Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Leaks Reveal Moscow Source for Hacking, Disinformation Tools

Contractor Also Tapped to Develop Tools to Train Critical Infrastructure Hackers
Leaks Reveal Moscow Source for Hacking, Disinformation Tools
Russian President Vladimir Putin during a January 2019 press conference in Belgrade, Serbia (Image: Shutterstock)

Russian intelligence agencies' cyber operations are being bolstered by a Moscow-based firm that bills itself as an ordinary IT contractor specializing in information security.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

So reveal a consortium of media outlets to which an anonymous Russian insider leaked documents that reveal how the firm, NTC Vulkan, works as a cyber operations support contractor for the Russian government, according to individuals who reviewed the information.

"Vulkan's engineers have worked for Russian military and intelligence agencies to support hacking operations, train operatives before attacks on national infrastructure, spread disinformation and control sections of the internet," The Guardian reported. The leaked files, dated from 2016 to 2021, include emails, internal documents, project plans, budgets and contracts.

One of Vulkan's clients is hacking group Sandworm, Russia's GRU military intelligence agency hacking unit notorious for 2017's wave of NotPetya encryption attacks and attacks on Ukraine's energy grid. Sandworm has been active in cyber operations against Ukraine and its close allies since Russian President Vladimir Putin in February 2022 initiated a war of conquest against its European neighbor (see: Russian Sandworm APT Adds New Wiper to Its Arsenal).

One Vulkan project dubbed Amezit or Amesit is designed to help the Russian military automate large-scale disinformation operations across social media and other channels such as email and SMS texts using fake accounts populated by avatars that sport stolen photographs and extensive backstories. Another, called Krystal-2B, includes tools for training hacking teams to attack railways, pipeline and other operational technology environments.

The consortium of journalists investigating the leaks shared some of the files with Google's cybersecurity group, Mandiant, for review.

"These documents suggest that Russia sees attacks on civilian critical infrastructure and social media manipulation as one and the same mission, which is essentially an attack on the enemy's will to fight," John Hultquist, vice president of intelligence analysis at Mandiant, told The Guardian.

It is not clear from the leaks if any of the tools developed by Vulkan have been used as part of Russia's invasion of Ukraine.

Vulkan 'Files Appear to Be Authentic'

A whistleblower reportedly approached German newspaper Süddeutsche Zeitung in the days after Putin ordered the all-out invasion of Ukraine in February 2022, stating that Russian intelligence agencies use Vulkan to "hide behind."

The source later shared leaked information with Munich-based investigative journalism group Paper Trail Media, which with Der Spiegel led a project to review the information. The leaks were shared across 11 media outlets, including The Guardian, Le Monde and The Washington Post.

"Five western intelligence agencies confirmed the Vulkan files appear to be authentic," The Guardian reported. "The company and the Kremlin did not respond to multiple requests for comment."

Vulkan - Russian for volcano - works for a broad cross-section of the Russian government, including the federal security service, or FSB, which is in charge of domestic counterintelligence; the SVR foreign intelligence service; and the operational and intelligence divisions of the armed forces, the GOU and GRU, according to the leaks.

Vulkan was founded in 2010 by current CEO Anton Vladimirovich Markov. The Guardian reported that until Russia intensified its invasion of Ukraine in February 2022, Vulkan employees regularly attended European IT and cybersecurity conferences. Former employees now work for such businesses as Amazon Web Services and Siemens, it said.

As is typical for major governments, the Russian government relies on a vast military-industrial complex. Since 2011, Vulkan has received contracts to work on classified projects for the military and state, and currently it appears to sport about 120 employees, of which half are software developers, The Guardian reported.

The Vulkan website claims the company's partners include IBM and RSA and that its customers include Toyota Bank, Societe General Group and numerous Russian banks, including state-owned SberBank.

Tools, Training, Red Teaming

Mandiant reported that the leaks detail three projects - Scan-V, Amesit, Krystal-2B - tied to contracts with Russian intelligence services. It said the projects include "tools, training programs, and a red team platform" for "exercising" offensive cyber operations, including cyberespionage, information operations and targeting operational technology (see: Ukraine Tracks Increased Russian Focus on Cyberespionage).

"Capabilities documented in the contracted NTC Vulkan project Scan could help automate parts of the reconnaissance and preparation of operations," Mandiant reported.

Authorization for Scan-V appears to have come from Russian military unit 74455, better known as Sandworm, reported Der Spiegel.

Documentation for the Krystal-2B and Amesit programs - which appear to have crossover - "also displays interest in critical infrastructure targets, particularly energy utilities and oil and gas, but also water utilities and transportation systems, including rail, sea, and air," Mandiant reported.

Source: Mandiant (click to enlarge)

Mandiant reported that parts of Krystal-2B and Amesit are focused on simulating "OT test bed environments for rail and pipeline control systems." Attack scenarios contained in the commissioning document for railways include "manipulating the speed of trains, creating unauthorized track transfers, causing car traffic barriers to fail," all "with the explicit objective of causing train collisions and accidents," Mandiant reported.

For pipelines, capabilities required for simulation include "closing valves, shutting down pumps, overfilling tanks, spilling materials and causing pump cavitation and overheating," Mandiant reported.

While there's no indication of how these capabilities would be used against real-world OT systems, Mandiant reported that the tools mirror the capabilities and actions of Russian hacking groups it has tracked. The firm said that while it "lacks evidence to prove that the capabilities we discuss have been implemented or are feasible," the leaked contracts between the Russian state and the Moscow IT contractor have clear implications for defenders.

"As we continue to observe the intensification of threat activity from Russian-sponsored actors in parallel to the invasion in Ukraine, defenders should remain aware about the capabilities and priorities reflected in these documents to be prepared for protecting critical infrastructure and services," Mandiant said.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.