An evaluation of the Vulkan files by many media and journalists shows that Russia's secret services FSB, GRU and SWR commission domestic companies to develop software and databases for cyber attacks, to look for vulnerabilities and to make them available to state hacker groups such as Sandworm.
The linchpin of the story is the Vulkan files, which were passed anonymously to the reporter Hannes Munzinger. Thousands of pages of secret material contain training documents for the Russian cyber army. The possible targets of attacks are summarized in these documents: paralyzing control systems for rail, air and ship transport, disrupting the functions of energy companies, and attacks on critical infrastructure.
Support for Russian state hackers
More than 50 journalists from well-known media such as SZ, Der Spiegel, paper trail media and ZDF were involved in evaluating the documents. The team of the ZDF programme Frontal has compiled the evaluation into a very detailed report, which is available in the media library.
The documents describe the tasks of the Russian company Vulkan: it is to provide a worldwide database of vulnerabilities, build tools for attacks, and develop software for taking over networks and completely altering their content. In this way, entire network segments in occupied areas are to display only the products of disinformation. The software Amesit-W is intended for this task. Russian intelligence authorities are already working with program components such as PMS and PRR, presumably to control the Internet content of the occupied territories in Ukraine.
Second battlefield in cyberspace
Analyses of the Vulkan files show that Russia is in fact testing all of its cyber weapons in Ukraine or using them there directly. The APT group Sandworm, for example, was initially regarded as an independent actor with no state connection, but now operates openly: the group is now known to be Unit 74455 of the Russian military intelligence service GRU.
At the beginning of the Ukraine war, the Sandworm group attacked public facilities, communications and facilities controlling the wider infrastructure. This alone caused considerable collateral damage, for example the attack on KA-SAT, which not only supplied Ukraine with Internet access but also serves European customers. After KA-SAT was paralyzed, access to 5,000 German wind turbines was also disrupted; they could no longer be controlled.
The current change in strategy also shows that state hackers such as Sandworm are acting in accordance with the Russian command: for some time now, the hackers have been attacking almost exclusively critical infrastructure, such as electricity and water supply, thermal power plants and other KRITIS (critical infrastructure) facilities. At the same time, the Russian army is attacking these same targets with drones and missiles.
Attacks under the cover of APT groups
In Europe, governments and companies that cooperate with Ukraine in any way or support sanctions against Russia are increasingly being attacked. This is also shown by the many reports from security specialists, for instance the finding that far more disruptive and destructive malware is in circulation. Check Point also stated this in its report. This type of software is not used for ransom or espionage. In geopolitical conflicts, it forms part of the arsenal of cyber weapons that specifically destroy data and structures.
Editor/sel