cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Leaks from a Russian contractor reveal state plans for hacking and misinformation campaigns

A disgruntled employee of a Russian defence contractor has shared a raft of documents and mock-ups with a German journalist after expressing disgust at Russia’s ongoing war in Ukraine.

user icon David Hollingworth
Fri, 31 Mar 2023
Leaks from a Russian contractor reveal state plans for hacking and misinformation campaigns
expand image

The files from NTC Vulkan — headquartered in Moscow — reveal a series of planning documents for spreading misinformation via social media and for targeting critical civilian infrastructure in countries from the US to Switzerland.

The leaked documents — now known as the Vulkan Papers — have been examined by a number of leading news outlets (including the Washington Post and Germany’s Der Spiegel) and security and intelligence experts and seem to be legitimate. A number of current Vulkan employees, speaking anonymously, have also confirmed the papers as the real deal.

The documents were shared in the early days of Russia’s invasion.


“The company is doing bad things, and the Russian government is cowardly and wrong,” the leaker told a German journalist, according to the Washington Post.

Not all of the files seem to represent actual actions on behalf of Vulkan or the Russian government, though.

“The documents do, however, refer to state-mandated testing, changes desired by the clients and finished projects, strongly suggesting that at least trial versions of some of the programs were activated,” the Washington Post reported.

Vulkan is known to have close ties with Russia’s foreign intelligence service, the SVR, and likely has close ties with the GRU as well. Contractors are as important to Russia’s offensive cyber operations as contractors such as Wagner are to its kinetic operations.

The documents included test phishing emails that had been sent to and from Vulkan addresses, as well as diagrams representing the concentration of internet infrastructure in the continental USA. Other files seem to be project design documents to coordinate and spin up offensive operations spread between different cyber units.

Project Amezit does seem to have been put into wider use, however. This project covers the creation of large numbers of fake social media accounts using banks of SIM cards. Reporters from Le Monde, Paper Trail Media, and Der Spiegel believe they have found evidence that these systems have been used in a number of misinformation campaigns in a number of countries — including in the 2016 US presidential campaign.

Another document includes a map for tracking IP addresses and physical infrastructure, as well as operating systems running at those locations. The Muhleberg Nuclear Power Plant, west of Bern in Switzerland and offline since 2019, is one such tracked location.

The Amezit platform was also part of a 2018 training program to teach operators how to “disable [incapacitate] control systems for rail, air and sea transport”, though it is unclear if this program ever reached operational capacity.

The papers have been examined by five Western intelligence agencies.

“This wasn’t meant to be ever seen publicly,” an intelligence official told the Washington Post, speaking anonymously.

“But it makes sense to pay attention. Because you better understand what the GRU is trying to do.”

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.