Flash Report: Whistleblower Documents Disclose Russian Government Cyberwarfare Tactics

Key Findings

• A Russian government subcontractor employee has leaked thousands of documents detailing Russia’s cyberwarfare capabilities.
• The leaked files, now called the Vulkan Files, have drawn comparisons to the immensity and importance of the documents leaked by Edward Snowden in the United States in 2013.
• These files demonstrate the Russian government’s focus on its cyberwarfare capabilities and its multilayered approach to advancing these capabilities.
• The Vulkan Files likely diminish the ability of the Russian government to utilize plausible deniability to distance itself from cyber actions that have taken place in parallel with its military actions.

Analyst Commentary

An unnamed whistleblower has provided nearly a dozen European and American media outlets with thousands of documents from a Russian government subcontractor named Vulkan.^[1] The whistleblower, who indicated that they were disillusioned by Russia’s war in Ukraine, began providing the documents to the media outlets shortly after Russia’s invasion of Ukraine in February 2022. Since that time, the various media outlets—which include the United States’ Washington Post, Germany’s Der Spiegel, the United Kingdom’s The Guardian, and France’s Le Monde—have worked together to analyze invoices, emails, and projects that Vulkan has been engaged with since 2016 and draw conclusions about the Russian government’s cyberwarfare capabilities.^[2][3]

The files indicate the Russian government has contracted for a multilayered approach to cyberwarfare. This includes utilizing Vulkan’s technology to map out the internet to identify vulnerabilities to be cataloged for possible exploitation later, monitoring and surveilling certain parts of the internet, and creating fraudulent social media accounts in order to spread propaganda around various topics.^[4] 

The leaked documents offer a rare glimpse into the depth and breadth of the cyberwarfare tactics that the Russian government has strategically focused on over the last decade and demonstrate the lengths to which Russia will go to obtain such tools to have at its disposal. This exposure has drawn comparisons to the 2013 leaks by U.S. National Security Agency contractor Edward Snowden, which included thousands of documents detailing surveillance being conducted throughout the world.^[5]

Despite suspicions to the contrary, the Russian government had thus far been able to maintain plausible deniability regarding cybercriminals advancing foreign policy goals through cyberattacks that were in support of the state but not directly linked to the government. However, the findings from the Vulkan Files likely demonstrate that there are direct links between the cybercriminals’ actions and the Russian government, as Vulkan has been tied to both Russian security services and Sandworm—the Russian military hacking group accused of launching the NotPetya malware.^[6] As shown below, these leaked files demonstrate the measures that the Russian government has taken not only to monitor and surveil the internet where possible and engage in offensive attacks but also to manipulate the internet in its favor.

Scope Note

ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 8:00 AM (DST) on April 3, 2023; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

^[1] hXXps://www.theguardian[.]com/technology/2023/mar/30/vulkan-files-leak-reveals-putins-global-and-domestic-cyberwarfare-tactics

^[2] hXXps://www.theregister[.]com/2023/03/31/vulkan_files_russia/

^[3] hXXps://www.lemonde[.]fr/en/pixels/article/2023/03/30/inside-vulkan-the-digital-weapons-factory-of-russian-intelligence-services_6021230_13.html

^[4] hXXps://www.washingtonpost[.]com/national-security/2023/03/30/russian-cyberwarfare-documents-vulkan-files/

^[5] hXXps://www.theguardian[.]com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded

^[6] hXXps://www.spiegel[.]de/international/world/the-vulkan-files-a-look-inside-putin-s-secret-plans-for-cyber-warfare-a-4324e76f-cb20-4312-96c8-1101c5655236