In late March 2023, a consortium of journalists and investigators released analysis of “the Vulkan files”. Consisting of a trove of documents associated with a Russian contracting company working with intelligence and military authorities, the papers revealed a variety of ambitious, concerning programs such as “Scan-V” and “Amezit.” Both program, in the sense that they offer capabilities to acquire, maintain, and task infrastructure for cyber and information operations at scale, are deeply concerning, indicating a significant advancement in Russian-linked network warfare and related actions. However, placing these items in context reveals a murkier, far more troubling picture. After reviewing the capabilities of Amezit and Scan-V, we can see glimpses of other, historical programs in the advertised efficacy of these projects. Notably, we will consider other items that have leaked out over the years offering similar capabilities, albeit in different circumstances. Examples include Russia’s own SORM framework for domestic operations, China’s Great Firewall and (more significantly) Great Cannon programs, and items that emerged nearly a decade ago in the Snowden leaks such as the US’s alleged “Quantum” program. By analyzing these additional projects, we will observe a decade’s long trend in the systematization and increasing scale of cyber programs, especially with respect to automated exploitation and infrastructure management frameworks. Thus, Vulkan and related items, as significant as they are, represent a culmination of operational evolution and a prime example of the proliferation of capabilities following public disclosure. With programs such as Scan-V exposed, we should anticipate other entities seeking to mirror such capabilities, progressing beyond simple botnets and other distributed systems to effective management of dispersed capabilities for signals intelligence and cyber operations purposes.

1. Burrowing Through The Network:
Contextualizing The Vulkan Leaks
& State-Sponsored Offensive
Operations
Joe Slowik, Paralus LLC

2. Quick Background
● Current:
○ CTI & ICS/OT Consulting @ Paralus LLC
○ Threat Intelligence Management @ Huntress
● Previous:
○ Threat Intelligence & Detection Engineering Lead @ Gigamon
○ Threat Research @ DomainTools & Dragos
○ Incident Response Lead @ Los Alamos National Laboratory
○ “Various” @ US Navy

3. Agenda
● The Vulkan Files
● Vulkan & Russian Cyber Operations
● Orienting Vulkan Capabilities In Cyber History
● Future Of Offensive Cyber Operations
● Conclusions

4. The Vulkan Files

5. What Are The Vulkan Files?

6. What Are The Vulkan Files?

7. What Are The Vulkan Files?

8. What Are The Vulkan Files?

9. What Are The Vulkan Files?
Computer Technology Firm, Founded In 2010 By Russian Military
Veterans With Approval To Perform Classified Work.
NTC Vulkan

10. What Are The Vulkan Files?
Computer Technology Firm, Founded In 2010 By Russian Military
Veterans With Approval To Perform Classified Work.
NTC Vulkan
Unknown Entity Leaked Project Information And Documentation For
Various Projects To German Journalists
The Leaks

11. What Are The Vulkan Files?
Computer Technology Firm, Founded In 2010 By Russian Military
Veterans With Approval To Perform Classified Work.
NTC Vulkan
Unknown Entity Leaked Project Information And Documentation For
Various Projects To German Journalists
The Leaks
Rarely Do We See The “Nuts & Bolts” Of CNO Tool Development &
Procurement Processes - Lots Of Data To Go Through!
The
Significance

12. NTC Vulkan

13. Programs Of Interest

14. Programs Of Interest
Scan-V

15. Programs Of Interest
Scan-V
Amesit

16. Programs Of Interest
Scan-V
Amesit
Krystal-2V

17. Scan-V

18. Scan-V

19. Scan-V

20. Scan-V
Design

21. Scan-V
Design
● Distributed, Multi-Component System Crossing Various Information Boundaries
● Designed For Automated Tasking & Action Within Pre-Programmed Capabilities

22. Scan-V
Design
● Distributed, Multi-Component System Crossing Various Information Boundaries
● Designed For Automated Tasking & Action Within Pre-Programmed Capabilities
Purpose

23. Scan-V
Design
● Distributed, Multi-Component System Crossing Various Information Boundaries
● Designed For Automated Tasking & Action Within Pre-Programmed Capabilities
Purpose
● Combine External Scanning Functionality With Catalog Of Vulnerabilities & Exploits
● Automate Or Increase The Efficiency Of Cyber Operations, Infrastructure Harvesting

24. Amesit

25. Amesit
Information Operations & Collection Platform

26. Amesit
Information Operations & Collection Platform
Capable Of Capturing & Proxying Communication
Streams For Collection & Manipulation

27. Amesit
Information Operations & Collection Platform
Capable Of Capturing & Proxying Communication
Streams For Collection & Manipulation
Potential Applications In Both Foreign & Domestic
Targeting

28. Response To The Vulkan Leaks

29. Response To The Vulkan Leaks

30. Response To The Vulkan Leaks

31. Response To The Vulkan Leaks

32. Response To The Vulkan Leaks

33. Response To The Vulkan Leaks

34. Diving Into The Vulkan Leaks
The Vulkan Leaks Represent A
Significant Event In The History Of
Cyber Operations - We Need To Review
Just What’s Inside!

