Foreign media conducted an investigation and made public the files of the Russian firm Vulkan, which is a hacker group. Here is what is known about them

 

dev.ua
March 31, 2023

The Guardian published the findings of an investigation conducted by 11 media outlets, which exposed the Russian company NTC Vulkan, a contractor working for the Russian military and intelligence services.

Here is what is known about them.

What is known about Vulkan

Vulkan was used to conduct hacking operations, train operatives before attacks on national infrastructure, spread disinformation, and control sections of the Internet.

Vulkan is associated with the hacker group Sandworm, which is also called the "Kremlin Sandworm". They are considered a unit of the GRU. Sandworm hackers launched the NotPetya virus in 2015, and also carried out attacks on Ukrainian energy facilities in 2022. One of the largest Vulkan projects was implemented with the blessing of the Kremlin's most notorious cyberwarrior unit known as Sandworm.

In addition, the files released from Vulkan include one created by an employee on New Year's Eve 2019. It contained the words: "APT Magma Bear." This refers to Russian state hacking groups such as Cozy Bear and Fancy Bear, and appears to point to Vulkan's own shady activities.

What hackers use

Among the tools used by criminals are:

  • Scan-V, which searches the Internet for vulnerabilities that are then stored for use in future cyberattacks.
  • Amezit, a plan to monitor and control the Internet in Russian-controlled regions and to spread disinformation through fake social media profiles.
  • Crystal-2V, a program to train cyber operators in the techniques needed to disable rail, air, and maritime infrastructure.

How they were exposed

Data about Vulkan, namely files dating from 2016 to 2021, was made public by an anonymous whistleblower, an opponent of Russia's war in Ukraine, who contacted the German newspaper Süddeutsche Zeitung in February of last year. He said that the GRU and the FSB were "hiding behind" Vulkan.

The person later shared the data and additional information with Munich-based startup Paper Trail Media. For several months, journalists from 11 media outlets, including the Guardian, the Washington Post and Le Monde, investigated the files in a consortium led by Paper Trail Media and Der Spiegel.

Five Western intelligence agencies confirmed the authenticity of the Vulkan files. The company and the Kremlin did not respond to multiple requests for comment.

What is known about the Russian company NTC Vulkan

About the founders

Anton Markov, executive director of Vulkan, founded the company in 2010 together with Oleksandr Irzhavskyi. Both graduated from the St. Petersburg Military Academy and previously served in the army, reaching the ranks of captain and major, respectively.

Anton Markov, executive director of "Vulkan"

About the field of activity

The enterprise is part of the military-industrial complex of Russia.

Since 2011, "Vulkan" has received special state licenses to work on secret military projects and state secrets. It is a mid-sized technology company with over 120 employees, about 60 of whom are software developers. It is not known how many private contractors have access to "sensitive" projects in Russia, but according to some estimates, there are no more than a dozen of them.

"Vulkan" reports that it specializes in "information security"; officially, its clients are large Russian state companies. Among them are Sberbank, the country's largest bank, the national airline Aeroflot and Russian railways.

About employees

Some of the employees are graduates of the Bauman State Technical University, which has a long history of feeding conscripts to the Ministry of Defense.

Work processes are organized according to the principles of strict operational secrecy: employees are never told what other departments are working on. In addition, the company has a corporate culture that is more like that of a technology giant.

Contents of the released files

The files include emails, internal documents, project plans, budgets and contracts. The information inside gives an understanding of the Kremlin's massive cyber efforts at a time when it is waging a brutal war against Ukraine.

Some of the leaked documents contain what appear to be illustrative examples of potential targets. One contains a map showing dots throughout the United States. Another contains details of a nuclear power plant in Switzerland.

One document shows how engineers recommend Russia expand its own capabilities using hacking tools stolen in 2016 from the US National Security Agency and posted online.

About Vulkan attacks

A special unit within the GRU's "main special technology center," Sandworm is known internally as field number 74455. This code appears in the Vulkan files as the "approval batch" in a white paper. The paper describes a "data exchange protocol" between what is apparently an already existing military database containing information about software and hardware flaws and a new system that Vulkan has been tasked with creating: Scan-V.

The Scan project was commissioned in May 2018 by the Institute of Engineering Physics, a research institution in the Moscow region closely associated with the GRU. All details were classified. It is unclear whether Sandworm was the intended user of the system, but in May 2020 a team from Vulkan visited a military facility in Khimki, the same city on the outskirts of Moscow where the hacking unit is based, to test the Scan system.

There is no information in the leaked files about Russian malicious code or malware used for hacking operations. But a Google analyst said the tech firm linked Vulkan to a malware operation called MiniDuke in 2012. SVR, Russia's foreign intelligence service, used MiniDuke in phishing campaigns. The leak reveals that a secret branch of the SVR, Military Unit 33949, has hired Vulkan to work on several projects. The company called its client a "sanatorium" and a "prophylactic."

Internet Control, Surveillance and Disinformation

Amezit

In 2018, a team of Vulkan employees met with FSB representatives at the Radio Broadcasting Research Institute in Rostov-on-Don. They hired Vulkan as a subcontractor to help build a new system called Amezit, which was also linked in the files to the Russian military.

Amezit aims to take over and control the internet. Internet traffic deemed politically harmful can be removed before it spreads.

Military spies can identify people who browse web pages, see what they access on the Internet, and track information that users share.

The Vulkan files contain documents related to an FSB operation to monitor social media use in Russia on a gigantic scale, using semantic analysis to detect "hostile" content.

Fraction

According to a source familiar with Vulkan's work, the firm developed a bulk collection program for the FSB called Fraction. It combs through sites like Facebook or Odnoklassniki (the Russian equivalent) looking for keywords. The goal is to identify potential opposition parties based on the data.

PRR

Journalists were able to track the real activity of fake Vulkan-related social media accounts as part of the Amezit subsystem, codenamed PRR.

This Amezit subsystem allows the Russian military to conduct large-scale covert disinformation operations on social media and the Internet by creating accounts that resemble real people on the Internet or avatars. The avatars have names and stolen personal photos, which are then cultivated over months to create a realistic digital footprint.

Automation of internal propaganda

The Vulkan files show how the Russian military hired a private contractor to build automated domestic propaganda tools used by the St. Petersburg-based Internet Research Agency.

"Crystal-2V"

Another Amezit-related project developed by Vulkan, codenamed Crystal-2V, is a training platform for Russian cyber operators. Capable of supporting up to 30 trainees simultaneously, it appears to simulate attacks on a range of critical national infrastructure targets: rail lines, power plants, airports, waterways, ports and industrial control systems.
