Connect with us

Hi, what are you looking for?



Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks

Documents show that Russian IT company NTC Vulkan was requested to develop offensive tools for government-backed hacking group Sandworm.

Documents leaked from Russian IT contractor NTC Vulkan show the company’s possible involvement in the development of offensive hacking tools, including for the advanced persistent threat (APT) actor known as Sandworm, Mandiant reports.

Based in Moscow, NTC Vulkan advertises its collaboration with Russian organizations and government agencies, without mentioning any involvement in the operations of state-sponsored groups or intelligence services.

Documents dated between 2016 and 2020, however, show that the company has been contracted by Russian intelligence, including the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) Unit 74455 (also known as Sandworm, Telebots, Iron Viking and Voodoo Bear), for the development of tools, training programs, and an intrusion platform.

The leaked documents, referred to as The Vulkan Files, were obtained by a whistleblower and analyzed by Mandiant in collaboration with several major media outlets in Europe and the United States. 

While it is unclear whether the required capabilities have been indeed implemented, the documents, which Mandiant believes to be legitimate, do show NTC Vulkan’s involvement in projects to enable Russia’s cyber and information operations (IO), potentially targeting operational technology (OT) systems.

“Mandiant did not identify any evidence indicating how or when the tools could be used. However, based on our analysis of the capabilities, we consider it feasible that the projects represent only some pieces of a variety of capabilities pursued by Russian-sponsored actors to conduct different types of cyber operations,” Mandiant notes.

Three projects are detailed in the analyzed documents, namely Scan (dated 2018-2019, supports large-scale data collection), Amesit (also called Amezit and dated 2016-2018, the tool supports IO and OT-related operations), and Krystal-2B (2018-2020, a framework for simulating coordinated IO/OT attacks via Amesit).

Advertisement. Scroll to continue reading.

A comprehensive tool for information gathering, Scan can harvest network, configuration, and vulnerability details, along with other types of data, automating reconnaissance in preparation of operations and requiring coordination across operators.

“A framework like the one suggested in the Scan project illustrates how the GRU may be trying to enable fast-paced operations with high coordination among regional units. A once-segmented GRU cyber operation may become streamlined and more efficient using a framework like Scan,” Mandiant notes.

Focused on forming and manipulating public opinion, Amesit can manage the full information operations lifecycle, including the monitoring of media, creation and dissemination of content, and assessing an operation’s effectiveness.

Designed to support offensive and defensive exercises, Krystal-2B is a training platform for attacks targeting OT environments in coordination with IO components and uses Amesit for disruption. The platform simulates attack scenarios targeting transportation and utility systems.

“Amesit and Krystal-2B demonstrate a high value placed on the psychological impact of offensive cyberattacks, specifically OT operations, by highlighting the role of information operations in determining the impact of an ICS incident. The combination of different tactics in cyber operations is familiar to Russian cyber operations,” Mandiant notes.

The documentation associated with the three projects provides requirements on data collection and processing, describes capabilities available for operators, and outlines attack paths and methods to avoid identification, while showing Russian intelligence’s interest in critical infrastructure targets, such as energy, oil and gas, and water utilities and transportation systems.

Related: Cyber Insights 2023 | The Geopolitical Effect

Related: Microsoft Links Prestige Ransomware Attacks to Russian State-Sponsored Hackers

Related: Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...