At the tail-end of March, Mandiant released a report detailing a number of leaked contracts from Vulkan, an IT contracting firm in Moscow. The contracts outline project requirements for engagements between Vulkan and the Russian Ministry of Defense and GRU Unit 74455 (aka Sandworm).
Three projects of note found in the Vulkan files are Scan, Amezit, and Krystal-2B.
- Scan is a framework for large-scale data collection that could facilitate efficient cyber operations across a range of domains from espionage to destructive attacks on critical infrastructure.
- Amezit is a framework for optimizing information operations (IO) and the storage/communication of data to support operational technology (OT) operations.
- Krystal-2B is a training platform for exercising IO and OT operations and can be used to coordinate these attacks.
Details on these projects demonstrate Sandworm's and the Russian government's interest in, and intent to conduct, attacks on the OT of critical infrastructure, particularly railways, energy utilities, pipeline systems, and the transportation sector.
The Vulkan files reiterate many experts' claims that Sandworm is the biggest threat actor around today, since attacks on critical infrastructure, and specifically on OT, have the ability to poison water systems, derail trains, and cause explosions at chemical or nuclear plants. Organizations falling under the critical infrastructure umbrella should remain diligent in tracking Sandworm and in protecting their OT networks.