This spring’s leak of the NTC Vulkan files caused an expected flurry of interest in the cyber and national security defense sectors of Western countries. Overnight, the entire world discovered that Russia’s iron fist of cyberwarfare was located less than a half-hour away from the Kremlin, tucked away in a dour Moscow suburb.
By now, reporters have produced countless articles analyzing the contents of the files. Technical analysts were left aghast—the files confirmed NTC Vulkan’s role in some of Russia’s most aggressive cyberwarfare campaigns and its connection to the GRU. Policy analysts were confronted with proof of Russia’s bellicose intentions against Western countries, as the files outlined maps identifying critical infrastructure grids as training targets in the West. This week, Strike Source will be looking at the implications of the files from the standpoint of what they reveal about Russia, a country under severe sanctions following the 2022 invasion of Ukraine. We will further examine the ways in which the Russian state’s use of contractors such as Vulkan sets a precedent for asymmetric warfare.
To understand Vulkan and its reach, one must take a look at the background of its founders. Anton Markov and Alexander Irzhavsky founded Vulkan in 2010; both men graduated from the prestigious St. Petersburg Military Academy and rose to the respective ranks of captain and major in the Russian Armed Forces. This location is especially noteworthy, as President Putin’s inner circle comes from the city of St. Petersburg, as does the top brass of Russia’s civilian and military espionage agencies. As alumni of one of Russia’s most prestigious military academies, the pair would likely have built countless powerful connections in the Ministry of Defense (Минобороны) and intelligence agencies. Considering their company’s position in the Russian military industrial complex, Markov and Irzhavsky likely had a fruitful time at the military academy.
Vulkan’s launch coincides with APT 29’s (a.k.a. Cozy Bear) first execution of the MiniDuke malware strain. Less than a year after its foundation, Vulkan was granted a special state license to work on secret military projects and contracts involving sensitive information, as well as state secrets. From there, the company quickly amassed a presence in the Russian cybersecurity industry; Vulkan’s vertiginous growth under Markov and Irzhavsky seemed to be unending. So did its list of clients, which featured some of the most prominent governmental agencies of the Russian Federation, pointing to the pair’s deeply rooted connections within the Russian military and intelligence apparatus.
In our previous piece, Strike Source detailed the ways in which NTC Vulkan presents itself as a run-of-the-mill cybersecurity consultancy, an unassuming hill amongst the scenery of mountaintops that make up the Russian cyber industry. Its services, running the gamut from security assessments to penetration tests, would not be out of place in a statement of work provided by Deloitte or KPMG. At the same time, as a small firm chaired in an unassuming Muscovite building and with a modest number of employees, NTC Vulkan has dealt with a variety of extremely high-profile clients both in Russia and abroad.
Of note in that list is the sheer number of Russian banking institutions for whom Vulkan has done work. These include Sberbank, Sberbank Insurances, and the Moscow Stock Exchange, to name the largest ones. Vulkan’s client list also includes critical infrastructure and power organizations with close ties to the Kremlin, the main ones in this category being Lukoil and the state-owned Gazprom. Finally, Vulkan has done work on a number of major Russian telecommunication companies, including Sberbank’s telecom branch and Rostelekom. This will be important to keep in mind for our next installment of the Vulkan story.
Surprisingly, Vulkan also did cybersecurity work for major Western companies. These include banks, such as France’s Peugeot Citroen Bank, the Italian Banca Intesa, and Toyota Financial Services, but also the defense and aeronautic giant Boeing. We do not have any insight into the assessments performed against these companies—however, one can guess these assessments’ nature based on the services offered by Vulkan.
Picture yourself as a Western company who has had a penetration test or audit performed by Vulkan, how would you be feeling now? Knowing what we know about Vulkan’s ties with the GRU, this would be worrisome, but the current geopolitical climate makes it downright alarming.
Vulkan and Russian Piracy
Of pivotal importance in this story is its backdrop of Russia embracing piracy and theft of intellectual property to dent the effect of Western sanctions on its economy.
