{"id":51251,"date":"2023-03-30T19:54:07","date_gmt":"2023-03-30T19:54:07","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/34481\/Secret-Trove-Offers-Rare-Look-Into-Russian-Cyberwar-Ambitions.html"},"modified":"2023-03-30T19:54:07","modified_gmt":"2023-03-30T19:54:07","slug":"secret-trove-offers-rare-look-into-russian-cyberwar-ambitions","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/secret-trove-offers-rare-look-into-russian-cyberwar-ambitions\/","title":{"rendered":"Secret Trove Offers Rare Look Into Russian Cyberwar Ambitions"},"content":{"rendered":"<div class=\"grid-full-bleed\" readability=\"7.8137614678899\">\n<div class=\"center pt-lg pt-lg-mod-ns grid-layout \" readability=\"11.03119266055\">\n<p><h2 class=\"ma-auto font--subhead font-light offblack subheadline mb-sm mb-md-ns\">More than 5,000 pages of documents from a Moscow-based contractor offer unusual glimpses into planning and training for security services, including the notorious hacking group Sandworm<\/h2>\n<\/p>\n<div class=\"grid-center w-100\">\n<div class=\"flex print-byline print-mt-none justify-center\" readability=\"4.7990654205607\">\n<div class=\"byline-wrapper flex-column flex items-ns-center\" readability=\"5.9065420560748\">\n<div class=\"mb-xxs\" data-qa=\"author-byline\"><span><\/p>\n<div class=\"dib items-center\" data-qa=\"author-byline\"><span class><\/p>\n<p><span data-qa=\"author-name\" rel=\"author\" class=\"wpds-c-kBnelm wpds-c-kBnelm-cIdiJW-isLink-false\">Hannes Munzinger<\/span><\/p>\n<p><span class=\"wpds-c-kpjDGe wpds-c-kpjDGe-ijEKCyf-css\"> and<!-- -->&nbsp;<\/span><\/span><\/div>\n<div class=\"dib items-center\" data-qa=\"author-byline\"><span class><\/p>\n<p><span data-qa=\"author-name\" rel=\"author\" class=\"wpds-c-kBnelm wpds-c-kBnelm-cIdiJW-isLink-false\">Hakan Tanriverdi<\/span><\/p>\n<p><span class=\"wpds-c-kpjDGe wpds-c-kpjDGe-ijEKCyf-css\"><\/span><\/span><\/div>\n<p><\/span><\/div>\n<p><span 
data-testid=\"display-date\" class=\"wpds-c-iKQyrV\">March 30, 2023 at 11:00 a.m. EDT<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"grid-center grid-tablet-full-bleed\">\n<div data-testid=\"lede-art\" data-qa=\"lede-art\" class>\n<figure class=\"overflow-hidden relative hide-for-print center center mb-sm mb-md-ns ml-auto-ns mr-auto-ns\">\n<div class=\"w-100 mw-100 h-auto\" width=\"600\" height=\"399\"><img alt class=\"w-100 mw-100 h-auto\" width=\"600\" height=\"399\" srcset=\"https:\/\/www.washingtonpost.com\/wp-apps\/imrs.php?src=https:\/\/arc-anglerfish-washpost-prod-washpost.s3.amazonaws.com\/public\/A2NXKY4SYRBXFCOW7UITGOWJ64.jpg&amp;w=440 400w, https:\/\/www.washingtonpost.com\/wp-apps\/imrs.php?src=https:\/\/arc-anglerfish-washpost-prod-washpost.s3.amazonaws.com\/public\/A2NXKY4SYRBXFCOW7UITGOWJ64.jpg&amp;w=540 540w, https:\/\/www.washingtonpost.com\/wp-apps\/imrs.php?src=https:\/\/arc-anglerfish-washpost-prod-washpost.s3.amazonaws.com\/public\/A2NXKY4SYRBXFCOW7UITGOWJ64.jpg&amp;w=691 691w, https:\/\/www.washingtonpost.com\/wp-apps\/imrs.php?src=https:\/\/arc-anglerfish-washpost-prod-washpost.s3.amazonaws.com\/public\/A2NXKY4SYRBXFCOW7UITGOWJ64.jpg&amp;w=767 767w, https:\/\/www.washingtonpost.com\/wp-apps\/imrs.php?src=https:\/\/arc-anglerfish-washpost-prod-washpost.s3.amazonaws.com\/public\/A2NXKY4SYRBXFCOW7UITGOWJ64.jpg&amp;w=916 916w, https:\/\/www.washingtonpost.com\/wp-apps\/imrs.php?src=https:\/\/arc-anglerfish-washpost-prod-washpost.s3.amazonaws.com\/public\/A2NXKY4SYRBXFCOW7UITGOWJ64.jpg&amp;w=1200 1200w, https:\/\/www.washingtonpost.com\/wp-apps\/imrs.php?src=https:\/\/arc-anglerfish-washpost-prod-washpost.s3.amazonaws.com\/public\/A2NXKY4SYRBXFCOW7UITGOWJ64.jpg&amp;w=1440&amp;impolicy=high_res 1440w\" sizes=\"(max-width: 440px) 440px,(max-width: 768px) 691px,(max-width: 1023px) 916px,(max-width: 1199px) 1200px,(min-width: 1200px) 1440px,440px\" decoding=\"async\"><\/div><figcaption class=\"ml-gutter mr-gutter mr-auto-ns ml-auto-ns 
