CSO contributor

NTC Vulkan leak shows evolving Russian cyberwar capabilities

News Analysis
Apr 07, 2023 (11 mins)
Advanced Persistent Threats, Critical Infrastructure, Cyberattacks

Documents from a Russian intelligence subcontractor provide insight into the Kremlin's cyberwar objectives and potential long-term threats to Western organizations.

National habits and perspectives on waging war are not just apparent in terrestrial conflict. In cyberspace, national ways of cyberwar clearly exist. From the unusually aggressive style of Israeli responses to regional cyber threat activities to the consistent correlation between Communist Party interests and China-attributed cyber espionage, a host of examples show that diverse geopolitical interests, national political imperatives, and institutional cultures seem to produce unique flavors of cybersecurity practice.

Now, the NTC Vulkan leak of thousands of pages of secret documentation related to the development of Moscow’s cyber and information operations capabilities adds more weight to this view. The documents paint a picture of a government obsessed with social control and committed to scaling their capacity for non-kinetic interference.

NTC Vulkan: What we know

An apparently unhappy employee of a contracting firm linked to Russian military and security services passed several thousand documents to a German reporter working for Süddeutsche Zeitung. They detailed a collaboration centered on fleshing out Moscow’s cyber conflict toolkit. The employee, who has remained anonymous and disappeared soon after the transfer of documents, claimed extreme discomfort with Vladimir Putin’s administration. “The company is doing bad things, and the Russian government is cowardly and wrong,” the whistleblower stated. “I am angry about the invasion of Ukraine and the terrible things that are happening there…. I hope you can use this information to show what is happening behind closed doors.”

The leaked documents constitute a cache of over 5,000 manuals, reports, company communications, software specification sheets, and other media covering the period between 2016 and 2021. The portfolio details applications and database resources developed by a company called NTC Vulkan for use by the intelligence agencies of the Russian Federation. Reporting on the leak highlights the close relationship the company maintained throughout that period with key spy agencies and military units. These include the Federal Security Service (FSB), the Foreign Intelligence Service (SVR), and both military intelligence divisions of Russia’s armed forces: the Main Directorate (GRU) and Main Operational Directorate (GOU) of the General Staff.

Authoritative voices in Western cybersecurity circles have said the leak is remarkably credible. Representatives of five national intelligence agencies along with researchers from Mandiant and other cybersecurity companies have reviewed parts of the cache and stated that the tools and techniques being described match with existing intelligence on Russian capabilities.

These capabilities, which for the first time appear to link a private firm directly to known threat actors like Military Unit 74455 (the advanced persistent threat actor commonly known as Sandworm), include tools that are clearly geared toward large-scale attack preparation and the widespread, automated dissemination of disinformation. Several tools are described in some detail. One, a project called “Skan-V” or just “Scan,” appears to be a background taskmaster and coordination tool that can enable other software for malicious purposes. According to Mandiant analysis, the tool is an information gathering application focused on efficiently conducting early operational reconnaissance. Scan appears to be so comprehensive as to substantially automate the preparation of cyber operations.

Two other tools codenamed “Amezit” and “Krystal-2B,” respectively, detail methods and training simulations intended to prepare an operator workforce for offensive operations against critical infrastructure targets. Amezit also outlines techniques for automating disinformation campaigns by crawling social media for target-relevant intelligence, creating fake accounts en masse for disinformation dissemination activities, and rapidly drawing on burner assets to overcome verification checks put in place by technology companies to safeguard users. In short, the tools revealed by these recent leaks suggest a desire and an ability to extensively map foreign vulnerabilities and make the job of Russia’s cyber conflict operators as accessible and scalable as possible.

Russian cyber developments are evolutionary

From an analytic perspective, this leak of Vulkan company information paints a familiar picture of Russia’s blended public-private state digital security apparatus. The array of media and technical expert reports that have come out on the matter – none of which provide a full data dump of the leaked files – presents more intricate detail on the types of tools being developed for Moscow’s use than ever before. Tools like Scan and Amezit reflect an iterative evolution of Russia’s cyber warfare capabilities that counters the common Ukraine war-era narrative that Moscow’s digital prowess may have been as overblown as its conventional military power has proven to be.

The relationship between Vulkan and state military-intelligence organs is in many ways little different from the connections that exist between Moscow and various cybercriminal organizations. Private incubators of cyber warfighting capacity are as important as guarantors of Russian digital power as the official operational units that usually feature in headlines, like Fancy Bear or Gamaredon. Significantly, talent cultivation pipelines link university students to post-graduation opportunities via the façade of surprisingly pedestrian-looking technology companies. Where a company like Vulkan may not be profiting from the permissiveness of Putin’s government toward criminal behavior, it certainly profits from Moscow’s desire to wage unconventional conflict. This provides an interesting revolving door for talent and capital between red and grey space.

What’s also familiar about the information leaked about Vulkan is the overarching focus on cyber contestation couched in terms of information competition. For Russia, the idea that Moscow is locked in some kind of existential contest with the West has never been cleanly separable into military insecurity on one side and cultural-political imbalance on the other. In part, this comes from deeply rooted ideas in Russia’s immense security apparatus that global competition is as much nonmilitary as it is a question of territory and tanks.

Chief of the Russian General Staff Valery Gerasimov is in no small part responsible for the prevalence of this view as a justification for waging unrestricted foreign interference campaigns. Gerasimov famously noted in 2013 that “[t]he role of nonmilitary means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness.”

The popularity of this idea reflects Russia’s growing weakness in conventional military terms relative to both Western and Chinese defense forces since the end of the Cold War. It also underwrites and amplifies entrenched ideas about Russian competitiveness in global terms common in the country’s intelligence communities. Regardless, the work of Vulkan and, assumedly, other companies like it directly interacts with this view via the conceptual lens of something called “information confrontation” (informatsionnoye protivoborstvo).

