Vulkan Files Expose Russia's Cyberwar Strategies

Files leaked by a whistleblower to the German news magazine Süddeutsche Zeitung show how Russia under Putin is planning cyberwar. An evaluation by a media collective shows that train lines and airlines are to be attacked, as well as energy supply and critical infrastructure. And our security culture continues to rely naively on increased digitization, including the cloud and up-to-date virus scanners.


The background

Shortly after Russia's invasion of Ukraine, an anonymous source provided the Süddeutsche Zeitung (SZ) with thousands of internal documents from a Russian IT company called NTC Vulkan, along with the remark "People should know what dangers this poses". These documents, known as the "Vulkan Files", were analyzed by a media collective (Süddeutsche Zeitung, ZDF frontal, Spiegel, etc.) and provide an accurate picture of the strategies the Kremlin is pursuing in a cyberwar. Security vendor Mandiant has also published an article on the topic with technical details.

The Vulkan files

The Russian company Vulkan, based in Moscow, presents itself outwardly as a software developer. The internal documents prove that this company also works for Russian intelligence services: the GRU military intelligence service, the FSB domestic intelligence service and the SWR foreign intelligence service, writes German broadcasting station ZDF in this article. Training documents in the Vulkan Files reveal that the company develops software that can be used to train for cyberattacks. The goals listed are:

  • "Crippling control systems of rail, air, and marine transportation."
  • "Disrupt energy companies and critical infrastructure."
  • "Identifying vulnerabilities of critical infrastructure to attack."

Vulkan has a tool called Skan-W, a crawler that scans the Internet for vulnerabilities that attackers can use to penetrate foreign servers, retrieve information and cause damage. According to Google, Vulkan appears to have been active since 2012; Google links it to the Russian APT group Cozy Bear. The latter is responsible for numerous attacks on organizations and companies.

Russia is also pursuing the goal of controlling and monitoring communications and the Internet in occupied territories. Vulkan has the technology to do this, for example in the form of the "Amesit" software. This can block access to unwanted data channels and, according to the Vulkan Files, redirect users to desired Internet resources in designated territories. Russian intelligence expert Andrei Soldatov, who was involved in the research on the "Vulkan Files," is quoted in the ZDF report as saying, "Their goal is complete control over the information in the territory they are trying to penetrate. So you go into an area, take control of communications and then use that control to spread disinformation, manipulate social media and suppress information."
