Mar 31, 2023

A Russian cybersecurity company that calls the Kremlin and its agencies clients, has been laid bare in a cross-border investigation following a disgruntled employee’s leak of thousands of internal documents, giving a unique insight into Moscow’s modus operandi. The ‘Vulkan Files ‘, published on Thursday (30 March), relate to Russian company RTV Vulkan and shed light on how closely classical military, cyber operations, and psychological warfare intertwine under Moscow’s leadership. It is reported the files were handed over to German media Suddeutsche Zeitung on 24 February 2022 by a whistleblower who opposed the invasion of Ukraine. The contents were analysed by more than 50 journalists from eight countries working with media such as The Guardian, the Washington Post, and Le Monde, and led by Paper Trail Media and Der Spiegel. “Thousands of pages of secret documents reveal how the Moscow-based defence contractor NTC Vulkan helped Russian intelligence agencies to strengthen their ability to launch cyberattacks, sow disinformation and surveil the internet. The investigation uncovered NTC Vulkan’s links to ‘Sandworm’ and ‘Cozy Bear'”, writes Paper Trail Media. The leak reveals evidence of tools used to influence social media discussion, surveil and spy, manipulate public opinion, interfere in elections, and censor. It also shows the close relationship between Russian intelligence agencies and the company, who have been regulars on the speaking circuit on topics such as the fight against digital ‘extremism’. “The point is not to counter-attack aggressively. However, it is, of course, a case of ensuring we have the power to detect and stop the attacks. These competencies are needed,” said German Federal Minister of the Interior Nancy Faeser in reaction to the revelations. Background The leaked files include internal documents and agreements with software manufacturers as well as providing a de facto client list including the intelligence service for internal affairs, FSB, the foreign intelligence service, SWR, the military intelligence service GRU, and the GRU-unit 74455: hacker group Sandworm- a group likely responsible for power blackouts in Ukraine and actively supported the Russian invasion. The Russian cybersecurity company was previously accused by the Google Threat Analysis Group, TAG, of involvement in a malware campaign by the Russian hacker group ‘Cozy Bear’, dating back to 2012. The leaked documents describe various tools, notably for detecting security vulnerabilities and planning attacks against network infrastructure, censorship, disinformation, and surveillance. “As a reaction to the most recent sanctions … Scan-V Pursued since 2018, one of the tools for digital interception of enemies is called Scan-V, which collects information about the target, such as the network structure, departments, and employees, to spy from a distance. Knowledge acquisition is partially based on public sources, including websites informing about security loopholes. As part of a larger tool, it scans target systems for vulnerabilities to coordinate the attacks internally. All points of vulnerability are logged and stored in a database. Amezit The tool Amezit is designed for censorship, surveillance, and disinformation but also for detecting the loopholes and security gaps in the software of specific telecom equipment from companies such as Huawei, Juniper, and Cisco. To disrupt network traffic, known pages are imitated and false or manipulated content is spread there. For the purpose of disinformation, fake profiles are created en masse to disseminate pro-Kremlin content on a large scale via email, SMS, and social media. Public opinion can be influenced by pushing individual hashtags in a targeted manner. Bot databases provide the basis for these operations. The ‘Vulkan Files’ international research team identified several hundred accounts on Twitter that could be directly or indirectly linked to the documents. To be unable to attribute Russian identity to these activities and small details, instructions include creating mail accounts at Gmail, Yahoo, and Hotmail and payment transactions with cryptocurrency or prepaid credit cards. Furthermore, subsystem LPI/Legend aims to disguise the origin of data by either removing metadata or even deliberately falsifying it. Crystal-2V Crystal-2V concerns targeted attacks on critical infrastructure, including train and air traffic, electricity, and water supply. According to the ‘Vulkan Files’, it was in the simulation stage as no evidence was ever used. Project Fraction Project Fraction monitors regime-critical activities inside its borders and flags them. By assessing the mass evaluation of posts in social media, including Facebook, Twitter as well as the Russian VKontakte and Odnoklassniki, AI machines are deployed to highlight ‘dangerous’ content. Pro-Russian hacker group Killnet and its affiliate Legion targeted thousands of websites, including government websites, in a coordinated cyberattack on Friday, Italian police reported. Russian hackers used DDoS attacks to target the foreign ministry’s website, the education and cultural heritage ministry, … [Edited by Alice Taylor/Luca Bertuzzi]