Information disclosed in the leaked NTC Vulkan papers allows us to investigate the high probability of cooperation between the Russian private software development company and the Russian Ministry of Defense, namely, the GRU (Sandworm), and possibly others. While we could neither confirm nor deny the authenticity of the leaked documents, we have reason to believe that they are genuine, as we have noticed consistent patterns and details throughout the documents that we have examined, which Trustwave SpiderLabs will highlight below.
The documents highlight three software suites, which if fully developed, could allow Russian specialists to launch cyberattacks reaching political and military objectives. The software systems contain tools and capabilities (Scan-V and Amezit-V), training programs (Krystal-2V). Together they are a platform to practice and carry out different types of offensive cyber activities, such as cyber espionage, information operations, and attacks on operational technology systems.
At first glance, Amezit-V appears to represent totalitarian thinking in that its purpose is to follow a target's online behavior, check its social media posts, and push specific news and articles that amplify Russian disinformation and influence operations. Amezit -V’s suite of tools operates within global social media networks, such as Facebook, which could push out and increase the rate of disinformation and influence operations posts. This software system could build and form public opinion anywhere in the world by creating and using fake accounts (bots), social media groups, etc., and quickly taking down or promoting news stories.
Figure 1. The software system operational schema with data flows mentioned in the leaked documentation.
The software systems mentioned have a variety of offensive abilities that can target networks around the world. Scan-V can scan targeted systems, explore the target’s infrastructure, collect organizational data, and collect vulnerability information based on the targeted server’s software. Amezit-V is a complex suite of software tools that allow a variety of online operations.
It is a universal online environment manager, a software system (cyber weapon) that operates as a psychological operations enhancement device through its ability to manipulate public opinion. This is done by isolating network segments and introducing content that only furthers the attacker’s disinformation goals.
Krystal-2V is an educational and training platform teaching its operators to employ a variety of scenarios using offensive and defensive actions, including targeted critical infrastructure attacks.
The leaked documentation details Amezit V and Scan V being developed by the Russian IT company NTC Vulkan. The documentation also contains the requirements for Kristal-2V, including the software system description, system interface examples, and communication protocol from software system to inner storage system. Here “V” is a transcription of the Russian letter V (B) which is the third letter in the alphabet and could stand for third generation or version of the software system. In English it could be letter C to illustrate the third letter in the alphabet. We left a direct transcription as letter V.
ПАК «ЦУСС» (SHC CCSF)
The leaked Vulkan documents mention the development of ПАК «ЦУСС» “software and hardware complex for centralized control of special forces” (SHC CCSF).
Figure 2. Software and hardware complex for centralized control of special forces description.
Product name: software and hardware complex for centralized control of special forces.
Abbreviated product name: SHC CCSF.
SHC CCSF is designed for the integrated management of special forces and means and decision support in the preparation and conduct of special events.
Scope of SHC CCSF management of special forces and means, decision support in the preparation and conduct of special events.
The documentation also provides this additional information:
- setting tasks in the preparation and holding of special events and delegation of tasks, taking into account distributed input-output systems of information and hierarchies of user roles;
- presentation of situational information in graphical form to the operators of the Local Loop Control Subsystem (PU-L);
- transfer of data about objects to the APK "Scan-AS" ("Storage" subsystem);
- storage of forms of objects and scenarios of special events;
- data exchange between promising geographically distributed special units;
- integrated management of promising territorially distributed special units;
- administration of the components of the SHC CCSF;
- replication of data from external sources to the local storage of the APK "Scan-AS" ("Collection" subsystem);
- aggregation of the received information with the possibility of decentralized data processing;
- updating information about communication networks (ICS) and vulnerabilities of elements stored in a decentralized database (DB), based on data from external sources;
- visualization of information from the database on a heterogeneous graph with the ability to update the network topology and vulnerabilities based on data from external sources;
- manual entry of data on personnel, staff structure and binding to the network topology (name of departments, positions, e-mail, comments, etc.);
- construction, editing, and visualization of multilevel heterogeneous network infrastructure graphs.
The leaked documentation describes the SHC CCSF product including the operation and data flow that is going on inside its layers. Figure 3 shows the main information collection system description.
Figure 3. Schema of information flows of SHC CCSF.
The schema illustrates the information flow and its connections, access restrictions, API communication between nodes, data processing, storage, communication with the local processing network, and manual data transition from an “unsafe” to a “safe” environment with the restricted network by copying data independently via CD/DVD/USB. The document describes database structures and their fields and allows us to see the chunks of information that would be gathered into the databases.