35. Vulkan & Russian Cyber Operations

36. Diving Into The Vulkan Leaks
NTC
Vulkan

37. Diving Into The Vulkan Leaks
NTC
Vulkan
Scan-V
Amesit
Krystal-2V
MiniDuke

38. Diving Into The Vulkan Leaks
NTC
Vulkan
Scan-V
Amesit
Krystal-2V
MiniDuke
GRU
74455
FSB Radio
Research
Institute
SVR

39. Vulkan & Russia’s “Cyber Hydra”
For Various Reasons, Research
Institutes & External Entities Generally
Perform Dedicated Work For One
Element Of Russia’s Cyber Forces…

40. Vulkan & Russia’s “Cyber Hydra”
For Various Reasons, Research
Institutes & External Entities Generally
Perform Dedicated Work For One
Element Of Russia’s Cyber Forces…
NTC Vulkan Worked With EACH Element
Of Russian External Cyber Ops - GRU,
FSB, & SVR - Not Completely Unique
But Rare!

41. RU Cyber & The Private Sector

42. RU Cyber & The Private Sector
TsNIIKhM &
XENOTIME

43. RU Cyber & The Private Sector
TsNIIKhM &
XENOTIME
SVA Institute &
SVR

44. RU Cyber & The Private Sector
TsNIIKhM &
XENOTIME
ODT & FSB’s
Fronton Botnet
SVA Institute &
SVR

45. RU Cyber & The Private Sector
TsNIIKhM &
XENOTIME
ODT & FSB’s
Fronton Botnet
Kvant Institute &
FSB
SVA Institute &
SVR

46. RU Cyber & The Private Sector
TsNIIKhM &
XENOTIME
ODT & FSB’s
Fronton Botnet
Kvant Institute &
FSB
SVA Institute &
SVR
INCONTROLLER /
PIPEDREAM?

47. RU Cyber & The Private Sector
TsNIIKhM &
XENOTIME
ODT & FSB’s
Fronton Botnet
Kvant Institute &
FSB
SVA Institute &
SVR
INCONTROLLER /
PIPEDREAM?

48. Privatization Of Cyber Development
NTC Vulkan Is Both An Example And A
Pioneer Of Increasingly Outsourced
Cyber Development & Engineering Work
For State-Directed Operations!

49. Privatization Of Cyber Development
NTC Vulkan Is Both An Example And A
Pioneer Of Increasingly Outsourced
Cyber Development & Engineering Work
For State-Directed Operations!
NOTE: This Is
NOT Just
Russia!

50. Scan-V & Sandworm

51. Scan-V & Sandworm
Sandworm
Historically
Leverages
Compromised,
Legitimate
Infrastructure

52. Scan-V & Sandworm
Sandworm
Historically
Leverages
Compromised,
Legitimate
Infrastructure
Multiple
Examples -
Ranging From
Industroyer To
CyclopsBlink

53. Scan-V & Sandworm
Sandworm
Historically
Leverages
Compromised,
Legitimate
Infrastructure
Multiple
Examples -
Ranging From
Industroyer To
CyclopsBlink
Building Out
C2
Infrastructure
Scales More
Effectively
With
Automation!

54. Scan-V & Sandworm

55. Scan-V & Sandworm
Stockpile
Vulnerabilities

56. Scan-V & Sandworm
Stockpile
Vulnerabilities
Identify Vulnerable
Nodes

57. Scan-V & Sandworm
Stockpile
Vulnerabilities
Identify Vulnerable
Nodes
Victims Become Part
Of Proxy Chains

58. Scan-V & Sandworm

59. Scan-V & Sandworm
Yo, Check
Out My
ORB!

60. The “So What” Behind Vulkan

61. The “So What” Behind Vulkan
Focus On Scalability & Control Of Widespread
Operations

62. The “So What” Behind Vulkan
Focus On Scalability & Control Of Widespread
Operations
Enables Greater Efficiency & Increases Extent Of
Cyber Activity

63. The “So What” Behind Vulkan
Focus On Scalability & Control Of Widespread
Operations
Enables Greater Efficiency & Increases Extent Of
Cyber Activity
Transition From “One Operator, One Op” To Massive,
Distributed Campaigns