font--subhead font-xxxs mt-xs left gray-dark\">The leak of documents from a Moscow-based defense contractor is unusual for Russia\u2019s secretive military industrial complex. (Washington Post illustration, NTC Vulkan; iStock)<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"teaser-content grid-center\" readability=\"37\">\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"36\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy drop-cap\" dir=\"null\">Russian intelligence agencies worked with a Moscow-based defense contractor to strengthen their ability to launch cyberattacks, sow disinformation and surveil sections of the internet, according to thousands of pages of confidential corporate documents.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"38\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The documents detail a suite of computer programs and databases that would allow Russia\u2019s intelligence agencies and hacking groups to better find vulnerabilities, coordinate attacks and control online activity. The documents suggest the firm was supporting operations including both social media disinformation and training to remotely disrupt real-world targets, such as sea, air and rail control systems.<\/p>\n<\/div>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"39\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">An anonymous person provided the documents from the contractor, NTC Vulkan, to a German reporter after expressing outrage about Russia\u2019s attack on Ukraine. 
The leak, an unusual occurrence for Russia\u2019s secretive military industrial complex, demonstrates another unintended consequence of President Vladimir Putin\u2019s decision to take his country to war.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"35\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Officials from five Western intelligence agencies and several independent cybersecurity companies said they believe the documents are authentic, after reviewing excerpts at the request of The Washington Post and several partner news organizations.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"36\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">These officials and experts could not find definitive evidence that the systems have been deployed by Russia or been used in specific cyberattacks, but the documents describe testing and payments for work done by Vulkan for the Russian security services and several associated research institutes. 
The company has both government and civilian clients.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"0\">\n<p><span class=\"wpds-c-PJLV wpds-c-PJLV-jQCwLd-variant-interstitial wpds-c-PJLV-iPJLV-css font--article-body font-copy hide-for-print ma-0 pb-md db overrideStyles\"><a data-qa=\"interstitial-link\" href=\"https:\/\/www.washingtonpost.com\/national-security\/2023\/03\/30\/takeaways-vulkan-files-investigation\/?itid=lk_interstitial_manual_7\">7 takeaways from the Vulkan Files investigation<\/a><\/span><\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"38\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The trove offers a rare window into the secret corporate dealings of Russia\u2019s military and spy agencies, including work for the notorious government hacking group Sandworm. U.S. officials have accused Sandworm of twice causing power blackouts in Ukraine, disrupting the Opening Ceremonies of the 2018 Winter Olympics and launching NotPetya, the most economically destructive malware in history.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"40\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">One of the leaked documents mentions the numerical designation for Sandworm\u2019s military intelligence unit, 74455, suggesting that Vulkan was preparing software for use by the elite hacking squad. 
The unsigned, 11-page document, dated 2019, showed a Sandworm official approving the data transfer protocol for one of the platforms.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"35.376344086022\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">\u201cThe company is doing bad things, and the Russian government is cowardly and wrong,\u201d said the person who provided the documents to the German reporter, shortly after the invasion of Ukraine. The reporter then shared them with a consortium of news organizations, which includes The Washington Post and <a href=\"http:\/\/www.spiegel.de\/vulkanfiles\" target=\"_blank\" rel=\"noopener\">is led by Paper Trail Media and Der Spiegel<\/a>, both based in Germany.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The anonymous person, who spoke to the reporter through an encrypted chat app, declined to identify themself before ending contact, declaring the need to vanish \u201clike a ghost\u201d for security reasons.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"35\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">\u201cI am angry about the invasion of Ukraine and the terrible things that are happening there,\u201d the person said. 