The software system provides a communication interface to other “hardware-software complex Distributed Control Systems.” In other words, the software suite developed by NTC Vulkan is ready to communicate and integrate with other software systems.
Documents in the published schema leaked the location of one of the data centers in Kursk, a city in Russia. Further research revealed a connection between НИИЦ г. Курск (a Scientific Research Center) in the city of Kursk, and it appears that this organization is related to the Ministry of Defense of the Russian Federation. Figure 4 identifies one of the points of the software system’s operation, also located in Kursk.
Figure 4. The schema introduces one of the points of the software system operation, Kursk, Russian Federation.
The leaked documents also describe the DB synchronization processes. The SHC CCSF description includes software and hardware requirements for the software system implementation. These requirements are shown below.
Hardware for operators
DELL XPS 15 9575 - Dell Notebook
DatAshur Pro 64 Gb - Encrypted USB Memory Stick
DVD-RW Dell 784-BBBI USB - external DVD±RW (±R DL) / DVD-RAM drive
Winyao USB 1000F-SX - USB toFiber network adapter (1000Mb/s)
USB 2.0 AF/BM - USB Female adapter
FS.COM S5800-8TF12S - 12 Port Ethernet switch
Minimal Server requirements
2x Intel Xeon Х5680 3,33 GHz/64GB RAM/8TB Drive
Table 1. Software system hardware requirements mentioned in documentation.
TileServer GL (was OpenStreetMap)
Map representation application
Free and open-source service networking platform to automate network configurations, discover services, and enable secure connectivity across any cloud or runtime, developed by HashiCorp
Fully encrypted, 100% open source video conferencing free solution — with no account needed
An open source solution for implementing DHCP servers, relay agents, and clients. ISC DHCP supports both IPv4 and IPv6, and is suitable for use in high-volume and high-reliability applications
A suite of software for interacting with the Domain Name System. Its most prominent component, named, performs both of the main DNS server roles, acting as an authoritative name server for DNS zones and as a recursive resolver in the network
Linux Base OS
Windows 10 Pro
Windows Base OS
Windows Professional 8.1
Windows Base OS
Secret Net Studio version > 8.
Comprehensive solution for protecting workstations and servers. Allows you to monitor the integrity of the OS, monitor the connection and many others.
Kaspersky Endpoint Security > 10
Microsoft Office > Standard 2016
The lists did not include any Russian-based developed software, except for Kaspersky. It seems that the Russian software industry does not have alternatives for globally recognized products, even while developing such special operations software tools.
Figure 3 shows us the placement of one of the software modules for Scan-V in all its operational flow.
Scan-V is a part of the ПАК «ЦУСС» (SHC CCSF) software system. It is used to scan targets specified by the main software system. Scan-V uses different scanning techniques to gather all possible information about the target, including management and organizational data in the target’s databases.
The data format protocol allows us not only to see how data is structured but also reflects the software that was used to scan and gather information about targets.
- Scanners: Nmap, Nessus Network Monitor, some Russian unidentified application.
- Targeted items: Cisco parameters, Email files, Email Databases, traffic Pcaps (recorded traffic).
- Informational resources are widely known: ripe.net, arin.net, Shodan, mitre.org, nist.gov.
All of the scanners, targeted items and informational resources mentioned above are publicly available or have an affordable subscription.
Specifically, this data transfer protocol illustrates the main connection between NTC Vulkan and the Russian Ministry of Defense, particularly to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, formerly the Main Intelligence Directorate (GRU).
Figure 5. Data transfer description protocol, one of the signatories mentioning a GRU military unit (74455) on the page above.
Scan-V has a graphics interface to make the work easier for its operators.
The interface allows management control, role distribution, and checks task progress according to the operator’s role.
Figure 6. The login Form of the Scan-V graphical interface.
Figure 7. A scalable dashboard with a news/task feed, ongoing tasks, projects, calendar (for the operator).
The dashboard, depending upon the user’s role, can be tailored to introduce different information from general feeds to a list of tasks and ongoing campaigns.
The software suite has the ability to work with special regional operation scenarios using an illustrative approach.
Figure 8. Sample Screen Form for Working with Special Operations Scenarios (Map)
The operational scenario can be viewed closely in this representation.
Figure 9. An example of a screen form for working with special operations scenarios (graph)
We can also see management screens with complex illustrations of ongoing scenarios (campaigns).
