{
	"id": "b59d872c-f258-4fbd-8a74-3b6136458550",
	"created_at": "2026-04-06T00:13:22.667417Z",
	"updated_at": "2026-04-10T03:37:09.23224Z",
	"deleted_at": null,
	"sha1_hash": "0a5f14e5f39b12b6f1d61e5891074874dc869a3b",
	"title": "Contracts Identify Cyber Operations Projects from Russian Company NTC Vulkan | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1667215,
	"plain_text": "Contracts Identify Cyber Operations Projects from Russian Company NTC Vulkan | Mandiant\r\nBy Mandiant\r\nPublished: 2023-03-30 · Archived: 2026-04-05 18:20:26 UTC\r\nWritten by: Alden Wahlstrom, Gabby Roncone, Keith Lunden, Daniel Kapellmann Zafra\r\nAs a part of Mandiant’s research on Russian cyber and information operations (IO) capabilities, Mandiant worked with a collective of media outlets, including Papertrail Media, Der Spiegel, Le Monde, and Washington Post, to analyze several documents belonging to a Russian IT contractor named NTC Vulkan (Russian: НТЦ Вулкан). The documents detail project requirements contracted with the Russian Ministry of Defense, including in at least one instance for GRU Unit 74455, also known as Sandworm Team. These projects include tools, training programs, and a red team platform for exercising various types of offensive cyber operations, including cyber espionage, IO, and operational technology (OT) attacks.\r\nThe documents, which are dated between 2016 and 2020, offer a brief snapshot of previous Russian investments and considerations in scaling cyber operations and capability development. However, Mandiant lacks evidence to prove that the capabilities we discuss have been implemented or are feasible.\r\nA note on source authenticity: Mandiant cannot conclusively confirm the authenticity of these documents based on limitations in our current visibility. However, we strongly suspect they are legitimate based on consistencies observed across the documents we reviewed, limited instances where we were able to validate details externally, and an apparent alignment between the capabilities detailed for development in these programs and those that we have previously observed used at high levels by Russian intelligence services.\r\nNTC Vulkan Documents Detail Requirements to Develop Cyber and IO Capabilities\r\nNTC Vulkan is a Russian IT contractor based in Moscow, which publicly advertises working on contracts with large companies and government agencies within Russia. The company’s website cites compliance with Russian government standards but does not publicly state working with Russian state contractors, such as research institutes or Russian intelligence services. Based on our analysis of the leaked documentation, NTC Vulkan has held contracts with Russian intelligence services on projects to enable cyber and IO operations, potentially in tandem with cyber operations against OT targets.\r\nThe documents detail three projects: Scan, Amesit, and Krystal-2B.\r\nTool | Description | Contract Dates\r\nScan | A comprehensive framework likely used to enable cyber operations. Scan consists of a variety of methods for large-scale data collection and contains comprehensive documentation on how to structure databases to store and handle such information. Based on the signatories, Scan documentation was contracted (at least in part) by GRU Unit 74455, or Sandworm Team. | ~2018-2019\r\nAmesit (Alt: Amezit) | A framework used to control the online information environment and manipulate public opinion, enhance psychological operations, and store and organize data for upstream communication of efforts. Information confrontation and psychological operations in Amesit are designed to support IO and OT-related operations. | 2016-2018\r\nKrystal-2B | A training platform for exercising coordinated IO/OT attacks against transportation and utility industries using Amesit. The exercise’s program highlights particular scenarios against OT environments and Russian infrastructure. Krystal-2B may be a red teaming or defensively focused exercise, but demonstrates interest in coordinating IO/OT attacks. | 2018-2020\r\nTable 1: Summary of main projects identified in NTC Vulkan documents\r\nCyber Capabilities for Information Confrontation\r\nThe cyber operation tools and capabilities detailed in the leaked NTC Vulkan documents are presented as separate and distinct projects. Mandiant did not identify any evidence indicating how or when the tools could be used. However, based on our analysis of the capabilities, we consider it feasible that the projects represent only some pieces of a variety of capabilities pursued by Russian-sponsored actors to conduct different types of cyber operations.\r\nScan appears to be a comprehensive framework used to gather different types of information such as network details, configurations, and vulnerabilities, among other types of data, to enable cyber operations. Amesit and Krystal-2B focus on developing capability to control the information environment, in part by simulating IT/OT attacks. The documents included pictures of a prototype platform that would enable operators to interact with different cyber operation tools. This combination of capabilities is in line with what Russian intelligence services deem a key part of their information confrontation strategy.