Busted - Russia’s Cyberwarfare Tools

An inconspicuous office sits in Moscow’s north-eastern suburbs.  A sign reads: “Business Centre.”  Nearby are modern residential blocks and a rambling old cemetery, home to ivy-covered war memorials.  The area is where Peter the Great once trained his mighty army.  Inside the six-story building, a new generation is helping Russian military operations.  Its weapons are more advanced than those of Peter the Great’s era: not pikes and halberds, but hacking and disinformation tools.[1]

The software engineers behind these systems are employees of NTC Vulkan.  On the surface, it looks like an ordinary cybersecurity consulting firm.  A leak of secret files from the company has since exposed its work bolstering Vladimir Putin’s cyberwarfare capabilities.  Thousands of pages of secret documents reveal how Vulkan’s engineers have worked for Russian military and intelligence agencies to support hacking operations, train operatives before attacks on national infrastructure, spread disinformation and control sections of the internet.

The company’s work is linked to the federal security service or FSB, the domestic spy agency; the operational and intelligence divisions of the armed forces, known as the GOU and GRU; and the SVR, Russia’s foreign intelligence organization.  Recently, documents leaked from NTC Vulkan show the company’s possible involvement in the development of offensive hacking tools, including for the advanced persistent threat (APT) actor known as Sandworm, cyber threat investigators reported.

See:  https://redskyalliance.org/xindustry/sandworm-under-the-gun-for-war-crimes

NTC Vulkan advertises its collaboration with Russian organizations and government agencies, without mentioning any involvement in the operations of state-sponsored groups or intelligence services.  Documents dated between 2016 and 2020, however, show that the company has been contracted by Russian intelligence, including the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) Unit 74455 (also known as Sandworm, Telebots, Iron Viking and Voodoo Bear), for the development of tools, training programs, and an intrusion platform.  The leaked documents, referred to as The Vulkan Files, were obtained by a whistleblower and analyzed by cyber threat experts in collaboration with several major media outlets in Europe and the US.

While it is unclear whether the required capabilities have been implemented, the documents, which investigators believe to be legitimate, show NTC Vulkan’s involvement in projects to enable Russia’s cyber and information operations (IO), potentially targeting operational technology (OT) systems.  The investigators did not identify any evidence indicating how or when the tools could be used.  However, based on an analysis of the capabilities, they consider it feasible that the projects represent only some pieces of a variety of capabilities pursued by Russian-sponsored actors to conduct different types of cyber operations. 

Three projects are detailed in the analyzed documents, namely Scan (dated 2018-2019, supports large-scale data collection), Amesit (also called Amezit and dated 2016-2018; the tool supports IO and OT-related operations), and Krystal-2B (2018-2020, a framework for simulating coordinated IO/OT attacks via Amesit).  A comprehensive tool for information gathering, Scan can harvest network, configuration, and vulnerability details, along with other types of data, automating reconnaissance in preparation for operations and requiring coordination across operators.  A framework like the one suggested in the Scan project illustrates how the GRU may be trying to enable fast-paced operations with high coordination among regional units.  A once-segmented GRU cyber operation may become streamlined and more efficient using a framework like Scan.  Focused on forming and manipulating public opinion, Amesit can manage the full information operations lifecycle, including the monitoring of media, the creation and dissemination of content, and the assessment of an operation’s effectiveness.

Designed to support offensive and defensive exercises, Krystal-2B is a training platform for attacks targeting OT environments in coordination with IO components, and it uses Amesit for disruption.  The platform simulates attack scenarios targeting transportation and utility systems.  Amesit and Krystal-2B demonstrate a high value placed on the psychological impact of offensive cyberattacks, specifically OT operations, by highlighting the role of information operations in determining the impact of an ICS incident.  Combining different tactics in a single campaign is a familiar pattern in Russian cyber operations.

The documentation associated with the three projects provides requirements on data collection and processing, describes capabilities available for operators, and outlines attack paths and methods to avoid identification, while showing Russian intelligence’s interest in critical infrastructure targets, such as energy, oil and gas, and water utilities and transportation systems.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://www.securityweek.com/leaked-documents-detail-russias-cyberwarfare-tools-including-for-ot-attacks/