64. Vulkan In Cyber History

65. Is Vulkan Activity Unique?

66. Is Vulkan Activity Unique?

67. Scan-V - Similar Examples?

68. Scan-V - Similar Examples?
Russia!

69. Scan-V - Similar Examples?
Russia! China!

70. Scan-V - Similar Examples?
Russia! China!
USA?

71. Scan-V - Similar Examples?

72. Russia & Cyber Manipulation

73. Russia & Cyber Manipulation
Building
Compromised
Networks
Monitoring &
Manipulating
Information

74. Russia & Cyber Manipulation
Building
Compromised
Networks
Monitoring &
Manipulating
Information
VPNFilter
CyclopsBlink
SORM

75. VPNFilter & CyclopsBlink

76. VPNFilter & CyclopsBlink
Network-Device Targeting Capabilities

77. VPNFilter & CyclopsBlink
Network-Device Targeting Capabilities
Leverage Compromised Nodes To Proxy Traffic, Or
Engage In DDoS Activity

78. VPNFilter & CyclopsBlink
Network-Device Targeting Capabilities
Leverage Compromised Nodes To Proxy Traffic, Or
Engage In DDoS Activity
Evidence Of Further Capabilities (e.g., VPNFilter
Modbus Capture Module)

79. VPNFilter & CyclopsBlink
Scan-V Represents A Mechanism To
Automate, Control, & Manage A Network
Of Collection Nodes & ORBs For Cyber
Operations - Scalability & Efficiency!

80. SORM

81. SORM

82. SORM To Amesit
Amesit Enables A Mobile, Flexible
Deployment Of SORM-Like Capabilities,
Including For INFORMATION &
INFLUENCE OPERATION PURPOSES.
Can Also Be “Forward Deployed.”

83. What About PRC?

84. What About PRC?

85. What About PRC?

86. What About PRC?

87. PRC CNO & IO Operations

88. PRC CNO & IO Operations
Great Cannon
Is Nearly 10
Years Old Now
- Disclosed In
2015!

89. PRC CNO & IO Operations
Great Cannon
Is Nearly 10
Years Old Now
- Disclosed In
2015!
PRC (Likely)
Continues To
Invest &
Innovate In
Cyber
Operations

90. PRC CNO & IO Operations
Great Cannon
Is Nearly 10
Years Old Now
- Disclosed In
2015!
PRC (Likely)
Continues To
Invest &
Innovate In
Cyber
Operations
Widespread
Intrusion Ops -
Exchange,
Barracuda
ESGs,
Emphasize
This!

91. PRC CNO & IO Operations
Great Firewall & Great Cannon
Functionality Give Glimpses Of Similar
Ambitions & Programs - Main Question
Is Scalability & Management Of These
Capabilities & Widespread Intrusion
Campaigns

92. The United States & FVEY
Hey - Remember The
Snowden Leaks?

93. The United States & FVEY
Hey - Remember The
Snowden Leaks?
NOTE THAT THE FOLLOWING SLIDES
ARE BASED ON PUBLIC COMMENTARY
AND POSTING HERE NEITHER
CONFIRMS NOR DENIES THE ACCURACY
OR VERACITY OF THESE ITEMS!

94. NSA Leaks & Implications

95. NSA Leaks & Implications
Popular Conception

96. NSA Leaks & Implications
Popular Conception
● Emphasis On Privacy Violations & Other Elements Detrimental To Open Democracies
● Clearly Important - But Hardly The Limit Of What Was Disclosed

97. NSA Leaks & Implications
Popular Conception
● Emphasis On Privacy Violations & Other Elements Detrimental To Open Democracies
● Clearly Important - But Hardly The Limit Of What Was Disclosed
Additional Details

98. NSA Leaks & Implications
Popular Conception
● Emphasis On Privacy Violations & Other Elements Detrimental To Open Democracies
● Clearly Important - But Hardly The Limit Of What Was Disclosed
Additional Details
● Snowden (And Potentially Others) Disclosed SIGNIFICANT Information On CNO
Capabilities & Tradecraft Beyond Privacy & Legality Issues!
● Less-Heralded But Arguably More Significant Were Widespread, Automated
Exploitation & Control Frameworks

99. A Quantum Of Exploitation

100. A Quantum Of Exploitation

101. A Quantum Of Exploitation

102. Automated Exploitation At Scale

103. Automated Exploitation At Scale
QUANTUM, TURBINE, Etc.
Represent Automated
Exploit Systems

104. Automated Exploitation At Scale
QUANTUM, TURBINE, Etc.
Represent Automated
Exploit Systems
Disclosed Publicly In Early
2010’s - Possibility
Adversaries Identified Earlier