\u201cI hope you can use this information to show what is happening behind closed doors.\u201d<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"35\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Vulkan did not respond to requests for comment. An employee of the company who answered the phone at its head office confirmed that an email with queries had been received and said it would be answered by company officials, \u201cif it is of interest to them.\u201d<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"32\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">No responses came. Kremlin officials also did not reply to requests for comment.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"40\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The cache of more than 5,000 pages of documents, dated between 2016 and 2021, includes manuals, technical specification sheets and other details for software that Vulkan designed for the Russian military and intelligence establishment. 
It also includes internal company emails, financial records and contracts that show both the ambition of Russia\u2019s cyber operations and the breadth of the work Moscow has been outsourcing.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"33\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">This includes programs to create fake social media pages and software that can identify and stockpile lists of vulnerabilities in computer systems across the globe for possible future targeting.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"36\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Several mock-ups of a user interface for a project known as Amezit appear to depict examples of possible hacking targets, including the Foreign Ministry in Switzerland and a nuclear power plant in that nation. Another document shows a map of the United States with circles that appear to represent clusters of internet servers.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"38\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">One illustration for a Vulkan platform called Skan makes reference to a U.S. location, labeled \u201cFairfield,\u201d as a place to find network vulnerabilities for use in an attack. 
Another document describes a \u201cuser scenario\u201d in which hacking teams would identify insecure routers in North Korea, presumably for potential use in a cyberattack.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"41\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The documents do not, however, include verified target lists, malicious software code or evidence linking the projects to known cyberattacks. Still, they offer insights into the aims of a Russian state that \u2014 like other major powers, including the United States \u2014 is eager to grow and systematize its ability to conduct cyberattacks with greater speed, scale and efficiency.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"35.985037406484\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">\u201cThese documents suggest that Russia sees attacks on civilian critical infrastructure and social media manipulation as one and the same mission, which is essentially an attack on the enemy\u2019s will to fight,\u201d said John Hultquist, the vice president for intelligence analysis at <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/cyber-operations-russian-vulkan\" target=\"_blank\" rel=\"noopener\">the cybersecurity firm Mandiant<\/a>, which reviewed selections of the document at the request of The Post and its partners.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\">\n<h3 data-qa=\"article-header\" class=\" pb-sm pt-md\" id=\"DYW3EWSAA5EYXAMDKYOHHSYM7A\">\n<p>\u2018A critical pillar\u2019<\/p>\n<\/h3>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"39\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The role of contractors in Russian cyberwarfare is \u201cvery significant,\u201d especially for the Russian military intelligence agency commonly called the GRU, said a Western intelligence analyst, speaking on the condition of anonymity to share sensitive findings. \u201cThey are a critical pillar of GRU offensive cyber research and development. They provide expertise that the GRU may lack on a given issue. The spy services can do cyber operations without them, but likely not as well.\u201d<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"40\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Three former Vulkan employees, who spoke on the condition of anonymity out of fear of retribution, confirmed some details about the company. 
Financial records for Vulkan, which were separately obtained by the news organizations, match references in the documents in several instances, detailing millions of dollars worth of transactions between known Russian military or intelligence entities and the company.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The intelligence and cybersecurity experts said details in the documents also match information collected about Russia\u2019s hacking programs \u2014 including in a smaller previous leak \u2014 and appear to describe new tools for enabling offensive cyber operations. Vulkan, they said, is one of dozens of private firms known to provide tailored cyber capabilities to the Russian security services.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"41\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The experts cautioned that it was not clear which of the programs had been completed and deployed, as opposed to being merely developed and ordered up by the Russian military, including by units linked to the GRU. The documents do, however, refer to state-mandated testing, changes desired by the clients and finished projects, strongly suggesting that at least trial versions of some of the programs were activated.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">\u201cYou don\u2019t find network diagrams and design documents like this very often. It really is very intricate stuff. 
This wasn\u2019t meant to be ever seen publicly,\u201d said one of the Western intelligence officials, speaking on the condition of anonymity to share candid assessments of sensitive findings. \u201cBut it makes sense to pay attention. Because you better understand what the GRU is trying to do.\u201d<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"39\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The Threat Analysis Group at Google, the tech company\u2019s premier cyberthreat hunter, found evidence in 2012 that Vulkan was being used by the SVR, Russia\u2019s foreign intelligence service. The researchers observed a suspicious test phishing email being sent from a Gmail account to a Vulkan email account that had been set up by the same person, evidently a company employee.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"36\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">\u201c[T]he use of test messages is common practice to test phishing emails prior to their use,\u201d Google said in a statement. After that test email, the Google analysts saw the same Gmail address being used to send malware known to be employed by SVR against other targets.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"36\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">That was \u201cnot the smartest move\u201d on the Vulkan employee\u2019s part, said one Google analyst, speaking on the condition of anonymity to describe sensitive findings. 
