The Vulkan Files – TTG

As a part of Mandiant’s research on Russian cyber and information operations (IO) capabilities, Mandiant worked with a collective of media outlets, including Papertrail Media, Der Spiegel, Le Monde, and Washington Post, to analyze several documents belonging to a Russian IT contractor named NTC Vulkan (Russian: НТЦ Вулкан). The documents detail project requirements contracted with the Russian Ministry of Defense, including in at least one instance for GRU Unit 74455, also known as Sandworm Team. These projects include tools, training programs, and a red team platform for exercising various types of offensive cyber operations, including cyber espionage, IO, and operational technology (OT) attacks.

The documents, which are dated between 2016 and 2020, offer a brief snapshot of previous Russian investments and considerations in scaling cyber operations and capability development. However, Mandiant lacks evidence to prove that the capabilities we discuss have been implemented or are feasible. 

A note on source authenticity: Mandiant cannot conclusively confirm the authenticity of these documents based on limitations in our current visibility. However, we strongly suspect they are legitimate based on consistencies observed across the documents we reviewed, limited instances where we were able to validate details externally, and an apparent alignment between the capabilities detailed for development in these programs and those that we have previously observed used at high levels by Russian intelligence services.

NTC Vulkan is a Russian IT contractor based in Moscow, which publicly advertises working on contracts with large companies and government agencies within Russia. The company’s website cites compliance with Russian government standards but does not publicly state working with Russian state contractors, such as research institutes or Russian intelligence services. Based on our analysis of the leaked documentation, NTC Vulkan has held contracts with Russian intelligence services on projects to enable cyber and IO operations, potentially in tandem with cyber operations against OT targets.

The documents detail three projects: Scan, Amesit, and Krystal-2B. 

Table 1: Summary of main projects identified in NTC Vulkan documents

Comment: The appearance of the Vulcan Files bears a striking resemblance to Snowden’s leak of NSA surveillance practices and tools. In this case, it looks to be the work of a disgruntled employee of a Russian tech company doing work for the GRU, FSB and SVR. The Guardian describes the leaker thusly:

The Vulkan files, which date from 2016 to 2021, were leaked by an anonymous whistleblower angered by Russia’s war in Ukraine. Such leaks from Moscow are extremely rare. Days after the invasion in February last year, the source approached the German newspaper Süddeutsche Zeitung and said the GRU and FSB “hide behind” Vulkan.

“People should know the dangers of this,” the whistleblower said. “Because of the events in Ukraine, I decided to make this information public. The company is doing bad things and the Russian government is cowardly and wrong. I am angry about the invasion of Ukraine and the terrible things that are happening there. I hope you can use this information to show what is happening behind closed doors.”

Both The Guardian and Der Spiegel have written informative articles on the Vulkan Files. ZDF also has a good video on YouTube with English subtitles.

The project I find most interesting, although not most dangerous, is Amezit. Amezit’s primary target is the Russian internet and Russian internet users. It can take total control of the Russian internet, although I thought the FSB, and FAPSI before that, long had this capability. Much like the disinformation factory, the St Petersburg-based Internet Research Agency, Amezit is a tool for automated domestic propaganda. This is not surprising. A tenet of both Soviet and Russian information confrontation was to target the minds of the domestic populace, to perform a systematic campaign of reflexive control on the Russian people. This is far beyond just seeding a few stories among the media. The bright side in this is that Amezit can only be used where the physical infrastructure of the internet is controlled… at least for now.


This entry was posted in Intelligence, Russia, TTG. Bookmark the permalink.

22 Responses to The Vulkan Files – TTG

  1. SRW says:

    A little bit off the subject but I just read this blurb from the Financial Times:
    Russia Confiscates Passports of Senior Officials
    April 3, 2023

    “Russia’s security services are confiscating the passports of senior officials and state company executives to prevent overseas travel, as paranoia over leaks and defections spreads through President Vladimir Putin’s regime,” the Financial Times reports.

    “The increased pressure reflects deep suspicion in the Kremlin and FSB, the KGB’s successor agency, about the loyalty of Russia’s civilian elite, many of whom privately oppose the war in Ukraine and are chafing over its impact on their lifestyles.”

  2. JamesT says:

    So both the Russian government and the US government are trying to control the minds of their citizens. I have no doubt the the skill level and budget of the US team is much larger.

    • TTG says:


      Amezit is a Russian program. The US doesn’t have an equivalent program. I’ve been around the US IO community for years and have seen nothing like this or even a desire for anything like this. Sure the USG wants to get its message out its citizens and will use every trick in the “Madison Avenue” book to do so, but it’s not violating established laws and Constitutional protections to do so. Now the ability to monitor US-based communications is something we can do and often do, but even our capability to do this is exaggerated. Every word you say is not recorded by the USG. Commercial entities are much more engaged in this activity.

