Secrets Revealed: The Inside Story of Putin’s Cyber Warfare in the Vulkan Files

"Vulkan Files": Behind the scenes of Putin's cyberwar

Recently, an anonymous whistleblower provided the Süddeutsche Zeitung (SZ) with thousands of secret documents from the Moscow-based IT company NTC Vulkan. These documents, dubbed the “Vulkan Files,” shed light on the cyber warfare tactics of the Russian government. Journalists from SZ, along with their counterparts at Spiegel, ZDF Frontal, The Guardian, The Washington Post, and the Austrian Standard, evaluated the papers. The documents reveal that Vulkan employees have been collaborating with Russian military and intelligence services on joint hacking operations, disseminating disinformation, and training agents to attack critical infrastructure. The aim was to control and censor parts of the internet and to be able to strike online targets worldwide.

NTC Vulkan presents itself as a company that develops software and drives IT security, but in reality, it also works for the Russian military intelligence agency GRU, the domestic intelligence agency FSB, and the foreign intelligence agency SWR. The documents include training material for commissioned programs such as shutting down control systems for rail, air, and ship transport, disrupting energy companies, and identifying weak points to attack. The documents also mention the Swiss nuclear power plant in Mühleberg, which is now shut down. Experts had previously identified security gaps in the plant. The Swiss Ministry of Foreign Affairs and the Ukrainian embassy in Bern are also mentioned in the documents.

The key product developed by Vulkan is Skan-W (or Scan-W), which can scan the internet for vulnerabilities that attackers can use to penetrate external servers and cause damage. This tool is connected to Sandworm, a notorious hacking group responsible for causing power outages in Ukraine and for disrupting the Olympics in South Korea. The military intelligence service GRU, which is behind Sandworm, is said to have circulated the most economically damaging malware in history with NotPetya. Western security researchers have pointed out that the cyber attack on the US provider Viasat and its KA-Sat satellite internet network, which coincided with Russia’s armed attack on Ukraine, was caused by wiper malware known as AcidRain. The destructive program disabled tens of thousands of broadband modems worldwide and has similarities to a plug-in of the Sandworm cluster’s VPNFilter botnet malware.

According to the SZ, another emerging system, dubbed Amesit (or Amezit), is a blueprint for internet surveillance and control in regions under Russian command. This means that entire regions could be cut off from the free internet. Its vast network of fake profiles on social media enables the massive spread of disinformation. Vulkan’s Crystal-2V is a training program for cyber operators, teaching them the methods needed to shut down rail, air, and maritime infrastructure.

Vulkan has reportedly received installment payments worth several million euros in over 17,000 transfer transactions for developing these programs. The payments were directed to institutes closely linked to intelligence agencies and the military. There are also close contacts with large Moscow universities. Vulkan specifically advertises for young talent among graduates, and representatives held a course at Lomonosov University on infiltrating social networks.

Konstantin von Notz, the deputy leader of the Greens in the Bundestag and the chairman of the parliamentary control body responsible for the secret services, fears that “hundreds of cyber weapons” are being developed like those detailed in the Vulkan Files. The files reveal that Vulkan is only one of 30 or more Russian companies competing for lucrative government contracts for cyber warfare.