Figure 10. An example of a report showing an overview of current activities status
The other illustrations show management of the data and different visual presentations. The construction, editing, and visualization of multilevel heterogeneous graphs of network infrastructure take place in a graphical form. Examples of screenshots from a software suite working with topology can be seen in the following figures: Figures 11 and 12 - visualization of elements and tools for working with nodes, and links.
Figure 11. An example of a screenshot from a software suite working with topology (visualization, tools for working with nodes and links)
Figure 12. An example of a screenshot from a software suite working with topology (tools for work)
The software allows the operator to set up a visualization and representation view. It also accepts work done simultaneously by more than one operator.
This is probably the first example of a graphical interface illustrating operations conducted by the Russian Federation’s special forces.
Kristal-2V is a hardware-software system for training units and subunits of specialists tasked with carrying out information warfare. The training system can most likely train up to 30 students simultaneously.
The scope of Kristal-2V includes comprehensive information security training for specialists in in the following areas:
- blocking access to resources of the global public information system;
- incapacitation of railway and air (maritime) transport control systems;
- violation of the normal operation of power supply and life support systems;
- identification of vulnerabilities of critical information infrastructure objects to informational and technical impacts.
The subsystems of the Kristal-2V could conduct developed training scenarios:
- subsystem for processing scenarios for blocking access to GIS OP resources;
- a subsystem for working out scenarios to counter the disruption of the functioning of railway and air (sea) transport control systems;
- subsystem for working out scenarios to counter the disruption of the functioning of power supply and life support systems;
- subsystem for processing scenarios of typical Information Security tasks;
The software package includes lectures, presentations, laboratory work, conducting educational games, and simulators. The Kristal-2V subsystems should be able to provide the following functions:
- Simulation of the operation of a collective access node in the GIS OP;
- Simulation of the operation of the access node in the GIS OP of the telecommunications operator of the territorial level;
- Development of measures to block access to the GIS OP by implementing denial of service attacks on the bandwidth of network equipment;
- Development of measures to block access to the GIS OP using the open source software of the APK "Amezit" and methods of their application;
- Simulation of the operation of railway junction automation systems;
- Simulation of the operation of the elements of the air transport control system at the technological sections of the air terminal complex (airport, aerodrome);
- Imitation of the operation of the elements of the maritime transport management system of the sea (river) port;
- Development of methods for obtaining unauthorized access to a local computer and technological networks of transport infrastructure facilities;
- Development of methods of intervention in the technological processes of transport management;
- Development of the application of the open source software of the APK "Amezit" in order to disable (disable) the control systems of railway, air and sea transport;
- Simulation of the operation of power supply management systems;
- Simulation of the operation of the elements of the water supply management system;
- Development of methods for obtaining unauthorized access to a local computer and technological networks of infrastructure and life support facilities of settlements and industrial zones;
- Development of intervention methods in technological management processes at infrastructure and life support facilities;
- Development of the use of open source software of the AIC "Amezit" in order to disrupt the normal operation of control systems at infrastructure and life support facilities;
The word Amezit or Amesite stands for a mineral discovered in the Chester Emery Mines, Chester, Hampden Co., Massachusetts, USA in 1876. Upon closer look, another unusual name mentioned in the documents was Gorgon Medusa (similar to the tentacles of an octopus, Gorgon Medusa is a reference to something with many legs or hands, akin to Amezit’s variety of capabilities). The software according to the leaked “PROGRAM AND METHODS OF PRELIMINARY TESTS of the prototype "Amezit-V"” shows terrifying capabilities of the software. And we could even ask ourselves if this is software or malware?
Figure 13. “PROGRAM AND METHODS OF PRELIMINARY TESTS of the prototype "Amezit-V"” title page.
This software system has incredible capabilities. Amezit-V seems to be software that collects information from various resources, including social networks, social media, forums, and portals in targeted regions. It is able to find the source of information or the initial post and can be used to detect fake information.
It has built-in abilities to manage networking hardware while having physical access to it and could route networking traffic through predefined communication channels, both ground and wireless.
Figure 14. Unexpected abilities according to Name of tests and checks from the leaked preliminary tests document.
3.3 Checking the control of third-party telecommunications equipment at the distribution level and core level without authorization and with physical access to it.
3.4 Checking the collection, recording, and display of information
3.5 Checking traffic routing and its transmission to technical means of primary information analysis
3.6 Checking automatic network configuration using DHCP, NTP, and DNS protocols
3.7 Checking traffic prioritization using TOS
3.8 Checking load balancing with dynamic resource allocation
3.9 Verification of automated management of relay modules with the provision of a single graphical interface
It seems that the software suite is equipped with networking management capabilities. Item 3.5 shows Amezit-V’s ability to record network traffic, which makes it a dangerous and powerful tool.