Information confrontation is both a concept and a tactic. In the former sense, it is the idea that nonstandard methods of engagement can produce coercive leverage while avoiding escalation. This can be done either by influencing enemy populations and military forces or by subverting the function of real information networks. These approaches are called informational-psychological confrontation and informational-technical confrontation, respectively. Tactically, information confrontation is guided by a simple imperative: work to short-circuit Western military superiority without direct kinetic engagement. That way, the gameboard of the future might be rigged to nullify Russian disadvantages.

Strategic scalability and a shift toward cyber-combined arms?

With Vulkan, the tactical manifestation of information confrontation and the lineage of Russian efforts to resource a nonconventional contest with Western superiority are clear. While Russia clearly struggled during the first year of the information war tied to the invasion of Ukraine, this leaked pre-war portfolio suggests that Moscow has likely done anything but despair over those failures. Military failures led to the prioritization of conventional force development during 2022, but the more recent resurgence of groups like Killnet and a surging focus on the spread of disinformation across Western Europe and the Middle East speak to Russia’s macro commitment to eventual victory via information control.

In fairness, while the detail contained in these leaks does paint an evolutionary picture of Russian strategy, the leaks also should not simplistically be thought of as more of the same. While the use of a private company to build tools for offensive intelligence and military operational units is far from unexpected, the tools and intentions showcased in the Vulkan documents suggest a capacity to innovate and to produce more sophisticated versions of the Russian way of cyberwar.

The focus on infrastructure vulnerability assessment and compromise in the context of greater automation via tools like Amezit is particularly concerning. Though groups like Sandworm have been tied to major infrastructure attacks like the 2015 and 2016 compromises of Ukrainian energy systems, those attacks used compromises cultivated by human operators years in advance and relied on extensive legacy knowledge of target personnel, physical infrastructure, and network architecture. They were well-resourced and time-intensive.

Today, the scope of possible engagement with these new tools changes. Automated attack surface assessment draws down talent and resource demands, incentivizes looser constraints on targeting, and increases the perceived political value of cumulative operations over single attacks.

To some degree, this appears to reflect lessons learned from the first two decades of Russian dabbling with informational-technical and informational-psychological operations enabled by web technologies. In line with current US thinking on cyber operations, Moscow likely sees a need not only to interfere in order to compete, but to be able to scale tactical effects to secure tangible strategic gains.

This further sophistication of digital capacity constitutes an interesting counterposition to the narratives surrounding the lack of a “cyber blitzkrieg” from Russia in the first stages of the Ukraine invasion. Specifically, the fact of Russian sophistication in cyberspace reinforces the idea that Moscow’s cybersecurity posture is a beast of blended political-security calculations. The Russians are clearly capable of adapting their execution of the information confrontation approach to conflict, learning lessons about social control from Chinese developments, and investing in the sophistication of operational capacities for network and psychological operations. The implications, however, are still inevitably couched in a parochial context.

Takeaways from the NTC Vulkan leak for Western industry

The Vulkan leaks hold several important takeaways for Western cybersecurity practitioners and industry stakeholders. One is that common narratives surrounding Russia’s digital retreat from the open internet over the last year can be misleading. Tools like those developed by NTC Vulkan and the clear desire to build novel methods of interference suggest, in line with prevailing Russian thinking about information confrontation, that Moscow sees non-Russian IP space as a natural operating environment despite few points of societal interconnection.

If the reported content of these Vulkan documents is accurate, then there is significant concern regarding workforce diffusion from companies like NTC Vulkan to technology firms across the globe. Not all individuals who have aided Moscow’s cyber threat regime have done so knowingly; others have, and they may constitute a realistic insider threat for Western firms and governments. Employers would do well to invest in heightened scrutiny of those with employment in the Russian economy over the past decade and to be smart with the distribution of access to critical systems, infrastructure, know-how, and personnel.

The picture painted by Vulkan documents also needs to be recognized for the personalization of threat potential it represents. Russia has built its cyber capabilities to overcome limitations encountered in the last decade of low-intensity engagement with the West. This effort reflects a systematization of capacity to wage information confrontation campaigns across both Western and third-party IP networks.

However, the tactical implications of the tools that accomplish this strategic capacity link less to a blanket, generic cyber threat than to one that maps sector- and firm-specific vulnerabilities at unprecedented tempo. The tools also automatically furnish Russian operators with a networked understanding of the attack surface linking companies to customers and citizens. Cyber defensive efforts must surely internalize this evolution of attacker perspective.

Finally, there is reason to be optimistic. One concerning feature of the Vulkan leaks is the degree to which cyber technical and psychological capabilities are being developed in similarly sophisticated ways. Typically, less sophisticated operations – social influence campaigns – are harder to detect and more resilient to methods designed to defeat them than are conventional cyber operations against network infrastructure. The trade-off is that they are much harder to scale into any tangible strategic gain. Here, tools like Amezit might alter this dynamic by making audiences more accessible more quickly.

The upside is that influence campaigns underwritten by key tools and analytic methods are much more traceable than most informational-psychological operations tend to be. Cybersecurity stakeholders in the West must remember that developments like those described in these leaks occur in an adversarial context. Methods of systematically engaging foreign populations take on the signatures of the tools that enable such scope of interference. This is particularly true the more cyber operations overlap with informational-psychological characteristics, which is already a clear focus of Russian operations. Analysis of Moscow’s unique political-strategic calculus tells us a lot about when to expect cyber methods applied to secure Russian interests. The opportunities for combating the influence of incubation farms like NTC Vulkan remain immense.