105. Automated Exploitation At Scale
QUANTUM, TURBINE, Etc.
Represent Automated
Exploit Systems
Disclosed Publicly In Early
2010’s - Possibility
Adversaries Identified Earlier
Alleged FVEY “State Of
The Art” In 2010 Now
Reflected In RU, PRC Ops

106. Snowden, Vulkan, & Beyond
IF TRUE - Snowden Leaks Were
Arguably A DISASTER For US, Related
CNO & SIGINT Capabilities By
Disclosing Methodology…

107. Snowden, Vulkan, & Beyond
IF TRUE - Snowden Leaks Were
Arguably A DISASTER For US, Related
CNO & SIGINT Capabilities By
Disclosing Methodology…
…It Also Appears That Multiple Parties
Were Taking Notes On How To Build
Similar (Or More Ambitious) Programs
Based On Disclosures!

108. The Future Of Offensive Cyber

109. Popular Conception Of CNO

110. Realistic Depiction Of CNO

111. Future Applications Of CNO

112. The Road To Scalable Cyber

113. The Road To Scalable Cyber
Cyber Talent Is Expensive - Codifying Capabilities In Technology &
Programs Is Key To Expansive & Efficient Action!
Personnel

114. The Road To Scalable Cyber
Cyber Talent Is Expensive - Codifying Capabilities In Technology &
Programs Is Key To Expansive & Efficient Action!
Personnel
Global Ambitions Require Global Actions. Assumptions On Targeting &
Focus Go Out The Window - Especially When Targets Can Be “Means
To An End!”
Targeting

115. The Road To Scalable Cyber
Cyber Talent Is Expensive - Codifying Capabilities In Technology &
Programs Is Key To Expansive & Efficient Action!
Personnel
Global Ambitions Require Global Actions. Assumptions On Targeting &
Focus Go Out The Window - Especially When Targets Can Be “Means
To An End!”
Targeting
Top-Tier Threat Actors Know How Defenders & CTI Analysts Operate -
They Will Work To Evade Known Analytical Tradecraft & Minimize
Touchpoints Wherever Possible!
Operational
Security

116. NTC Vulkan & CNO
Vulkan Capabilities Are LAGGING
Indicators - This Activity Has Already
Taken Place!

117. NTC Vulkan & CNO
Vulkan Capabilities Are LAGGING
Indicators - This Activity Has Already
Taken Place!
We Need To Anticipate Greater Degrees
Of Automation, Queueing, & Reactive
Targeting!

118. What Should We Expect?

119. What Should We Expect?
Greater
Automation &
Improved
Scalability

120. What Should We Expect?
Greater
Automation &
Improved
Scalability
Leverage
“Neutral Web”
For Offensive
Action

121. What Should We Expect?
Greater
Automation &
Improved
Scalability
Reduced
Reliance On
“Rockstars” -
Commoditization
Leverage
“Neutral Web”
For Offensive
Action

122. What Should We Expect?
Greater
Automation &
Improved
Scalability
Reduced
Reliance On
“Rockstars” -
Commoditization
Leverage
“Neutral Web”
For Offensive
Action
Actual,
Meaningful
Applications Of
ML/AI

123. Conclusions

124. Where Are We Now?

125. Where Are We Now?
But…

126. Capability Inspiration & Proliferation

127. Capability Inspiration & Proliferation
Adversaries Learn From “Other Adversary”
Operations & Open Source Research

128. Capability Inspiration & Proliferation
Adversaries Learn From “Other Adversary”
Operations & Open Source Research
Today’s Leak Or Disclosure Is Inspiration For
Tomorrow’s Capability & Evolution

129. Capability Inspiration & Proliferation
Adversaries Learn From “Other Adversary”
Operations & Open Source Research
Today’s Leak Or Disclosure Is Inspiration For
Tomorrow’s Capability & Evolution
CNO Is NOT A Static Field - But A Constantly
Evolving One With Multiple Factors

130. Guidance For Defenders

131. Guidance For Defenders
Adversaries
Are
CONSTANTLY
Growing &
Evolving

132. Guidance For Defenders
Adversaries
Are
CONSTANTLY
Growing &
Evolving
Legacy
Techniques &
Tradecraft For
Defense &
Identification
WILL FAIL

133. Guidance For Defenders
Adversaries
Are
CONSTANTLY
Growing &
Evolving
Legacy
Techniques &
Tradecraft For
Defense &
Identification
WILL FAIL
Emphasis On
Behavioral
Analysis &
Anomaly
Detection,
Enrichment
Required!