\u201cIt was definitely a slip-up.\u201d<\/p>\n<\/div>\n<div class=\"article-body grid-body grid-center\" data-qa=\"article-body\" readability=\"49\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">References to the company also can be found in VirusTotal, a Google-owned service with a database of malicious software that is a resource for security researchers.<\/p>\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">A file labeled \u201cSecret Party NTC Vulkan\u201d is a holiday invitation disguised in a piece of malware that normally takes control of a user\u2019s computer. The invitation \u2014 apparently harmless \u2014 automatically downloads an illustration of a large bear alongside a champagne bottle and two glasses.<\/p>\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The image is labeled \u201cAPT Magma Bear,\u201d a reference to Western cybersecurity officials\u2019 labeling of Russian hacking groups with ursine code names. 
APT refers to \u201cAdvanced Persistent Threat,\u201d a cybersecurity term for the most serious hacking groups, which are typically run by nation states such as Russia.<\/p>\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The invitation reads \u201cAPT Magma Bear wishing you and your family a wonderful holiday season and a healthy and peaceful New Year!\u201d as Soviet military music plays in the background.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"31\">\n<h3 data-qa=\"article-header\" class=\" pb-sm pt-md\" id=\"GHMSTPQDU5COHI74WXTOLBOO2E\" readability=\"-3\">\n<p>Ties to Western corporations<\/p>\n<\/h3>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"34\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Vulkan was founded in 2010 and has about 135 employees, according to Russian business information websites. 
The company website says its main headquarters is in northeast Moscow.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"34\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">A promotional video on the company website portrays Vulkan as a scrappy tech start-up that \u201csolves corporate problems\u201d and has a \u201ccomfortable work environment.\u201d It ends by declaring that Vulkan\u2019s goal is to \u201cmake the world a better place.\u201d<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"32\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The promotional video does not mention military or intelligence contracting work.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"36\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">\u201cThe work was fun. We used the latest technologies,\u201d said one former employee in an interview, speaking on the condition of anonymity for fear of retribution. \u201cThe people were really clever. And the money was good.\u201d<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Some former Vulkan employees later worked for major Western companies, including Amazon and Siemens. 
Both companies issued statements that did not dispute that former Vulkan employees worked for them, but they said that internal corporate controls protected against unauthorized access to sensitive data.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The documents also show that Vulkan intended to use an array of U.S. hardware in setting up systems for Russian security services. The design documents repeatedly refer to American products, including Intel processors and Cisco routers, that should be used to configure the \u201chardware-software\u201d systems for Russian military and intelligence units.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"40\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">There are other connections to U.S. companies. Some of those companies, including IBM, Boeing and Dell at one time worked with Vulkan, according to its website, which describes commercial software development work with no obvious ties to intelligence and hacking operations. 
Representatives of IBM, Boeing and Dell did not dispute that those entities previously worked with Vulkan but said they do not now have any business relationships with the company.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\">\n<h3 data-qa=\"article-header\" class=\" pb-sm pt-md\" id=\"27O6N7KZHNAGVEOCYPTUXOMWWI\">\n<p>Automated disinformation<\/p>\n<\/h3>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"26\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\"><a href=\"http:\/\/sz.de\/vulkanfiles\" target=\"_blank\" rel=\"noopener\">The trove of documents initially was shared with a reporter for the German newspaper S\u00fcddeutsche Zeitung<\/a>. 