      • Sam says:

        Sure the USG wants to get its message out its citizens and will use every trick in the “Madison Avenue” book to do so, but it’s not violating established laws and Constitutional protections to do so.


        What about what was disclosed by Twitter Files, where the US national security apparatus was determining who and what opinions that contradicted the government narrative on covidianism would be censored surreptitiously?

        I was under the impression that the US intelligence apparatus was prohibited from domestic propaganda.

        • TTG says:


          Twitter was never directed or threatened to censor any content by government entities including the FBI and/or the Trump White House. The FBI did warn Twitter that the Hunter Biden laptop stories may not be true or may contain planted info. They did not prohibit Twitter from publishing those stories. Nor they they prohibit the NY Post from publishing those stories. The Trump White House often asked Twitter, not forced Twitter, to take down posts. Lots of people and organizations did that. I think it was the Democrats, not the FBI, that pushed Twitter not to publish Hunter Biden dick pics. Republicans were mightily upset that the dick pics weren’t published, but I also think that decision was due to a standing Twitter policy on pornography, not the Republican or Democratic stance on the dick pics. Twitter decides what’s published, not published, amplified and not amplified. The whole idea of shaping content like this strikes me as manipulative, but that’s a private business problem, not a government problem.

          • Sam says:


            I don’t believe the US intelligence apparatus role in censorship was as benign as you state.

            In his last days in office, President Barack Obama made the decision to set the country on a new course. On Dec. 23, 2016, he signed into law the Countering Foreign Propaganda and Disinformation Act, which used the language of defending the homeland to launch an open-ended, offensive information war.


            ““Follow the science,” they said throughout the pandemic. You can’t do that if you suppress scientific debate.”
            — Prof. Dan Halperin in @WSJopinion


            The Biden White House pressured Meta to moderate “vaccine-skeptical” content on WhatsApp

            This is fundamentally different from social media, since WhatsApp is used for private communication

            My report, based on legal documents obtained through discovery


            8.This story is important for two reasons. One, as Orwellian proof-of-concept, the Virality Project was a smash success. Government, academia, and an oligopoly of would-be corporate competitors organized quickly behind a secret, unified effort to control political messaging.


            One would have to be asleep to not know of the censorship of dissenting scientific voices to the covidian orthodoxy. You believe the government played no role in this but in the several court cases and Matt Taibbi’s reporting on the emails among government officials and social media companies there is evidence of coercion. Which of course wasn’t necessary as the media powers were already in on the covidian narrative.

            This episode is a stark reminder of how quickly even in the US an “emergency” can be created and citizens rights endowed by their Creator can be abrogated without Congress legislation. Any American despite their partisan stripe should step up to prevent authoritarianism. We know it can happen swiftly as we experienced it!

          • Fred says:


            Trump, of course, did not direct the government to do any of those things. Bureaucratic employees aligned with the other political parties did exactly those things.

          • TTG says:


            People within Trump’s White House did do those things as did people within Biden’s campaign.

            “Both parties had access to these tools. For instance, in 2020, requests from both the Trump White House and the Biden campaign were received and honored,” he said, adding that “celebrities and unknowns alike could be removed or reviewed at the behest of a political party.”

      • JamesT says:


        I respect your knowledge and expertise in this area. You have been on the inside and you know way more about this stuff than I can ever hope to.

        That said – I know how the internet works and I don’t understand what “Amezit’s primary target is the Russian internet and Russian internet users. It can take total control of the Russian internet …” means exactly.

        I presume it means they can control what Russian ip addresses that Russians connect to – so they can take down a website located in Russia. But Russians can use Whatsapp and Twitter – and those servers and those companies are located outside Russia so Russia can’t control them. Russia has tried to block such apps in the past and has failed. And unlike the US govt, Putin can’t send Twitter execs spreadsheets full of Twitter users who he wants banned.

        I speculated a couple of days ago about an upcoming war between America’s government and America’s teenagers concerning Tiktok. I opined that America’s teenagers will win that conflict. If the US government in fact successfully bans Tiktok then I will be forced to conclude that the US government can control its citizens “internet” more successfully than Russia can control their citizens “internet”. But I am putting my faith in American teenagers to outwit their elders.

        • TTG says:


          Russia has been working on a project to unplug themselves from the global internet in an emergency since 2014. I don’t know if they have that capability now or not, but they can probably, at least, get close. This Amezit project might be part of that effort. Right now, I doubt they have any intention to do so. I thought I read that several major providers have stopped providing services to Russia. I also heard that Yandex is having trouble paying their bills and is having serious outages as a result. This won’t disconnect Russia. The internet is pretty resilient unless you want to be cut off, even then, I doubt if it’s easy.