\r\nReconnaissance, Preparation, and Enablement of the Attack Lifecycle\r\nCapabilities documented in the contracted NTC Vulkan project Scan could help automate parts of the reconnaissance and preparation of operations. Scan is a framework comprising multiple components, including a large-scale database, methods to gather data from various sources, and a platform to process and action such data collections.\r\nThe documentation about Scan is incredibly comprehensive, detailing data transfer between components as well as the open-source and foreign-made software and hardware involved. Additionally, the capabilities described for this tool’s design take into consideration the need for coordination across groups and operators in different locations. A comprehensive capability for gathering and processing data, such as the one described in Scan, could enable the operators to systematize and automate cyber operations to conduct activity across a range of domains, from cyber espionage to OT-targeted attacks.\r\nFigure 2: High-level hardware and software specifications associated with the Scan project\r\nThe Scan framework documentation seems to present requirements and initial designs for a database fed by multiple data sources and built for both automated and manual input to enable cyber operations.\r\nThe documentation provides examples of data collection requirements, including automatic scanning for vulnerabilities, gathering details about network infrastructure, and collecting other relevant information about targets.\r\nScan requirements also include enabling operators to collect data manually and via automation. Another requested capability is a “Processing” component, which is manually operated to serve data requests as needed.\r\nScan requirements also include outlining possible attack paths for operators, visualizing network mappings and target geography. Such capabilities are supposed to be supported by tooling with visualization components and processes for deconfliction across regional units using the framework.\r\nManaging and Executing Information Operations\r\nCapabilities outlined in NTC Vulkan Amesit documentation could support a full information operations life cycle: monitoring the media landscape, creating content to promote a specific narrative, establishing and leveraging means to disseminate that content, and assessing the effectiveness of an operation (Figure 3). The use case detailed in the documents suggests a systematic approach to IO wherein operators can leverage a suite of options to tailor and adapt their operations.\r\nFigure 3: The documents detailing Amesit’s functionality outline a specific information operations cycle that the system should support\r\nRequirements detailed for components of Amesit state that various online forums are “actively used to form and manipulate public opinion” and that an actor interested in manipulating public opinion must be able to identify and leverage the “most effective information channels” to target audiences susceptible to the desired positions.\r\nMonitoring and collection capabilities include those that appear intended to enable operators to track the promotion of a given narrative or issue across various segments of the online discussion, including on news portals, social media, blogs, and forums.\r\nContent creation requirements would allow operators to create or modify so-called “special materials” for dissemination in operations. This includes text, image, video, and audio content in various formats.\r\nMeans to disseminate content across multiple vectors are specified, including via social media and blogs, SMS text messaging, and email.\r\nAn individual operator should be able to manage at least 100 social media profiles from their workstation, according to the requirements.\r\nThe requirements also discuss how to reduce the risk of identification and potential attribution. This includes the ability to clean and replace metadata attached to the files of content created for dissemination, and means of creating inauthentic profiles on social media and forums for content promotion.\r\nFunctions detailed in the requirements also account for the ability to localize the targeting of an operation within a given geographic area. While it is unclear what targets the tools would be used upon, some of the social media platforms and information resources listed as targets for data collection and content dissemination include those more specific to Russia and the surrounding region. The list also includes platforms with broader global usership, suggesting that Amesit tooling could be used for both regional and broader targeting.\r\nTargeting Operational Technology Systems\r\nThe documents from NTC Vulkan also include content related to OT systems in two projects: Krystal-2B and Amesit. Krystal-2B is a training platform that simulates OT attacks against different types of OT environments in coordination with some IO components by leveraging Amesit “for the purpose of disruption.” The Krystal-2B documentation highlights scenarios against Russian military infrastructure, rail systems, airports, sea ports, and energy and water utilities, but does not detail specific methodologies on the malicious activities executed within these exercises. Krystal-2B appears designed to support both offensive exercises against OT environments (Figure 4) and defensive exercises to examine vulnerabilities in Russian military infrastructure.