134. Guidance For Defenders
If Adversaries Are Moving
Towards Greater
Automation &
Efficiencies, Defenders
Will Be LOST If We Do
Not Do The Same!

135. Advice For Offense

136. Advice For Offense
Human-Drive Operations Are
Rapidly Being Replaced In Ops

137. Advice For Offense
Human-Drive Operations Are
Rapidly Being Replaced In Ops
Adversary Emulation &
Success Requires
Understanding Trends

138. Advice For Offense
Human-Drive Operations Are
Rapidly Being Replaced In Ops
Adversary Emulation &
Success Requires
Understanding Trends
Testing & Probing Will Become
More Technically Challenging!

139. Where Do We Go From Here?
Networks Of Various Types Will
Continue To Be Weaponized By Diverse
Parties, Either As End-Targets Or Means
To Reaching Them…

140. Where Do We Go From Here?
Networks Of Various Types Will
Continue To Be Weaponized By Diverse
Parties, Either As End-Targets Or Means
To Reaching Them…
…The Increasing Scale & Velocity Of
Campaigns Will Make Defense &
Response Challenging - But Not
Impossible!

141. Questions?

142. Selected Works Cited
● The Vulkan Files - Papertrail Media (https://www.papertrailmedia.de/investigations/vulkan-files/)
● Vulkan Files - Der Spiegel (https://www.spiegel.de/thema/vulkanfiles/)
● “Secret Trove Offers Rare Look Into Russian Cyberwar Ambitions” - Craig Timberg, Ellen Nakashima, Hannes Munzinger, & Hakan Tanriverdi, The
Washington Post (https://www.washingtonpost.com/national-security/2023/03/30/russian-cyberwarfare-documents-vulkan-files/)
● “‘Vulkan Files’ Leak Reveals Putin’s Global And Domestic Cyberwarfare Tactics” - Luke Harding, Stiliyana Simeonova, Manisha Ganguly, & Dan Sabbagh,
The Guardian (https://www.theguardian.com/technology/2023/mar/30/vulkan-files-leak-reveals-putins-global-and-domestic-cyberwarfare-tactics)
● “Contracts Identify Cyber Operations Projects From Russian Company NTC Vulkan” - Alden Wahlstrom, Gabby Roncone, Keith Lunden, & Daniel
Kapellmann Zafra, Mandiant (https://www.mandiant.com/resources/blog/cyber-operations-russian-vulkan)
● “Dragos Analyzes Russian Programs Threatening Critical Civilian Infrastructure” - Kevin Woolf & Bryce Livingston, Dragos
(https://hub.dragos.com/hubfs/Dragos_IntelBrief_Russian-Programs-Threatening-Critical_Infrastructure.pdf)
● “Zeroing In On XENOTIME” - Joe Slowik, VirusBulletin
(https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Zeroing-in-on-XENOTIME-analysis-of-the-entities-responsible-for-the-Tri
ton-event.pdf)
● CyberWatchers Twitter Thread (https://threadreaderapp.com/thread/1615358254409986053.html)
● “New VPNFilter Malware Targets At Least 500k Networking Devices Worldwide” - William Largent, Cisco Talos
(https://blog.talosintelligence.com/vpnfilter/)
● “New Sandworm Malware Cyclops Blink Replaces VPNFilter” - US CISA (https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-054a)
● “The Great Firewall Of China: Xi Jinping’s Internet Shutdown” - Elizabeth C. Economy, The Guardian
(https://www.theguardian.com/news/2018/jun/29/the-great-firewall-of-china-xi-jinpings-internet-shutdown)
● “China’s Great Cannon” - Bill Marczak, Nicholas Weaver, Jakub Dalek, Roya Ensafi, David Fifield, Sarah McKune, Arn Rey, John Scott-Railton, Ron Deibert, &
Vern Paxson, The Citizen Lab (https://citizenlab.ca/2015/04/chinas-great-cannon/)
● “A Close Look At The NSA’s Most Powerful Internet Attack Tool” - Nicolas Weaver, Wired (https://www.wired.com/2014/03/quantum/)
● “NSA’s Automated Hacking Engine Offers Hands-Free Pwning Of The World” - Sean Gallagher, Ars Technica
(https://arstechnica.com/information-technology/2014/03/nsas-automated-hacking-engine-offers-hands-free-pwning-of-the-world/)
● “Hack Like The NSA: The Quantum Insert” - otw, HackersArise (https://www.hackers-arise.com/post/2016/09/09/hack-like-the-nsa-the-quantum-insert)

143. Contact Info:
● joe@paralus.co
● @jfslowik - X/Mastodon/Bsky
● Signal (Talk To Me First!)