Just days after the start of Russia’s full-scale invasion of Ukraine, an anonymous source linked the German newspaper Süddeutsche Zeitung. He says he wants to share documents about spyware being developed at the behest of Russian special services. “I decided to give you this information because of the events in Ukraine,” he explains his motivation.
Later, the source hands the journalists an archive of documents about a little-known IT company from Moscow: “Behind it are the GRU and the FSB,” he explains. Thus, journalists from 11 media outlets, including Süddeutsche Zeitung, The Guardian, Washington Post, Le Monde, Paper Trail Media, Important Stories, get to the archive of “Vulkan”, a small company that, on behalf of the Ministry of Defense, the FSB and the Office of foreign intelligence develops software for Russian cyberattacks, running a troll factory and isolating the Internet.
Journalists examine the archive. A fruit of this research is also the publication of the Russian independent publication “Important Stories”which we present here.
Contractor of orders from all special services
The office of the Vulkan Scientific and Technical Center is located in the north-eastern part of Moscow. The company employs a little more than 130 people, revenues in 2021 slightly exceed a billion rubles. Its founders are Anton Markov and Alexander Irzhavski. “Specialists carry out projects to analyze the security of hardware and software systems, as well as to study the security of microelectronic devices,” is how the company describes its activities on its website with surprising frankness.
The company does “research the security” of various facilities, but not for the purpose of protection, but at the behest of the Russian special services. Judging by Vulkan’s internal documents, various units of the SVR, the Ministry of Defense and the FSB were its main clients.
For example, one of the main customers is military unit 33949. In the last three years alone, it has transferred more than 200 million rubles to the enterprise for the development of various programs under the state defense order. Military unit 33949 is one of the most important units of the SVR. It was there that Alexander Poteev, a former colonel of the secret intelligence department, served. He worked in perhaps the most important division of the Foreign Intelligence Service, the “American” one, which is responsible for the service’s activities in the United States. In 2010, Poteev fled to America and handed over to the FBI a deeply conspiratorial network of Russian intelligence agents.
Another important client of Vulkan is military unit 64829. Behind this cipher is the Center for Information Security (CIS) of the FSB, known for the fact that many hackers work under its cover, as well as for the fact that FSB officers who served, there they were recently convicted of treason. Over the past three years, the Central Intelligence Agency of the FSB has transferred more than 100 million rubles to Vulkan for the development of various software.
But the bulk of the firm’s archive relates to projects for the Ministry of Defence.
In 2016, Vulkan began developing software under the codename “Amesite”. The order is from the Department for Prospective Interspecies Research and Special Projects of the Russian Ministry of Defense. This is how the purpose of the project is described in the documents: “Development of a hardware and software complex (APK “Amezit”) for informational limitation of a local area and formation of an autonomous segment of a network for data transmission in given territories”. Here are the tasks assigned to “Amezit”:
“Monitoring and analysis of information in data transmission channels, including the Internet, in certain territories”;
“Blocking access to illegitimate data transmission channels, including Internet resources, in certain territories”;
“Redirecting client requests to legal Internet resources in certain territories”;
“Improving the efficiency of placement and distribution (boosting ratings) of special materials in data transmission channels.”
In other words, the Russian Ministry of Defense orders Vulkan a tool that will: a) monitor all Internet users in a given territory; b) blocks sites undesirable for them from the point of view of the Ministry of Defense; c) and will enforce bot-promoted propaganda articles instead.
Information security experts, to whom the publication showed the documents, believe that this system was created for use abroad, including in Ukraine. One of the basic conditions for the functioning of the complex is physical access to telecommunication equipment.
There is no information in the Vulkan archive about where and how this part of “Amesite” was used, which is responsible for isolating the Internet. However, journalists have managed to find examples of how “promotion of special materials” works in real life.
The principle of operation of the “subsystem for the preparation, placement and promotion of special materials” is described in a separate user guide. The main features of the program are briefly listed there like this:
“Automated placement in social networks, blogs, microblogs, forums of special materials”;
“Improving distribution efficiency (increasing ratings) of special materials”;
“Automated registration of user accounts using personal data of a fictitious person”;
“Creating a copy of a real-life entity’s profile”;
“Maintenance of at least 100 user profiles in social networks from one workplace”;
“Ensuring a ‘real user effect’ in the process of disseminating information materials through technical means of promoting materials.”
In other words, this Amesite subsystem is the control room of a huge troll factory. In fact, with the help of this program, a serviceman from the Ministry of Defense can create hundreds of bots in various social networks (Facebook, Twitter, YouTube) with one click and then “entrust” them with various tasks: publish posts and videos, comment, like, get comments on articles.
There are screenshots of the UI in the Vulkan archive. Thanks to them, the journalists were able to find some of the bots created by “Amezit” and track what real campaigns they participated in.
One of the first Twitter campaigns where the Vulcan developers tested their trolls was called #pidobama. Despite its name, the bots’ tweets had no effect on the then-President of the United States. They were published for one month – from mid-December 2014 to mid-January 2015. All tweets are of the same type and written in Russian. “We don’t need big upheavals, we need a great Russia!” – wrote the user @AndreevSergej5 – a middle-aged man with three parrots on his avatar. “When people are stupid, they are easy to manage,” a certain Tatyana Bolshakova – a young woman, judging by the avatar – agrees with him. In total, about 70 “users” are participating in the #pidobama campaign – and all of them were automatically created by “Amezit”. Thanks to this test campaign, journalists were able to find out the names of many bots and see what other promotions they were involved in.
In April 2017, parliamentary elections were held in Armenia. A few days before the election day, experts drew attention to suspicious activity on Twitter: dozens of accounts began to publish a screenshot of a letter from the US Agency for International Development (USAID), which allegedly proves the interference of the US authorities in the elections. The letter is obviously fake, written in bad English. Dozens of bots posted it with the same text: “NGOs are preparing to derail the elections in Armenia.” Among them are the trolls from the Vulcan factory. Journalists managed to identify them thanks to their unique avatars: for some reason, the developers of “Amesite” used images of participants in the Canadian reality show Top Chef Canada to create bots.
In 2017, the commander of the special reserve of the Main Intelligence Directorate (GUR) of the Ministry of Defense of Ukraine, Colonel Maxim Shapoval, was killed in Kyiv. The killers blew up his car with a radio-controlled magnetic mine. GUR blames the Russian authorities for the murder.
After the assassination, bots created by Vulkan developers began posting tweets with roughly the same title: “The usual practice of the SBU (Ukrainian counterintelligence) is to organize an assassination” and a link to the same article on VKontakte, which outlines a conspiracy version of the killing by the Ukrainian special services of their own colleagues.
Vulcan trolls campaigned against Hillary Clinton before the 2016 US presidential election, when Republican Donald Trump won. Later, US law enforcement was able to prove that the Russian leadership interfered in the voting process, including with the help of bots that supported Trump. Vulcan trolls are blowing up an English-language article about how Hillary Clinton was involved in dubious deals with Italian politician Matteo Renzi.
Vulkan’s involvement in developing Russian cyberattack software, running a troll factory and isolating the Internet was not known until now. The company is not on the sanctions lists of either the US or the European Union. Vulkan’s management has refused to answer questions from journalists.