Piracy is deeply entrenched within the realm of Russian cyberspace, with many citizens, either due to financial constraints or a lack of inclination, routinely torrenting music albums, games, and movies. Putin’s administration was seemingly aware of this and leaned into it following the 2022 invasion of Ukraine by effectively legalizing piracy of Western intellectual property as the first sanctions hit Moscow.
Putting two and two together, one can draw some interesting conclusions based on the fact that Vulkan may have had access to select Western firms’ environments to conduct assessments. Any of the reports, files, or evidence gathered during audits, penetration tests, or assessments would be up for grabs. If these hadn’t already been shared with their GRU partners, the Kremlin’s blessing of intellectual property theft gave them the power to distribute sensitive information as they saw fit. In many ways, this is an unprecedented situation which will have to be monitored to understand the potential exposure of Western organizations that have dealt with Vulkan.
A Tale of Two Evgeny’s
To understand the impact that the Vulkan story has on cyberwarfare, it is worth considering warfare as falling in two broad categories—symmetric and asymmetric.
Symmetric war is what most of us think when we think of war and is what takes place when countries’ militaries face off. Asymmetric warfare sees parties in a conflict use unconventional methods to attack their adversary. Cyberwarfare is a staple of asymmetric fighting: it is discreet, it targets entities or facilities to cause disruption, and it does not wait for formal declarations of war.
With the involvement of private military contractors (PMCs) in the Ukrainian war theater, the most notable of which is PMC Wagner, Russia has shown an unconventional approach to war. Evgeny Prigozhin, the blustery Wagner boss, regularly berates the top brass of the Russian army via Telegram videos, yet his men and Russian troops continue to work together to take Ukrainian positions.
A similar dynamic can be seen between the GRU and NTC Vulkan, with both parties working towards the same goal.
If Prigozhin’s red-faced rants truly make him the face of “regular” warfare, Evgeny Serebryakov, Sandworm’s new top official at the GRU, embodies the stealthy nature of cyberwarfare. Unknown amongst the general public but a familiar face to Western intelligence, Serebryakov embodies the veil of anonymity that characterizes state-backed cyber threat actors.
In 2018, Serebryakov ran a cyberespionage ring in the Netherlands for which he was caught and imprisoned. Ostensibly, this has not dented his stardom in Moscow; he is regularly in touch with generals, who normally never speak to underlings in the GRU’s strict hierarchy, and has been promoted to the head of Sandworm in 2022. His appointment shows that he is “apparently too good to dump.”
Although quite a bit of time has passed since Sandworm’s (a.k.a. Voodoo Bear) largest exploits, it’s important to remember they include the NotPetya ransomware, blackouts at the 2018 Korea Winter Olympics, and widespread cyberattacks against Ukraine.
The partnership between the GRU’s Sandworm and Vulkan to develop tools speaks to the two-facedness of the organization. On the surface, Vulkan serves a prestigious clientele, but just below you will find that it arms the most dangerous forces in the cyber underworld.
The rise of infamous but skilled figures such as Serebryakov, the deference shown to them in elite Muscovite intelligence and defense circles, as well as the sophistication of NTC Vulkan, complete with training contingencies for up-and-coming hackers, shows that Russia is increasingly leaning into cyberwarfare and considering it an important part of its arsenal. Vulkan is no unsuspecting mountain, but a noxious, erupting volcano which leaves its ashen marks streaked across the cyber landscape.
Overall, the Vulkan leaks have raised more questions than answers, especially relating to the variety of issues facing organizations which have worked with Vulkan, given the group’s proximity and contact with the GRU.
Looking at the evolution in leadership of sophisticated hacking groups working in the fold of the GRU, we were able to identify a definite pivot in the Kremlin’s approach to cyberwarfare. In this context, one cannot help but wonder what more destructive and daring attacks are on the horizon, especially as the war in Ukraine keeps on.
In the third and final part of this series, we will dig deeper than researchers have before, by unearthing the tools developed by Vulkan, their implications, and further information which has yet to be covered.