The consortium examining the documents has 11 members \u2014 including The Post, the Guardian, Le Monde, Der Spiegel, iStories, Paper Trail Media and S\u00fcddeutsche Zeitung \u2014 from eight countries.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"33\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Among the thousands of pages of leaked Vulkan documents are projects designed to automate and enable operations across Russian hacking units.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"38\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Amezit, for example, details tactics for automating the creation of massive numbers of fake social media accounts for disinformation campaigns. One document in the leaked cache describes how to use banks of mobile phone SIM cards to defeat verification checks for new accounts on Facebook, Twitter and other social networks.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Reporters for Le Monde, Der Spiegel and Paper Trail Media, working from Twitter accounts listed in the documents, found evidence that these tools probably had been used for numerous disinformation campaigns in several countries.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"35\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">One effort included tweets in 2016 \u2014 when Russian disinformation operatives were working to boost 
Republican presidential candidate Donald Trump and undermine Democrat Hillary Clinton \u2014 linking to a website claiming that Clinton had made \u201ca desperate attempt\u201d to \u201cregain her lead\u201d by seeking foreign support in Italy.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The reporters also found evidence of the software being used to create fake social media accounts, inside and outside of Russia, to push narratives in line with official state propaganda, including denials that Russian attacks in Syria killed civilians.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"36\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Amezit has other features designed to allow Russian officials to monitor, filter and surveil sections of the internet in regions they control, the documents show. 
They suggest that the program contains tools that shape what internet users would see on social media.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"34\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The project is repeatedly described in the documents as a complex of systems for \u201cinformation restriction of the local area\u201d and the creation of an \u201cautonomous segment of the data transmission network.\u201d<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">A 2017 draft manual for one of the Amezit systems offers instructions on the \u201cpreparation, placement and promotion of special materials\u201d \u2014 most likely propaganda distributed using fake social media accounts, telephone calls, emails and text messages.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"31\">\n<h3 data-qa=\"article-header\" class=\" pb-sm pt-md\" id=\"RFOP3RSGSVHRFJ7LCHQKOIILKQ\" readability=\"-3\">\n<p>Mapping critical infrastructure<\/p>\n<\/h3>\n<\/div>\n<div class=\"article-body grid-center grid-body\" 
data-qa=\"article-body\" readability=\"35\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">One of the mock-ups in a 2016 design document allows a user to hover a cursor over an object on a map and display IP addresses, domain names and operating systems as well as other information about \u201cphysical objects.\u201d<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"38\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">One such physical object \u2014 highlighted in fluorescent green \u2014 is the Ministry of Foreign Affairs in Bern, Switzerland, which shows a hypothetical email address and the \u201cattack goal\u201d to \u201cobtain root user privileges.\u201d The other object highlighted on the map is the Muhleberg Nuclear Power Plant, west of Bern. It stopped producing power in 2019.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Dmitri Alperovitch, who co-founded the cyberthreat intelligence firm CrowdStrike, said that the documents indicate that Amezit is intended to enable discovery and mapping of critical facilities such as railways and power plants, but only when the attacker has physical access to a facility.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"38\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">\u201cWith physical access, you can plug this tool into a network and it will map out vulnerable machines,\u201d said Alperovitch, now the chairman of Silverado Policy 
Accelerator, a think tank in Washington.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"36\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Emails suggest that the Amezit systems were at least tested by Russian intelligence agencies by 2020. A company email dated May 16, 2019, describes feedback from the customer and desires for changes in the program. A spreadsheet marks which parts of the project have been finished.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"36\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">A document in the trove also suggests that Vulkan was contracted in 2018 to create a training program called Crystal-2 to provide simultaneous operation by up to 30 trainees. The document mentions testing \u201cthe Amezit system to disable [incapacitate] control systems for rail, air and sea transport\u201d but does not make clear whether the training program conceived in the documents went forward.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"35\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Trainees also would be \u201ctesting methods for obtaining unauthorized access to local computer and technological networks of infrastructure and facilities to support life in population centers and industrial areas,\u201d potentially using capabilities the document ascribes to Amezit.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"34\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" 
dir=\"null\">Later in the document, the text reads: \u201cThe level of secrecy of processed and stored information in the product is \u2018Top Secret.\u2019\u201d<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"31\">\n<h3 data-qa=\"article-header\" class=\" pb-sm pt-md\" id=\"Q7STQWYBPVEHVME2TS6PTDFTOM\" readability=\"-3\">\n<p>Repository of vulnerabilities<\/p>\n<\/h3>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"36\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Skan, the other main project described in the documents, allowed Russia\u2019s attackers continuously to analyze the internet for vulnerable systems and compile them in a database for possible future attacks.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"35\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Joe Slowik, the threat intelligence manager at the cybersecurity company Huntress, said Skan probably was designed to work in tandem with other software.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"34\">\n<p data-testid=\"drop-cap-letter\" 
data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">\u201cThis is the background system that would allow for it all \u2014 organizing and potentially tasking and targeting of capabilities in a way that can be centrally managed,\u201d he said.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Slowik said Sandworm, the Russian military hacking group blamed for numerous disruptive attacks, was likely to want to keep a large repository of vulnerabilities. A document from 2019 says Skan could be used to display \u201ca list of all possible attack scenarios\u201d and highlight all the nodes on the network that could be involved in the attacks.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"36\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">The system also appears to enable coordination among Russian hacking units, allowing \u201cthe ability to exchange data between prospective geographically dispersed special units,\u201d according to the leaked documents.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">\u201cSkan reminds me of old military movies where people stand around \u2026 and place their artillery and troops on the map,\u201d says Gabby Roncone, another cybersecurity expert at Mandiant. 
