A consortium of media outlets have published a bombshell investigation about Russia’s cyber-capabilities, based on a rare leak of documents. The files come from NTC Vulkan, a cybersecurity firm in Moscow that doubles as a contractor to Russian military and intelligence agencies.
They reveal how, for years, a group of top Russian IT engineers have been hired to work with Russian military intelligence and a research facility of the FSB, Vladimir Putin’s domestic spy agency. This might seem an unusual mix, and would have been unimaginable before the end of the cold war.
But the documents, which I have reviewed, depict a new world of collaboration between the Russian military and its secret police. And they show how much more aggressive Putin’s siloviki, or security forces, have become since the collapse of the Soviet Union.
Historically, there was never much love between the Russian army and secret police – and for a good reason. The army had never forgotten Joseph Stalin’s murderous purges, and after the revolutionary dictator’s death the KGB (the FSB’s predecessor) retained powers to keep an eye on the military. Nobody likes having someone breathing down their neck.
Russia’s army and its secret police did not just hate each other; they viewed the world through different lenses. Putin’s era brought about new rules and a new mentality, as the Vulkan files make clear.
Take the Amezit project. Vulkan received a contract for the development of Amezit from the Rostov Scientific Institute, one of the very few Russian research facilities directly owned by the FSB. Amezit was developed as a tool that would give an operator the means to take control of all kinds of cyber-traffic in a region – from mobile networks to social media – and, if necessary, to isolate that region from the outside world and create an information blackout.
In a nutshell, Amezit’s goal is information control; not just suppressing independent information, but defining the narrative. A subsection of the project, PRR, was developed to allow the operator to spread disinformation on social media.
It sounds like textbook FSB, which is in charge of conducting surveillance in Russia, and has always considered the free flow of information to be a direct threat to the stability of the government.
But Amezit was not intended for FSB use – the Rostov institute was acting as a front for the Russian military. It was the military that commissioned the development of a system to help its personnel quickly take control over sections of cyberspace.
This might seem the kind of tool the Russian army would want to quickly commission for use in Ukraine. But the documents show that this kind of mindset was adopted by the military six years before Russia’s 2022 invasion.
The leaked files also suggest the Russian army long ago abandoned Soviet-era limitations that restricted the use of offensive weapons to a time of war. The borders between war and peace in Russia are not just blurred, they are nonexistent.
And that makes the present-day army’s mindset much closer to that of the secret police. The military do not have second thoughts about using tools that would introduce censorship and information blackouts, coupled with the spreading of disinformation on Russian soil or anywhere else it may be deployed.
The Vulkan files also raise difficult questions about how much the software engineers who helped build these systems knew about their purpose.
Some of the engineers must surely have understood the significance of the tools they were creating. Their company was licensed by the FSB, with high security clearance. Relevant personnel were fully briefed about the need to protect secrecy, and to ensure they remembered what was at stake. There were even FSB officers in-house.
Some of Vulkan’s programmers were graduates of technical universities such as Bauman, which has a longstanding connection with the military. They were direct products of a peculiar Soviet system for creating engineers who were expected to behave as technical servants of the state’s military-industrial complex.
For decades, Soviet engineers were schooled intensively in technical skills, but the breadth of their education was narrow. They were taught to work on projects without questioning the bigger picture. Rarely, if ever, were they exposed to the humanities. In return for their loyalty, they were treated with respect and paid relatively good salaries.
That education model was never changed after the collapse of the Soviet Union. New generations of engineers emerged, specialising in computer programming. Many were driven not by ideology but anger, having come to blame the west for their loss of social status.
Putin and his military and security services exploited this resource. When government funding was once again poured into military projects, Russian IT engineers made for enthusiastic recruits, and eventually private companies such as Vulkan were launched to fortify military and security research.
But unlike during the cold war, the new generation of engineers are not blinkered specialists trained to work with outdated Soviet technologies. They are well versed in western technology (Amezit would not be possible on exclusively Russian software), well educated and globally connected.
The leak shows that Vulkan’s engineers made a point of frequenting IT conferences around the world. Some of them have left Russia and found jobs in international companies, such as Siemens and Amazon.
Siemens declined to comment on individual employees but said it took such questions “very seriously”. Amazon said it implemented “strict controls”, adding that protecting customer data was its “top priority”.
If they have not already, other engineers working for state-sanctioned companies such as Vulkan may still decide to leave Russia, fearing mobilisation into the army for the war against Ukraine.
All of which poses difficult questions. Are some ex-Vulkan employees a security risk? Is it safe or ethical to employ a Russian engineer with a background in information security, which in Moscow often means working for a company such as Vulkan?
Even if an engineer leaves Russia and takes their immediate family with them, they will still have friends and relatives back home, which could make them vulnerable. On the other hand: is it wise, or even fair, to return IT engineers to Russia because of their former employment, given what would await them? The Kremlin, after all, views these engineers as pawns whose duty it is to help the Russian war effort.