Amezit-V has built-in network control level security abilities. It could centralize control and monitoring of equipment resistant to unauthorized access, check the state of telecommunications equipment, prompt detection of attempts to obtain unauthorized access to them, as well as centralize control and monitoring of OS hardware abnormal reboots, and other subsystem information security violations. An additional security test mentioned in the documentation is to check that Amezit-V is not detected as a part of the governmental infrastructure.
The next section shows tests that are checking Amezit-V's abilities to collect user information. It can be seen that this self-protection and checking capability has more of a domination than protection purpose. It seems that measures are taken to ensure that Amezit-V is not dropped from the controlled segment of the network. The next illustration shows the spying abilities of the software suite:
Figure 15. Tests that are checking abilities to collect user information in Name of tests and checks from the leaked preliminary tests
4.2 Checking the organization of intermediate control nodes in order to analyze connections and identify information when using protocols such as IPSEC
4.3 Checking automatic recognition and selection of files
4.4 Verification of preventing the use of user anonymization technologies
4.5 Checking blocking and redirection of client requests (HTTP/HTTPS) to legitimate GIS OP resources (mirrors)
4.6 Checking the possibility of selecting a given subscriber
4.7 Checking the formation, display and export of lists of subscribers-senders and subscribers-recipients with topological links between them
4.8 Checking the maintenance of network activity statistics
4.9 Checking registration in the information exchange drive (in full) for the subscriber specified by the operator
4.10 Checking traffic visualization and link analysis of connection participants to the required level
4.11 Checking the implementation of distributed computing in order to find key information
The ability of initial user monitoring is terrifying. The users inside the network would not be able to hide anything from this software system’s monitoring capabilities. The additional ability to redirect user requests to “legitimate” resources (4.5) feels like a serious censure or a way to create fake news. We do not have evidence that “legitimate” globally recognized information resources or social network websites could be faked. In theory, Amezit-V could redirect user requests to fake pages or redirect traffic to spread disinformation.
Its other OSINT abilities include social network monitoring, following divisive or controversial topics, determining the tenor of the information, finding the initial source of the information, information collecting, providing its operators with a list of new information resources to add to the system, and a graphical representation of the information collected. Amezit-V could create an automated compilation of analytical reports on various events, objects, and persons within a specific timeframe, according to time, address, regional parameters, and according to the source of their occurrence. These actions could be initiated not only worldwide, but in specific geographical regions, too.
Amezit-V has a module that should counter the opposing force, and theoretically, other intruders. The software could conduct the following actions to protect itself from external attacks:
- Identification of data transmission channels of communication and control systems of the opposing side
- Disruption of normal functioning of communication equipment
- Determination of the operating mode and composition of telecommunication equipment
- Identification of data transmission channels of critical information objects
- Identification of information resources of the opposing party
- Performance of data relaying functions in order to implement a covert exchange between the technical means of monitoring the Internet and Internet GIS resources using protocols of the TCP / IP family
Reacting to unauthorized access attempts, Amezit-V tries to evade detection.
Figure 16. List of tests to prevent detection of the Amezit-V presence in the network from Name of tests and checks from the leaked preliminary tests.
8.3 Checking the construction of virtual transport routes of data relaying that are rational in terms of secrecy and speed of information exchange
8.4 Checking the connection of automated workstations of the operators of the "Amezit" to the data exchange system, which does not require additional settings for users
8.5 Checking the automatic creation of virtual routes
8.6 Checking the concealment of personalizing information about the means of data transmission from the means of monitoring and analysis of the opposing party
8.7 Checking the concealment of information about nationality
8.8 Checking data masking on relay nodes for legitimate user requests to public services
The software system does a very good job staying hidden. Therefore, we have not detected this software in the wild. The system mimics its requests to the common user request by adding noise to the data.
We previously mentioned that Amezit-V works well with social networks. It allows the automated creation of user profiles and groups in popular social networks and pushes crafted material to form public opinion or meet any other goals.
It is possible that the same modules are allowed to check and follow users on social media networks, gather data on users’ activities, and store their posts, checking if the user was trying to establish a connection in the controlled network by email, private messages in social networks, SMS, MMS, or even IP-calls.
