10.04.23 Propaganda Review

The ‘Vulkan’ leak: documents from a little-known firm reveal Russia's digital authoritarianism strategy


The release of an extensive archive of documents from Vulkan, a company that develops software for cyber operations for the Russian Ministry of Defence, the FSB, and the Foreign Intelligence Service, has revealed the main strategic directions of Russia's future cyber aggression. These strategies include cyberattacks against unfriendly nations, isolating the Internet in certain areas from the outside world, and astroturfing — promoting fake or propaganda content on social media to imitate genuine public opinion. However, so far Russia has only achieved practical success with the latter. Attempts to isolate the Internet have not succeeded, and its cyberattack potential has proven to be limited, as demonstrated by the hostilities in Ukraine. Russian activities in cyberspace remain vulnerable to leaks, and cyberattacks are not coordinated in terms of strategic objectives and interaction with troops. Russia appears to be more aggressive than capable, as it has been in other areas.

Eleven international publications, including Süddeutsche Zeitung, the Paper Trail Media & Spiegel consortium, The Guardian, The Washington Post, and the Russian outlet Important Stories, published reviews of over 5,000 internal Vulkan documents last week. Manuals, technical specifications, internal emails, financial reports, and contracts for software developed by Vulkan for the Ministry of Defence, the FSB, and the Foreign Intelligence Service are among the items in the leaked archive.

Containing documents spanning the period between 2016 and 2021, the archive is the first leak to reliably uncover parts of Russia's complex digital authoritarianism infrastructure, which aims to achieve three main objectives: 1) conducting cyberattacks in ‘unfriendly’ countries; 2) astroturfing, which is the imitation of public opinion on social media, and generating corresponding fake content; and 3) censorship, in particular, isolating certain segments of the Internet from the outside world and filling them with fake and pro-government content.

Until now, perceptions of Russia's activities in these fields were limited to suspicions of collaboration between Russian secret services and a number of hacker groups, as well as fragmented, albeit numerous, testimonies regarding the activities of Prigozhin's ‘troll factory’. Vulkan's activities consisted of providing software to help the government achieve its goals in the three aforementioned areas, so this leak is significant because it allows for a detailed map of the Kremlin's cyber activity.

One of the most notable systems created as part of these orders is Scan-V, a software system that connects Vulkan to the notorious hacker group Sandworm. US intelligence agencies suspect that Sandworm’s hackers have twice caused power outages in Ukraine, disrupted the Olympics in South Korea, and launched the NotPetya virus, which proved to be one of the most damaging viruses in history in terms of its impact on the global economy. Scan-V serves as a kind of industrial base for hackers' operations: it identifies and collects vulnerabilities in computer systems all over the world for future exploitation. According to The Washington Post, potential hacking targets include the Swiss Ministry of Foreign Affairs, nuclear power plants, US Internet server maintenance centres, and other civilian infrastructure.

Another piece of software, known as Krystal-2, teaches the Russian military to hack critical network infrastructure and tamper with air, sea, and rail transport. Another notable Vulkan creation is the Amezit system, Important Stories notes. The Russian Ministry of Defence can use this system to monitor all Internet users in a given territory, to block sites deemed undesirable by censors and to force the ‘correct’ content onto those users. However, there have been no documented instances of this technology's use. At the same time, one of the Amezit subsystems functions as a command centre for ‘troll factories,’ enabling bot creation and content generation on the Internet with just a few mouse clicks. This is essentially astroturfing software (in our previous article ‘Putin's Fans or Kremlin Bots?’ we discuss the technologies used to create artificial public opinion and artificial public campaigns on social networks). Amezit is capable of creating hundreds of bots on Facebook, Twitter, and YouTube that mimic real users by posting, liking, and commenting, boosting the popularity of pro-government content, and thus promoting the narratives desired by the government, while also creating the appearance of ‘correct’ public opinion.

This functionality of Amezit was first tested in the #pidobama Twitter campaign, with real-world implementation on the eve of the 2016 US presidential election, when bots were actively posting tweets against Hillary Clinton and in support of Trump. Following that, Amezit's artificial users were involved in the development of a conspiracy theory surrounding the murder of Colonel Maxim Shapoval, head of the special forces of Ukraine's Chief Intelligence Directorate, the denial of information about civilian deaths in Syria caused by Russian bombing, and attempts to influence public opinion during Armenia's parliamentary elections in 2017.

‘This leak suggests that Russia views attacks on critical civilian infrastructure and social media manipulation as parts of the same mission, which boils down to an attack on the enemy's will to fight,’ cyber threat experts who reviewed the Vulkan documents note. ‘The leak confirms that Putin sees himself as a leader locked in a perpetual war against the West,’ The Guardian adds. ‘Meanwhile, Putin's desire for total control within Russia grows, and Russia is edging closer to China regarding Internet access.’

Western countries clearly feel threatened by a Russian president who himself has never used the Internet. The paradox is that Russian activity in this field is, for one thing, vulnerable to leaks and, for another, ineffective. For example, since Russia’s full-scale invasion of Ukraine, experts have repeatedly highlighted the weak and uncoordinated nature of Russian cyber operations, which have had little impact on the course of hostilities. This is despite the Kremlin's apparent focus on this area in recent years.

The Russian government's astroturfing efforts are more effective because they increase the potential of genuine local radicals and populists. Ministers from eight European countries, including Ukraine, Moldova, and Poland, signed an open letter in late March urging the heads of major social media platforms to be more aggressive in their attempts to prevent the spread of harmful content. Nonetheless, in Europe's opinion, Beijing remains the main threat in cyberspace. Ursula von der Leyen recently urged the European Union to ‘develop “new defensive tools” in the fields of quantum computing and artificial intelligence to deal with an increasingly assertive China.’ Russia appears aggressive in its promotion of technologies of ‘digital authoritarianism,’ as it does in other areas, but it remains vulnerable and institutionally weak in its application of these technologies.