Recent revelations about the close cooperation between the Kremlin and NTC Vulkan, a Russian cybersecurity consultancy with ties to the military, provide rare insights into how Putin’s regime is weaponizing cyberspace.
More than 5,000 documents were leaked by an anonymous whistleblower, angry at Russia’s actions in the war in Ukraine. They claim to reveal details about hacking tools to take control of vulnerable servers; domestic and international disinformation campaigns; and ways to digitally monitor potential threats to the regime.
While caution is always advised before accepting claims of cyber capabilities, it is noteworthy that several Western intelligence agencies have confirmed the documents appear genuine.
The leak also confirms the view of many strategists that the Russian government treats offensive cyber capabilities as part of a holistic effort to degrade its enemies. Think of sowing distrust via social media, collecting kompromat (compromising material) and building the ability to attack critical infrastructure.
That list of enemies is long and has grown since Putin’s full-scale invasion of Ukraine in February 2022. Russia’s foreign policy concept identifies the United States as the “main source of threats” to Russian security.
But Ukraine, every member of NATO and the European Union, and several other states are identified as “unfriendly countries”, including Australia, Japan, Singapore and New Zealand.
War in the shadows
Russia uses a range of methods to wage war in cyberspace.
At one end of the spectrum, it uses groups linked to official agencies, such as the GRU (military intelligence) and the FSB (nominally a domestic intelligence service, though it also conducts missions abroad).
The GRU’s groups include Sandworm and Fancy Bear. Another group, Cozy Bear, is affiliated with the FSB.
One or more of these groups have been responsible for a series of high-profile cyber-attacks against a range of targets, including:
At the other end of the spectrum, Russian intelligence operations regularly employ armies of bots and trolls, as well as unsuspecting “citizen curators”, to spread false stories.
This is cheap and increases the distance between the attacker and its agents, allowing for plausible deniability.
Like biological warfare, it also weaponises the targets themselves, turning them into carriers that spread the narrative disease on its behalf.
Russian information campaigns are active worldwide, among nations it regards as both its friends and its adversaries. Russian-backed media can be found in Africa, where the Russian paramilitary organisation Wagner has been particularly active, as well as in South Asia and Australia.
In many ways, Russian intelligence operations mimic the geopolitical doctrine of the Soviet Union during the Cold War. This was aimed at courting areas of the world where the West was weakest.
But in the grey space between official agencies, useful idiots and unwitting proxies lies one area the Russian cyber war is increasingly emphasising: outsourcing. Some of these contractors, like Vulkan, retain an aura of prestige as consulting firms that do government work as well as contracting with other companies.
They also include the Internet Research Agency in St. Petersburg, which was used to coordinate social media attacks against the US Democratic Party during the 2018 midterm elections, leading to an indictment by the US Justice Department.
Others are organised criminal gangs, such as the aptly named EvilCorp (https://www.state.gov/transnational-organized-crime-rewards-program-2/maksim-viktorovich-yakubets/), which uses malware to collect people’s banking or personal information.
The November 2022 breach of Australian private health insurer Medibank was one example; it exposed sensitive patient health data, such as treatments for drug addiction or HIV.
The Vulkan Revelations
The Vulkan leak adds more detail to what we know about Russian methods, tactics and targets in cyberspace. The GRU group Sandworm is identified as having commissioned Vulkan to help build “Skan-V”, a piece of software that can scan the internet to detect servers vulnerable to hacking.
Another Vulkan project, known as “Fraction”, is designed to check social media sites for keywords to identify opponents of the regime, both at home and abroad.
An even larger project Vulkan appears to have been involved in was “Amezit”. This is a tool that allows operators to take control of the Internet, both in Russia and in other countries, and hijack information flows.
To function, its operators must be able to control physical infrastructure, such as mobile phone towers and wireless internet exchanges. Amezit can then be used to impersonate legitimate sites and social media profiles, remove content that could be considered hostile and replace it with disinformation.
Given the requirement to have physical infrastructure in place, it is clear that Amezit was designed not just as a piece of software, but to interact with the coercive instruments of a state.
This has both internal and external applications. Domestically, it could be used to silence dissent in troubled regions of Russia. In a war zone, such as Ukraine, it could be used alongside the Russian armed forces to intercept government communications and swap real sources of information for false ones.
The Vulkan leak also contained information about physical targets. While not an explicit list of targets, the software allowed users to map out physical infrastructure. This included airports around the world, the Swiss Foreign Office and the Mühleberg nuclear power plant near Bern.
In addition, the document drop contained mapped clusters of internet servers in the United States. And the Skan-V project identified a site in the US labelled “Fairfield” as a potentially vulnerable point of entry.
If the documents are correct, Vulkan’s work for the Russian government shows just how extensive the Kremlin’s efforts have been to monitor digital infrastructure, gather information about its vulnerabilities and develop the capability to hijack it.
Combating Russian cyber attacks
Cyber threats are insidious because they can be used in multiple combinations and aimed at different targets. Hack-and-leak campaigns against influential figures can be mixed with attempts to sabotage vital infrastructure, conduct corporate espionage, undermine social cohesion and trust, and push fringe narratives to the political centre.
They can be introduced drop by drop into the digital ecosystem. Or, as with the campaign that accompanied the Russian takeover of Crimea in 2014, they can be deployed all at once in a cyber storm.
This makes cyber-attacks very difficult to build resilience against, and even more difficult to deter. They are a potentially massively disruptive weapon that can lead to real casualties. For example, shutting down the power grid in a city can lead to deaths of people on ventilators in hospitals, traffic accidents and exposure to extreme cold in certain regions.
But such attacks also reach beyond infrastructure and industry to target social pressure points: the institutions, ideas and people of a state. This makes them particularly useful in attacking democracies, turning the open and free exchange of views into a potential vulnerability.
As the Vulkan leaks show, hostile governments have bigger ambitions in cyberspace than turning off the lights. They try to encourage us to doubt what we believe to be true and turn us against each other.
Recognising this will be a crucial step in preventing the toxic seeds of disinformation from taking root.