The NTC Vulkan Files:
Implications for Cybersecurity and Businesses


National habits and perspectives on waging war are apparent in cyberspace. From aggressive Israeli responses to regional cyber threats to China's cyber espionage activities aligned with Communist Party interests, nations exhibit unique cybersecurity practices. The recent NTC Vulkan leak, involving thousands of pages of secret documentation related to Moscow's cyber and information operations capabilities, highlights Russia's obsession with social control and non-kinetic interference.

Understanding the NTC Vulkan Files:

An unhappy employee of a contracting firm associated with Russian military and security services leaked over 5,000 documents, including manuals, reports, and software specification sheets, dating from 2016 to 2021. The documents detail applications and database resources developed by NTC Vulkan for use by Russian intelligence agencies, revealing links to known threat actors like Military Unit 74455 (Sandworm). 

Capabilities and Tools:
The leak provides insight into tools geared towards large-scale attack preparation and automated disinformation dissemination. Among these tools are "Skan-V" or "Scan," an information gathering application for operational reconnaissance, and "Amezit" and "Krystal-2B," both focusing on offensive operations against critical infrastructure targets and automating disinformation campaigns.  

Evolution of Russian Cyber Warfare:
The Vulkan leak demonstrates Russia's blended public-private digital security apparatus and an iterative evolution of its cyber warfare capabilities. Vulkan's close relationship with the state military-intelligence organs is similar to Moscow's connections with cybercriminal organizations, acting as private incubators of cyber warfighting capacity.

Information Confrontation:
Russian cyber developments align with the concept of "information confrontation" – non-standard methods of engagement to produce coercive leverage while avoiding escalation. Tools like Scan and Amezit reflect Russia's commitment to information control and scaling tactical effects to secure strategic gains.  

Misleading narratives: The Vulkan leaks debunk narratives of Russia's digital retreat from the open internet, emphasizing the need for vigilance and preparation.

Insider threats: Workforce diffusion from companies like NTC Vulkan to global technology firms poses potential insider threats. Employers should scrutinize those with employment history in the Russian economy and restrict access to critical systems.

Personalization of threats: Russia's cyber capabilities target sector- and firm-specific vulnerabilities at an unprecedented tempo. Defensive efforts must adapt to this evolving attacker perspective.

Optimism: As Russia's cyber capabilities evolve, their influence campaigns become more traceable. By understanding Moscow's unique political-strategic calculus, businesses can better combat the influence of incubation farms like NTC Vulkan.

Strategic Scalability and Cyber-Combined Arms: The Vulkan files suggest Russia is shifting toward a cyber-combined arms approach. The focus on infrastructure vulnerability assessment and compromise through automation, such as with Amezit, raises concerns. Although groups like Sandworm have been tied to major infrastructure attacks, those were well-resourced and time-intensive. The new tools enable automated attack surface assessment, reducing talent and resource demands while increasing the perceived political value of cumulative operations over single attacks.

Adapting to New Russian Cyber Threats:
As Russia adapts its execution of information confrontation, it learns from Chinese developments in social control and invests in the sophistication of operational capacities for network and psychological operations. The implications, however, remain tied to Russia's parochial context.

Monitoring and detection: Regularly monitor networks and systems for unusual activity and signs of intrusion. Implement advanced threat detection tools to identify and mitigate potential threats proactively.

Employee training and awareness: Educate employees about the risks of cyber warfare and the importance of following best practices in cybersecurity, including strong passwords, recognizing phishing attempts, and reporting suspicious activities.

Incident response planning: Develop and maintain an incident response plan to handle potential cyberattacks effectively. Regularly review and update the plan to adapt to new threats and tactics employed by adversaries.

Collaborate with industry partners: Share threat intelligence and best practices with industry partners, government agencies, and cybersecurity organizations to strengthen collective defense against cyber warfare.

Invest in cybersecurity infrastructure: Allocate sufficient resources to strengthen cybersecurity infrastructure, including hardware, software, and personnel. Regularly update and patch systems to address vulnerabilities and maintain robust security protocols.

The NTC Vulkan leaks highlight the evolving nature of cyber warfare and the need for businesses to adapt to emerging threats. By understanding Russia's unique cyber strategies and implementing proactive defense measures, businesses can better protect themselves from the implications of cyber warfare and maintain a secure operating environment.

Paul C Dwyer is the ICTTF President, recognised as one of the world's foremost experts on cyber security, risk and privacy.