The user created by Amezit-V (bot) is trying to be protected. However, the system has tests to avoid generated user being detected as a bot:
Figure 17. The set of events should be tested to prevent generated user disclosure in Name of tests and checks from the leaked preliminary tests.
9.16 Verification of the information support of events for the distribution of special materials in supported services
9.17 Verification of ensuring the “real user effect” in the process of distribution of informational materials
9.18 Check mechanisms to prevent disclosure of nationality and departmental affiliation
9.19 Verification of automated interaction with open-source software of the linguistic support subsystem
The generated user (bot) will be supported at a very good level, which makes us think again about talking to strangers on social networks and sharing information.
After the social media capabilities tests, Amezit-V performs vulnerabilities search tests. According to the test description, it seems that the system will test all surrounding hardware and software for vulnerabilities.
Figure 18. The list of tests for vulnerability detection ability in Name of tests and checks from the leaked preliminary tests.
10.1 Verifying the detection of current critical system software vulnerabilities
10.2 Verifying the detection of current critical server software vulnerabilities
10.3 Verifying the detection of current critical vulnerabilities in information security software
10.4 Checking the structural and static analysis of program sources
10.5 Verification of software dynamic analysis
10.6 Checking the automated recognition of standard library functions used
10.7 Verification of signature analysis of potentially hazardous operations
10.8 Checking the restoration of the functioning logic and protocols of network interaction of third-party software
The list of tests shows what the reconnaissance module is looking for. It is trying to gather as much information as possible, including the ability to restore third-party software operation after conducting its own operations. Unfortunately, we do not have other descriptions related to the techniques and scanner that the system is going to use.
To illustrate some of Amezit-V software system’s abilities, continued review of the leaked documentation shows requirements for the hardware that Amezit-V should be able to access:
In accordance with the requirements of clauses 3.2.1, 220.127.116.11 of the ToR for the Amezit-V R&D SC, the SPO PAS must ensure the management of third-party telecommunications equipment at the distribution level and core level without authorization and with physical access to it for the following equipment models:
- Huawei S5XXX series;
- Juniper series MX40, MX80, MX10, MX104;
- Cisco 2000, 2500, 3000, 680x0-Based 4000, 7000 series;
- Extreme Networks Summit x430, x440, x450, x460 series;
- D-Link DGS-3627, DGS-3620-28, DES-3200-10, DES-3200-24 series.
Additional leaked documents illustrate the access networking hardware equipment test:
To check the software method for gaining access to the equipment on the operator's workstation, run the access software, specifying the IP address 10.10.10.113 of the D-link DGS-1100-24 router as a parameter.
View the results of the access software. Make sure that entries containing password information for accessing the management console of the D-link DGS-1100-24 router have been generated, the password is found - "12345".
It is highly possible that John the Ripper was used (the password brute force tool), but in fact, we do not know what exploits or techniques are hidden inside the application.
The documentation in the Vulkan papers mentioned that Amezit-V could be installed in different machines in different geographical locations, and its operators are able to connect to the systems and gather information from them.
As we can see from the hardware requirements and software used in these projects, even Russian groups are using globally recognized services, brands and software to connect to European and U.S.-based security services.
Amezit-V has worm-like abilities, the ability to spread malware, take control of surrounding networks and move forward. Its deterrent is well set up, has security-protected environments with the latest patches and constant monitoring. Further documentation in the Vulkan papers shows that Amezit-V may have been developed between 2016 and 2018.
Scan-V is a software suite with a variety of methods for collecting large amounts of data, most likely to gather information on vulnerabilities to enable cyber operations and further cyberattacks, and it contains extensive documentation on how it structures databases to store and handle the information. Based on signatures seen in some of the leaked documents, it appears that Scan-V documentation was contracted, at least, by GRU Unit 7445, also known as Sandworm. Leaked documentation shows that Scan-V could have been developed between 2018 and 2019.
Krystal-2V is a training platform, a hardware-software system used to conduct training exercises in coordinated IO/OT attacks using Amezit-V and probably other software. This training platform focuses on specific scenarios of attacks against OT environments and Russian infrastructure. Krystal-2V appears to have offensive and defensive training exercise capabilities. Leaked documentation shows that Krystal-2V could have been developed between 2018 and 2020.
It is extremely difficult to develop the systems that are described in the leaked NTC Vulkan papers, but if this company has been able to do it, the Russian cyber troops have in their hands a spectrum of powerful offensive and defensive software that could influence a population's mindset, not only in specific geographical regions, but maybe even from your browser.