[M] Lea Rossa / DER SPIEGEL; Fotos: Vulkan Files (4); Gavriil Grigorov / dpa; Bobylev Sergei / Itar-Tass / action press; Wikimedia Commons; Sebastien Bozon / AFP; Denis Charlet / AFP

The "Vulkan Files" A Look Inside Putin's Secret Plans for Cyber-Warfare

Elite hackers from Russia have their sights set on airports and power plants around the world, along with the internet. Confidential data from Moscow, obtained by DER SPIEGEL and its partners, now provide a look inside their arsenal of cyber-weapons and reveal their strategy.

A fine, late-winter drizzle is falling on a Moscow that has yet to completely free itself from its winter bleakness. Heaps of dirty snow are still piled up in front of the gray office building in the Sokolinaya Gora district in the eastern part of the city. It is an unremarkable structure in an unremarkable neighborhood, not far from the Preobrazhenskoye Cemetery, where an eternal flame burns in honor of the Soviet Union’s World War II dead. Outside the building, there is no barbed-wire and no threatening guards.

It's all quite normal. And it’s all a ruse.

The company headquartered here at Ulica Ibragimova 31 is called NTC Vulkan, and it presents itself as a completely normal, IT consulting firm, a small company with software expertise. Its website claims the company has a close relationship with IBM and lists Toyota Bank as a customer. One of its specialties: "Information security management.” It is a carefully constructed façade that holds up at first glance. And at second glance. But it’s not the whole truth.

Those wishing to go inside for a closer look at the frequently darkened offices full of computers, servers and other high-tech electronic equipment, must pass through security doors and a phalanx of cameras. After all, the building is home to programmers and hackers with a sinister mission: sowing chaos and causing destruction.

Vulkan headquarters in northeastern Moscow.

Vulkan headquarters in northeastern Moscow.



For example: Paralyzing the computer systems of an airport so that the tower can no longer communicate with planes. Or triggering train derailments using a software program that deactivates all safety controls. Or interrupting power supplies.

All those things are elements of cyberwarfare, a specialty of Russian secret service agencies. And Vulkan works for those agencies: for the military intelligence agency GRU, the domestic intelligence agency FSB and for the foreign and economic intelligence agency SVR. "To begin with, it wasn’t clear what my work would be used for,” says one former employee, who has since left the country. "Later, I understood that we weren’t just collecting data. But that it was being used by the Russian secret service.”

The systems developed by Vulkan bear anodyne codenames like "Scan-V,” "Crystal-2V,” and "Amezit,” but their purposes are anything but normal. They have been programmed to assist the Russian military in finding the digital vulnerabilities of adversaries, thus making cyberattacks far easier to carry out. They can ambush enemy communications systems and take them over. And they can spread disinformation.

This is all chronicled in 1,000 secret documents that include 5,299 pages full of project plans, instructions and internal emails from Vulkan from the years 2016 to 2021. Despite being all in Russian and extremely technical in nature, they provide unique insight into the depths of Russian cyberwarfare plans. In a militarized country that doesn’t just fight with warplanes, tanks and artillery, but with hackers and software.

This strategy is especially apparent in Ukraine, which has been so unrelentingly attacked by Russian hackers since the invasion in February 2022 that experts have begun referring to it as the "first comprehensive cyberwar” ever seen. The Russians attack important companies and government agencies and interrupt internet service, and even managed to paralyze a communications satellite.

But cyberattacks in other parts of the world have also become increasingly brazen and dangerous.