Leaked ‘Vulkan Files’ Reveal Plans For Russian Cyber ​​War | Abroad

The new international research project the ‘Vulkan Files’ sheds light on the shady tactics used by Russian intelligence agencies to carry out cyberattacks, deploy disinformation campaigns and prepare for attacks on key infrastructure. The Vulkan Files consist of more than 5,000 pages of confidential information leaked by a Russian cybersecurity expert because of his displeasure with the Russian invasion of Ukraine.


30-03-23, 19:19

Latest update:
30-03-23, 19:31

The Guardian, Washington Post

The anonymous source passed on the documents, which mainly cover the period from 2016 to 2021, to a German reporter. “People need to know the dangers of this,” the whistleblower said. “Due to the events in Ukraine, I have decided to make this information public. The company is doing bad things and the Russian government is cowardly and at fault. I am angry about the invasion of Ukraine and the terrible things that are happening there. I hope you can use this information to show what goes on behind closed doors.”


I hope you can use this information to show what goes on behind closed doors


Russian company NTC Vulkan appears to be your average cyber security firm, but leaked documents show that the firm is fully committed to expanding Russia’s cyber warfare capabilities. The work of NTC Vulkan is linked to the Russian secret service FSB, the Russian military intelligence service GRU and the Russian foreign intelligence service SVR.

Vulkan engineers create computer programs and databases that help Russian intelligence agencies and hacker groups better find vulnerabilities, coordinate attacks and monitor online activity. The documents also suggest that the company is involved in spreading disinformation, as well as creating training to remotely disrupt real targets, such as sea, air and rail control systems.

Hacking tools

One of the documents links a cyberattack tool to the dreaded hacker group “Sandworm,” which U.S. officials say twice shut down Ukraine’s power grid, disrupted the 2018 Winter Olympics, and in 2017 released NotPetya, the most economically destructive cyberattack in history. Code-named Scan-V, the tool scans for vulnerabilities over the Internet, which are then stored for use in future cyber-attacks.


Another system called Amezit provides a blueprint for monitoring and controlling the Internet in regions under Russian command. It is unclear whether Amezit will be deployed in occupied parts of Ukraine, but last year Russia took control of Ukrainian internet and telephone services in the occupied territories. Ukrainian citizens were forced to join Crimean telecom operators, and SIM cards were distributed in ‘filtration camps’ run by the FSB.

LOOK. Fled Ukrainians reveal the horror of Russian filtration camps

With PRR, another subsystem of Amezit, the Russian military creates false profiles on social media, which use stolen photos and are used for months to leave a realistic digital trail and then used to spread disinformation. The documents show screenshots of fake Twitter accounts from 2014 to earlier this year that, among other things, spread a conspiracy theory about Hillary Clinton and deny that Syrian civilians were killed in Russian airstrikes.

Attacks on infrastructure

A third system built by Vulkan – Crystal-2V – is even more dangerous. The training program appears to simulate attacks on a range of critical national infrastructure targets, such as railway lines, power stations, airports, waterways, ports and industrial control systems.

Some documents contain presumed illustrations of possible targets. For example, there is a map with dozens of dots in the US and an illustration with information about a Swiss nuclear power plant and the Swiss Ministry of Foreign Affairs.

A map of possible targets in the US. © rv


Five Western intelligence agencies and several cybersecurity companies that were able to view the Vulkan Files are convinced of their authenticity.

However, experts and officials who examined the documents could not find conclusive evidence that the cyber warfare tools were actually deployed by Russia, but the files mention tests and payments for work that Vulkan performed for the Russian security services and various associated research institutes. The company has both government and civilian customers.

The research project is led by journalists from Paper Trail Media and Der Spiegel. The Guardian, Le Monde, Süddeutsche Zeitung and The Washington Post, among others, contribute to the Vulkan Files.

What is Vulkan?

Vulkan was founded in 2010 by Anton Markov and Alexander Irzhavsky. Both men served in the Russian army in the past and graduated from the Saint Petersburg military academy, receiving the ranks of captain and major respectively. “They had good contacts in that direction,” says a former Vulkan employee.

The company was launched at a time when Russia was rapidly expanding its cyber capabilities. In 2011, Vulkan received special permits from the government to participate in classified military projects and state secrets. More than 120 people work there. About 60 of them are software developers. In addition, there would be a maximum of ten freelancers.

Vulkan’s corporate culture is more reminiscent of a Silicon Valley company than a spy company. There is a company football team, employees receive emails with fitness tips and birthday employees are put in the spotlight. The cheerful slogan “Make the world a better place” is the focus of a promo video. Patriotism is held in high esteem at Vulkan and many personnel studied at Moscow State Technical University, where many defense personnel traditionally dropped out.


Until the 2022 Russian invasion of Ukraine, Vulkan personnel traveled openly to Western Europe and attended IT and cybersecurity conferences, establishing contacts with delegates from Western security firms.

Ex-Vulkan employees now live in Germany, Ireland and other EU countries. Some work for large technology companies. Two work at Amazon Web Services and Siemens.

It is unclear whether former Vulkan engineers now in the West pose a security risk, or whether they have come to the attention of Western counterintelligence agencies. Most seem to have relatives in Russia, a vulnerability the FSB uses to pressure and coerce Russian professionals abroad.

A former Vulkan employee told a journalist he regretted his job. “In the beginning it was not clear what my work would be used for,” he said. “Over time I understood that I couldn’t go on and that I didn’t want to support the regime. I was afraid something would happen to me, or that I would end up in prison.”

Whistleblower: “I now live like a ghost”

There are also huge risks for the anonymous whistleblower behind the Vulkan Files. After all, the Russian regime is hunting traitors. The whistleblower is aware of the dangers, said during a short conversation with the German journalist via a secure chat app, but the person says he has taken extreme precautions by leaving his previous life behind and now living “as a ghost”. ”.

LOOK ALSO. Everything about the war between Russia and Ukraine in pictures