The ‘Vulkan’ leak: documents from a little-known firm reveal Russia's digital authoritarianism strategy

Eleven international publications, including Suddeutsche Zeitung, the Paper Trail Media & Spiegel consortium, The Guardian, The Washington Post, and the Russian outlet Important Stories, published reviews of over 5,000 internal Vulkan documents last week. Manuals, technical specifications, internal emails, financial reports, and contracts for software developed by Vulkan for the Ministry of Defence, the FSB, and the Foreign Intelligence Service are among the items in the leaked archive.

Containing documents spanning the period between 2016 and 2021, the archive is the first leak to reliably uncover parts of Russia's complex digital authoritarianism infrastructure, which aims to achieve three main objectives: 1) conducting cyberattacks in ‘unfriendly’ countries; 2) astroturfing, which is the imitation of public opinion on social media, and generating corresponding fake content; and 3) censorship, in particular, isolating certain segments of the Internet from the outside world and filling them with fake and pro-government content.

Until now, perceptions of Russia's activities in these fields were limited to suspicions of collaboration between Russian secret services and a number of hacker groups, as well as fragmented, albeit numerous, testimonies regarding the activities of Prigozhin's ‘troll factory’. Vulkan's activities consisted of providing software to help the government achieve its goals in the three aforementioned areas, so this leak is significant because it allows for a detailed map of the Kremlin's cyber activity.

One of the most notable systems created as part of these orders is Scan-V, a software system that connects Vulkan to the notorious hacker group Sandworm. US intelligence agencies suspect that Sandworm’s hackers have twice caused power outages in Ukraine, disrupted the Olympics in South Korea, and launched the NotPetya virus, which proved to be one of the most damaging viruses in history, in terms of its impact to the global economy. Scan-V serves as a kind of industrial base for hackers' operations: it identifies and collects vulnerabilities in computer systems all over the world for future exploitation. According to The Washington Post, potential hacking targets include the Swiss Ministry of Foreign Affairs, nuclear power plants, US Internet server maintenance centres, and other civilian infrastructure.

Another piece of software known as Krystal-2 teaches the Russian military to hack critical network infrastructure and tamper with air, sea, and rail transport. Another notable Vulkan creation is the Amezit system, Important Stories note. The Russian Ministry of Defence can use this system to monitor all Internet users in a given territory, to block sites deemed undesirable by censors and to force the ‘correct’ content onto those users. However, there have been no documented instances of this technology's use. At the same time, one of the Amezit subsystems functions as a command centre for ‘troll factories,’ enabling bot creation and content generation on the Internet with just a few mouse clicks. This is essentially astroturfing software (in our previous article ‘Putin's Fans or Kremlin Bots?’ we discuss the technologies used to create artificial public opinion and artificial public campaigns on social networks). Amezit is capable of creating hundreds of bots on Facebook, Twitter, and YouTube that mimic real users by posting, liking, and commenting, boosting the popularity of pro-government content, and thus promoting the narratives desired by the government, while also creating the appearance of ‘correct’ public opinion.

This functionality of Amezit was first tested in the #pidobama Twitter campaign, with real-world implementation on the eve of the 2016 US presidential election, when bots were actively posting tweets against Hillary Clinton and in support of Trump. Following that, Amezit's artificial users were involved in the development of a conspiracy theory surrounding the murder of Colonel Maxim Shapoval, head of the special forces of Ukraine's Chief Intelligence Directorate, the denial of information about civilian deaths in Syria caused by Russian bombing, and attempts to influence public opinion during Armenia's parliamentary elections in 2017.

‘This leak suggests that Russia views attacks on critical civilian infrastructure and social media manipulation as parts of the same mission, which boils down to an attack on the enemy's will to fight,’ cyber threat experts who reviewed the Vulkan documents note. ‘The leak confirms that Putin sees himself as a leader locked in a perpetual war against the West,’ the Guardian adds. ‘Meanwhile, Putin's desire for total control within Russia grows, and Russia is edging closer to China regarding Internet access.’

Western countries clearly feel threatened by a Russian president who himself has never used the Internet. The paradox is that Russian activity in this field is, for one thing, vulnerable to leaks and, for another, ineffective. For example, since Russia’s full-scale invasion of Ukraine, experts have repeatedly highlighted the weak and uncoordinated nature of Russian cyber operations, which have had little impact on the course of hostilities. This is despite the Kremlin's apparent focus on this area in recent years.