          Their monitoring and censorship efforts are pretty robust. SORM has been around for ages. New monitoring/censorship efforts in the Main Radio Frequency Center have been supercharged in the last year. A Belarussian hacking team called Cyberpartisans stole a buttload of documents describing these new programs last October. I haven’t seen any of those files.

          • TTG says:


            I forgot to add I’m with you 100% on TikTok. Unless a concerted effort to push a major Chinese propaganda or disinformation campaign is discovered on TikTok, I don’t see a problem. Those efforts have been found on FaceBook and Twitter yet no one’s panties are in a wad over banning those platforms. Facebook and Twitter are probably collecting more info on their users than TikTok. I don’t trust them with that information any more than I’d trust TikTok and China with it. But if our selfie obsessed population want to continue oversharing, no one’s going to stop them.

            None of those programs should be allowed on government computers or smartphones. I would think a lot of corporations wouldn’t want those apps on corporate devices either. That’s just common sense. But Americans aren’t going to give up their smartphones or any of these social apps in their private lives.

          • LeaNder says:

            I also heard that Yandex is having trouble paying their bills and is having serious outages as a result

            Yes, ‘Life isn’t fair’? By now our BSI. Federal Office for Information Security warns against the use of Kaspersky too.

            Translated with (free version)

            Why does the BSI warn against the use of Kaspersky antivirus software?

            Anti-virus software has profound rights of intervention in PCs, smartphones, laptops and other IT infrastructures. Trust in the reliability and self-protection of the respective manufacturer as well as its authentic ability to act is therefore crucial for the safe use of such systems. If there are doubts about this, antivirus software poses a particular risk to an IT infrastructure that is to be protected, precisely because of its deep rights of intervention. In the context of the war that Russia is waging against Ukraine, a Russian IT manufacturer could itself carry out offensive operations, or be forced to attack target systems against its will, or be spied on as the victim of a cyber operation without its knowledge, or be misused as a tool for attacks against its own customers. All users of antivirus software can be affected by such operations, companies and authorities with special security interests as well as operators of critical infrastructures in particular. Therefore, the BSI recommends replacing applications from Kaspersky’s portfolio of antivirus software with alternative products.

            I don’t chance anything, but ‘rights of intervention’ stands for ‘Eingriffsrechte’, which alludes to the fact that Virussoftware operates on the level of system rights, which are profound. I am at a loss at moment how to translate it.

            Could, would? A lot of Western firms support the Ukraine one way or another.

            My licence will soon be up for its regular 2-year renewal. I use Kaspersky for several decades now. But the warning shows up in comment sections. Back to Russiagate in variations???

          • LeaNder says:

            I don’t change anything

  3. Babeltuap says:

    I’m sure Twitter, Google and FB had a real choice…meh. When the Fed comes knocking you do as told. FBI knew the laptop was legit. They had the actual laptop and the best computer experts on the planet look at it. The story was killed.

    • TTG says:


      These companies and most others do not show the FBI the respect or deference you seem to think they do. These companies know the law, have lawyers and are not afraid to use them. I’ve seen the FBI try to get cooperation from these companies for years. They get only what these companies want to give them when they want to do so. The FBI has the laptop, but hasn’t disclosed results of their analysis. Others who have performed forensic analyses on copies of the hard drive authenticate some data and have found anomalies and problems with a lot of the data. The story wasn’t killed. It was published by the New York Post.

      • Babeltuap says:

        Believe what you want TTG. Others like myself believe the exact opposite:

        “We just kept finding these government agencies… These people used to work at the FBI. The CIA shows up, Department of Homeland Security, and the story quickly shifted for us from it was just very progressive people being biased in their content moderation to this huge operation by US government officials, government contractors, and all of these sketchy NGOs, basically demanding that Twitter censor people.

        It became clear to us that the government had turned its propaganda and disinformation campaigns waged abroad against the American people…”

      • Fred says:


        The story wasn’t killed, no not at all. The ability of the NY Post to have its truthful story about the criminal conduct of the Biden family was just suppressed by other media outlets with the collusive efforts of the US Government.

    • TTG says:

      Gordon Reed,

      Murray raises a good point. When are these files, even in cyrillic, going to be released to the public? I’d like to see the 300 some odd page manual for Amezit. On the other hand, the files contain a lot of emails from Russian developers now working for Western IT companies. I think some discretion is a prudent move.

  4. scott s. says:

    Amezit sounds like a good fit for the Restrict Act. Maybe Warner can get Vulkan on board. (and here I thought Vulkan was referring to a new graphics API!)

  5. Peter Williams says:

    One has to wonder about a report that still refers to Russian Military Intelligence as the GRU when it was renamed GU years ago. Bit like referring to the CIA as OSS.

    • Leith says:

      It is still commonly referred to as the GRU. It really does not make sense to call it GU, the ‘main directorate’, as there are other main directorates within the General Staff.

Comments are closed.