\r\nFigure 4: Sample excerpt of Krystal-2B program highlighting training for OT-oriented cyber attacks\r\nThe Krystal-2B project relies on tooling from another project named Amesit. The OT portion of the project is referenced in a set of testing requirements for Amesit, which describes the implementation of simulated OT test bed environments for rail and pipeline control systems. The Amesit documentation indicates these models would be supported by either graphical or physical models of these systems to visualize the effects of cyber attacks, clearly establishing these industries as Russia’s targets of interest for OT-oriented attacks.\r\nThe only attack-related requirement for the OT test beds is that they provide “simulation of ARP-spoofing attacks, leading to violations of simulated technological processes.” These violations include either common IT-oriented impacts on the network infrastructure or complex changes in the parameters of the OT via “specialized software.” It is unclear whether such software refers to Amesit tooling, legitimate programmable logic controller (PLC) engineering software, or some other existing capabilities. While we have not linked this activity to existing toolsets, frameworks like INCONTROLLER are designed to support these types of parameter changes.\r\nThe document also specifies particular parameters of the control systems that the attacker should be able to affect and physical impacts the attacker should be able to generate. These specifications provide potential insight into the process-level design of these attack scenarios.\r\nFor rail systems, this includes manipulating the speed of trains, creating unauthorized track transfers, causing car traffic barriers to fail, and causing combined heat and power (CHP) units to fail, with the explicit objective of causing train collisions and accidents.\r\nFor pipeline systems, this includes closing valves, shutting down pumps, overfilling tanks, spilling materials, and causing pump cavitation and overheating.\r\nAlthough there is little information in both documents on how the attacks would occur in a real setting, the capabilities we observed are consistent with those Mandiant has observed in previous attacks and tooling from Russian-sponsored actors. Another noteworthy observation is the incorporation of IO capabilities in the same projects that describe OT targeting, which hints at the likelihood of deploying campaigns that leverage both resources to support complex information warfare operations.\r\nTakeaways\r\nThe contracted projects from NTC Vulkan provide insight into the investment of Russian intelligence services in developing capabilities to conduct more efficient operations in the early stages of the attack lifecycle, a part of operations often hidden from our view. A framework like the one suggested in the Scan project illustrates how the GRU may be trying to enable fast-paced operations with high coordination among regional units. A once-segmented GRU cyber operation may become streamlined and more efficient using a framework like Scan.\r\nThese projects also show interest in holistic operations to conduct information control and/or confrontation and amplify the psychological effects of cyber operations. For example, Amesit and Krystal-2B demonstrate a high value placed on the psychological impact of offensive cyber attacks, specifically OT operations, by highlighting the role of information operations in determining the impact of an ICS incident. The combination of different tactics is a familiar feature of Russian cyber operations: an early example is the multifaceted BLACKENERGY operation in 2015 leading to disruption of energy infrastructure in Ukraine. We have also seen the combination of IO and disruptive cyberattacks throughout the Ukraine war.\r\nThe documentation from Krystal-2B and Amesit also displays interest in critical infrastructure targets, particularly energy utilities and oil and gas, but also water utilities and transportation systems, including rail, sea, and air. As we continue to observe the intensification of threat activity from Russian-sponsored actors in parallel to the invasion of Ukraine, defenders should remain aware of the capabilities and priorities reflected in these documents to be prepared to protect critical infrastructure and services.\r\nPosted in Threat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/cyber-operations-russian-vulkan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/cyber-operations-russian-vulkan"
	],
	"report_names": [
		"cyber-operations-russian-vulkan"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a5f14e5f39b12b6f1d61e5891074874dc869a3b.pdf",
		"text": "https://archive.orkl.eu/0a5f14e5f39b12b6f1d61e5891074874dc869a3b.txt",
		"img": "https://archive.orkl.eu/0a5f14e5f39b12b6f1d61e5891074874dc869a3b.jpg"
	}
}