\u201cAnd then they want to understand where the enemy tanks are and where they need to strike first to break through the enemy lines.\u201d<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"32\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">There is evidence that at least some part of Skan was delivered to the Russian military.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"39\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">In an email dated May 27, 2020, Vulkan developer Oleg Nikitin described collecting a list of employees \u201cto visit the territory of our functional user\u201d to install and configure equipment for the Skan project, and upgrade and configure software and demonstrate functionality. 
The functional user is described as \u201cKhimki,\u201d a reference to the Moscow suburb where Sandworm is based.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">\u201cThe territory is closed, the regime is strict,\u201d Nikitin wrote, using Russian terms for a protected, secret government facility.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"32\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\">Nikitin did not reply to a request for comment.<\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"32\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\"><i>Maria Christoph from Paper Trail Media contributed to this report.<\/i><\/p>\n<\/div>\n<div class=\"article-body grid-center grid-body\" data-qa=\"article-body\" readability=\"37\">\n<p data-testid=\"drop-cap-letter\" data-el=\"text\" class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\" dir=\"null\"><i>Craig Timberg is The Post\u2019s senior editor for collaborative investigations and a former technology reporter. Ellen Nakashima is a Post national security reporter who has written about cybersecurity and intelligence issues. Hannes Munzinger and Hakan Tanriverdi are senior investigative reporters for Paper Trail Media, based in Munich. 
Munzinger received the document trove and had initial conversations with the source while working for his previous employer, S\u00fcddeutsche Zeitung.<\/i><\/p>\n<\/div>\n<div class=\"grid-center grid-body\">\n<div class=\"wpds-c-jjHkyS hide-for-print\" readability=\"9.6576728499157\">\n<div data-qa=\"content\" class=\"wpds-c-bBtBOR wpds-c-bBtBOR-iPJLV-css\" readability=\"15.116357504216\">\n<h3 data-qa=\"linkbox-headline\" class=\"wpds-c-jtAZFm\">About the Vulkan Files<\/h3>\n<p class=\"wpds-c-eynqHn\">This investigation was a collaboration among journalists from eight countries working at 11 news organizations, including The Washington Post. Leading the project were <a href=\"http:\/\/www.spiegel.de\/vulkanfiles\" target=\"_blank\" rel=\"noopener\">Paper Trail Media and Der Spiegel<\/a> in Germany. Also participating from that country were <a href=\"http:\/\/sz.de\/vulkanfiles\" target=\"_blank\" rel=\"noopener\">S\u00fcddeutsche Zeitung<\/a> and <a href=\"https:\/\/www.zdf.de\/nachrichten\/digitales\/vulkan-files-cyberangriff-hacker-ukraine-krieg-russland-100.html\" target=\"_blank\" rel=\"noopener\">ZDF<\/a>. Other partners include the Guardian in Britain, <a href=\"https:\/\/www.lemonde.fr\/pixels\/article\/2023\/03\/30\/dans-les-coulisses-de-vulkan-usine-d-armes-numeriques-des-services-russes_6167610_4408996.html\" target=\"_blank\" rel=\"noopener\">Le Monde<\/a> in France, Tamedia in Switzerland, the <a href=\"https:\/\/www.dr.dk\/nyheder\/viden\/teknologi\/laek-fra-russisk-it-virksomhed-giver-enestaaende-indblik-i-putins-digitale\" target=\"_blank\" rel=\"noopener\">Danish Broadcasting Corporation<\/a> in Denmark, Der Standard in Austria and iStories, a news site covering Russia that is based in Latvia.<\/p>\n<p class=\"wpds-c-eynqHn\">Editing by Ben Pauker. 
Copy editing by Gilbert Dunkley.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/34481\/Secret-Trove-Offers-Rare-Look-Into-Russian-Cyberwar-Ambitions.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE 
HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[9889],"class_list":["post-51251","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-blogs","tag-headlinehackergovernmentrussiacyberwar"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=51251"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51251\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=51251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=51251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=51251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}