The Washington Post joined a consortium of news organizations, led by Paper Trail Media and Der Spiegel in Germany, to investigate NTC Vulkan, a software and cybersecurity company that has commercial and government clients. The reporting, which took more than a year, included the study and translation of the documents along with interviews with former employees, cybersecurity experts and intelligence officials from Western nations.
Here are seven takeaways from the Vulkan Files:
1. Russia’s military has been looking to scale cyberattacks, using new technologies and platforms. Moscow’s cyberwarriors are not a disparate collection of hackers launching ransomware for quick scores. Instead, they are part of a robust, state-sponsored effort that uses the full power of the Russian security state and private companies to identify critical targets and enemies’ vulnerabilities. The leaked documents detail plans — and software platforms bursting with capabilities — to identify and coordinate attacks in real time and improve efficiency. The two main projects, Amezit and Skan, respectively help enable social media disinformation campaigns and map out targets that are vulnerable to hacking. A third program, Crystal-2, offers training related to malicious, real-world attacks on critical infrastructure, including air, sea and rail transport.
2. Vulkan’s software combs internet networks for targets and intrusion points. The projects allow clients — namely Russian military intelligence operatives — to select potential targets with a click and map the computer networks, email addresses and software that could be used to compromise them. Maps and other illustrations in the documents make clear that some of these potential targets are in Europe and the United States. One image shows a U.S. map with circles over what appear to be concentrations of internet servers. Another map in the trove shows Muhleberg Nuclear Power Plant in Switzerland, outside Bern, along with the Swiss Ministry of Foreign Affairs. It is not clear whether those were actual targets or just hypothetical ones used for training.
3. War has unintended consequences: The anonymous person who provided the Vulkan Files to a German reporter claimed to be motivated by outrage over Russia’s invasion of Ukraine, saying, “I am angry about … the terrible things that are happening there.”
While there’s no way to verify the intentions of this person, whose identity remains unknown, the documents appear authentic to the intelligence analysts and cybersecurity experts who reviewed them. The trove includes manuals, technical specifications, emails, financial records and design details for software, including mock-ups and other illustrations.
4. One of Vulkan’s clients appears to be Russia’s most notorious hacking group, dubbed Sandworm by Western cybersecurity analysts: Key evidence appears in a couple of places in the trove, most explicitly where an official of Sandworm’s military unit, Unit 74455, approves a data transfer protocol for one of the software platforms that Vulkan was building in 2019.
U.S. and Western officials have attributed to Sandworm numerous spectacular hacks, including the disruption of the Opening Ceremonies of the 2018 Winter Olympics and the 2017 release of NotPetya, malware initially aimed at Ukraine that ultimately caused more than $10 billion of damage by snarling shipping and other corporate activity worldwide. Experts think Sandworm, which also twice caused power blackouts in Ukraine, remains active in cyberattacks supporting the Russian invasion there.
5. Disinformation campaigns also can be put on automatic pilot, at least in part: The documents show that automated systems allow operators to make fake accounts — on Facebook, Twitter, YouTube and other platforms — while also using a piece of hardware called a “SIM bank,” which holds many SIM cards at once, to receive and answer in bulk the verification text messages those platforms send to new accounts.
Vulkan’s software also is designed to allow operators to harvest photos and other information to build these fake accounts and to time their online activities in a realistic way. Once the fake accounts have been created, they can be used to post information, add friends, send direct messages, upload photos and videos and “like” the posts of others.
6. Hacking can go beyond the digital world: A document for a training program called Crystal-2 speaks explicitly about the ability to disrupt real-world infrastructure, including systems for controlling air, sea and rail operations.
Cybersecurity experts who reviewed the documents were split on whether these references describe offensive techniques or defensive ones intended to help protect Russian infrastructure against outside attack. At a minimum, Vulkan software appears to have a role in training about how to disrupt these kinds of real-world targets.
7. Vulkan’s employees do more than just work: A piece of malicious software written by a company employee turns out to be an invitation to a New Year’s Eve party.
When someone clicks on a document link in an email, the malware displays an image of a bear alongside a champagne bottle and two champagne glasses. The invitation wishes recipients “a wonderful holiday season and a healthy and peaceful New Year!”
In the background, Soviet military music plays.
About the Vulkan Files
This investigation was a collaboration among journalists from eight countries working at 11 news organizations, including The Washington Post. Leading the project were Paper Trail Media and Der Spiegel in Germany. Also participating from that country were Süddeutsche Zeitung and ZDF. Other partners include the Guardian in Britain, Le Monde in France, Tamedia in Switzerland, the Danish Broadcasting Corporation in Denmark, Der Standard in Austria and iStories, a news site covering Russia that is based in Latvia.
Editing by Ben Pauker. Copy editing by Gilbert Dunkley.