Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks

Documents leaked from Russian IT contractor NTC Vulkan show the company’s possible involvement in the development of offensive hacking tools, including for the advanced persistent threat (APT) actor known as Sandworm, Mandiant reports.

Based in Moscow, NTC Vulkan advertises its collaboration with Russian organizations and government agencies, without mentioning any involvement in the operations of state-sponsored groups or intelligence services.

Documents dated between 2016 and 2020, however, show that the company has been contracted by Russian intelligence, including the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) Unit 74455 (also known as Sandworm, Telebots, Iron Viking and Voodoo Bear), for the development of tools, training programs, and an intrusion platform.

The leaked documents, referred to as The Vulkan Files, were obtained by a whistleblower and analyzed by Mandiant in collaboration with several major media outlets in Europe and the United States.

While it is unclear whether the required capabilities have been indeed implemented, the documents, which Mandiant believes to be legitimate, do show NTC Vulkan’s involvement in projects to enable Russia’s cyber and information operations (IO), potentially targeting operational technology (OT) systems.

“Mandiant did not identify any evidence indicating how or when the tools could be used. However, based on our analysis of the capabilities, we consider it feasible that the projects represent only some pieces of a variety of capabilities pursued by Russian-sponsored actors to conduct different types of cyber operations,” Mandiant notes.

Three projects are detailed in the analyzed documents, namely Scan (dated 2018-2019, supports large-scale data collection), Amesit (also called Amezit and dated 2016-2018, the tool supports IO and OT-related operations), and Krystal-2B (2018-2020, a framework for simulating coordinated IO/OT attacks via Amesit).

A comprehensive tool for information gathering, Scan can harvest network, configuration, and vulnerability details, along with other types of data, automating reconnaissance in preparation of operations and requiring coordination across operators.

“A framework like the one suggested in the Scan project illustrates how the GRU may be trying to enable fast-paced operations with high coordination among regional units. A once-segmented GRU cyber operation may become streamlined and more efficient using a framework like Scan,” Mandiant notes.

Focused on forming and manipulating public opinion, Amesit can manage the full information operations lifecycle, including the monitoring of media, creation and dissemination of content, and assessing an operation’s effectiveness.

Designed to support offensive and defensive exercises, Krystal-2B is a training platform for attacks targeting OT environments in coordination with IO components and uses Amesit for disruption. The platform simulates attack scenarios targeting transportation and utility systems.

“Amesit and Krystal-2B demonstrate a high value placed on the psychological impact of offensive cyberattacks, specifically OT operations, by highlighting the role of information operations in determining the impact of an ICS incident. The combination of different tactics in cyber operations is familiar to Russian cyber operations,” Mandiant notes.

The documentation associated with the three projects provides requirements on data collection and processing, describes capabilities available for operators, and outlines attack paths and methods to avoid identification, while showing Russian intelligence’s interest in critical infrastructure targets, such as energy, oil and gas, and water utilities and transportation systems.

Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks