Important Stories translation: Who creates programs for the Russian special services to isolate the Internet, spy on users and promote propaganda articles
"Important Stories" studied the archive of Vulkan, a little-known IT company from Moscow that works on secret projects for the SVR, the FSB and the Ministry of Defense
DATE: MAR 30 2023
AUTHOR: ROMAN ANIN
Translation of Important Stories Investigation:
Just days after the start of Russia's full-scale invasion of Ukraine, the German newspaper Süddeutsche Zeitung was contacted by an anonymous source. He said that he wanted to share documents about spyware being developed by order of the Russian special services. “I decided to give you this information because of the events in Ukraine,” he said, explaining his motivation at once.
Later, the source handed over to journalists an archive of documents about a little-known IT company from Moscow: “The GRU and the FSB are behind it,” he explained. This is how we ended up with the archive of Vulkan, a small company that, on behalf of the Ministry of Defense, the FSB, and the Foreign Intelligence Service, develops software for carrying out Russian cyberattacks, managing a troll factory and isolating the Internet.
"Important Stories", together with journalists from the Süddeutsche Zeitung, The Guardian, Washington Post, Paper Trail Media, and other publications, studied the archive.
Contractor of all special services
The office of the Scientific and Technical Center Vulkan is located in the northeast of Moscow. The company employs a little more than 130 people, and its revenue in 2021 slightly exceeded a billion rubles. Its founders are Anton Markov and Alexander Irzhavsky. “Specialists are conducting projects to analyze the security of hardware and software systems, as well as to study the security of microelectronic devices,” is how Vulkan describes its activities on its website, with surprising frankness.
The company is indeed "investigating the security" of various facilities, though not in order to protect them but by order of the Russian special services. Judging by Vulkan's internal documents, various units of the SVR, the Ministry of Defense, and the FSB were its major customers.
For example, one of the major clients is military unit 33949. Over the past three years alone, it has transferred more than 200 million rubles to the company for the development of various programs under the state defense order. Military unit 33949 is one of the most important units of the SVR. It was there that Alexander Poteev, a former colonel of the illegal intelligence department, served. He worked in perhaps the most important department of the Foreign Intelligence Service, the "American" department, which was responsible for the activities of "illegals" in the United States. In 2010, Poteev fled to America and turned over to the FBI a deeply clandestine network of Russian intelligence agents.
Another important client of Vulkan was military unit 64829. Behind this designation is the Information Security Center (CIB) of the FSB, known for the fact that many hackers work under its cover, as well as for the fact that FSB officers who served there were recently convicted of treason. Over the past three years, the CIB of the FSB has transferred more than 100 million rubles to Vulkan for the development of various software.
But the main part of the Vulkan archive concerns projects for the Ministry of Defense.
"Amezit"
In 2016, Vulkan began developing software under the code name Amezit. The customer for the work was the Department of Advanced Interspecific Research and Special Projects of the Russian Ministry of Defense. This is how the goal of the project was described in the documents: “Development of a hardware and software complex (APK Amezit) for informational restriction of a local area and the formation of an autonomous segment of a data transmission network in given territories.” These are the tasks that were assigned to Amezit:
“monitoring and analysis of information in data transmission channels, including on the Internet, in specified territories”;
"blocking access to illegitimate data transmission channels, including Internet resources, in specified territories";
"redirecting client requests to legitimate Internet resources in specified territories";
"improving the efficiency of placement and distribution (raising ratings) of special materials in data transmission channels."
In other words, the Russian Ministry of Defense ordered from Vulkan a tool that will: a) monitor all Internet users in a given territory; b) block their access to sites that are undesirable from the point of view of the Ministry of Defense; and c) push propaganda articles promoted by bots in place of those sites.
Information security experts to whom we showed the documents believe that this system was created for use abroad, including in Ukraine. One of the main conditions for the operation of the complex was physical access to telecommunications equipment.
There is no data in the Vulkan archive about where and how the part of Amezit that is responsible for isolating the Internet was used. However, we were able to find examples of how the promotion of special materials worked in real life.
Troll factory
The principle of operation of the “subsystem for preparing, placing and promoting special materials” is described in a separate user manual. For example, the main functions of the program are briefly listed there:
“automated placement in social networks, blogs, microblogs, forums of special materials”;
“improving the efficiency of distribution (raising the ratings) of special materials”;
“automated registration of user accounts using the personal data of a fictitious person”;
“creating a copy of the profile of a real-life subject”;
“support for at least 100 social network user profiles from one workplace”;
“ensuring the ‘effect of a real user’ in the process of dissemination of information materials by technical means of promotion of materials.”
In other words, this subsystem of Amezit is the control room for a huge troll factory. In fact, with the help of this program, a serviceman of the Ministry of Defense can create hundreds of bots in a variety of social networks (Facebook, Twitter, YouTube) in one click, and then “entrust” them with various tasks: publish posts and videos, comment, like, and inflate view counts on articles.
There are screenshots of the program interface in the Vulkan archive. Thanks to them, we were able to find some of the bots created by Amezit and trace which real campaigns they were involved in.
Troll Campaigns
One of the first Twitter campaigns in which the developers of Vulkan tested their trolls was called #pidobama. Despite the campaign's name, the bot tweets had no effect on the then-President of the United States. They were published for a month, from mid-December 2014 to mid-January 2015. All tweets were of the same type and written in Russian. “We don’t need great upheavals, we need a great Russia!” wrote the user @AndreevSergej5, a middle-aged man with three parrots on his avatar. “When people are stupid, they are easy to manage,” agreed a certain Tatyana Bolshakova, a young woman judging by the avatar. In total, about 70 “users” participated in the #pidobama campaign, and all of them were created automatically by Amezit. Thanks to this test campaign, we were able to find out the names of many bots and see what other campaigns they participated in.
In April 2017, parliamentary elections were held in Armenia. A few days before election day, experts drew attention to suspicious activity on Twitter: dozens of accounts began to publish a screenshot of a letter from the United States Agency for International Development (USAID), which allegedly proved the interference of the American authorities in the elections. The letter was an obvious fake, written in bad English. Dozens of bots posted it with the same caption: “NGOs are preparing to disrupt the elections in Armenia.” Among them were trolls from the Vulkan factory. We were able to identify them thanks to their unique avatars: for some reason, the developers of Amezit used images of participants in the Canadian reality show Top Chef Canada to create bots.
In 2017, the commander of the special reserve of the Main Directorate of Intelligence (GUR) of the Ministry of Defense of Ukraine, Colonel Maxim Shapoval, was killed in Kyiv. The killer blew up his car with a radio-controlled magnetic mine. The GUR accuses the Russian authorities of the murder.
After the murder, the bots created by the developers of Vulkan began to publish tweets with approximately the same headline, “The usual practice of the SBU is to organize a murder,” and a link to the same article on VKontakte, which outlined a conspiracy version of events in which the Ukrainian special services murdered their own colleagues.
The Vulkan trolls also campaigned against Hillary Clinton ahead of the 2016 US presidential election, which Republican Donald Trump won. Later, American law enforcement agencies managed to prove that the Russian leadership interfered in the voting process, including with the help of bots that supported Trump. The Vulkan trolls "hyped" an English-language article alleging that Hillary Clinton was involved in dubious deals with Italian politician Matteo Renzi.
Vulkan's involvement in developing software for Russian cyberattacks, running a troll factory, and isolating the Internet was not previously known. The company is not on the sanctions lists of either the United States or the European Union. The leadership of Vulkan refused to answer questions from journalists.