess the level of clearance such a relationship would require. The Vulkan Files indicate that the company handles a wide variety of support tasks. One of the areas it appears to be most active in is social media, both in terms of developing tools to disseminate propaganda (via masses of fake accounts) and to spy on domestic subjects by searching through keywords and phrases.
The Vulkan Files also indicate the contractor has developed a scanning tool for APT groups that continually probes across the internet for vulnerabilities and files them away for potential later use. It has also designed a training system that teaches state hackers specific techniques for use in attacking foreign critical infrastructure and transportation systems, among other tools that are clearly meant for threat groups working on government orders.
Strong emphasis on social media control, critical infrastructure in Vulkan Files
The roughly 5,000 documents provided to news outlets come from a disgruntled former employee who parted ways with the company shortly after Ukraine was invaded. The cache provides evidence that Vulkan is working directly with Russian intelligence and defense services, and it appears to have a particularly strong connection with the “Sandworm” hacking group known for the NotPetya malware. More recently, Sandworm is suspected of focusing on attacks against Ukraine’s utilities.
The media sources that have reviewed the Vulkan Files say that they appear to be legitimate, and they were apparently scrutinized for roughly a year (by some 11 outlets) before the stories began to be published. The documents primarily provide insight into Russian cyberwar activities from 2016 to 2021, but the included server target maps also offer some indication of what Russia’s future plans might be.