The recent Russian parliamentary and presidential elections were notable for the wide use of cyber attacks on the websites of the liberal media, as well as opposition hackers accessing officials’ intranet email exchanges. But was this a question of large-scale collusion between the Kremlin and professional hackers, or an altogether more amateur effort by political activists? In the latest article in their ‘Project ID’ series, Irina Borogan and Andrei Soldatov investigate the destructive forces targeting the Russian internet.
4th December 2011, the date of the Russian parliamentary election, was a difficult day for the system administrators of many liberal internet sites. DDoS (distributed denial of service) attacks shut down access to the websites of the radio station ‘Ekho Moskvy’ [‘Echo of Moscow’], the ‘New Times’ and ‘Bolshoi Gorod’ [‘The Big City’] magazines, the election monitoring organisation ‘Golos’ and the business news and blogging site Slon.Ru. Our own site, ‘Agentura.Ru’, was also one of the sites attacked.
‘The attack began at about 7.30 on Sunday morning’, Vadim Petrov, Slon.Ru’s technical manager, told us, ‘but it was about nine o’clock before we reacted to it. At first we tried to solve the problem ourselves, by getting our hosting provider to cut off foreign internet addresses trying to access the site. This fixed the problem for a short time, but then the volume of traffic increased and there was a change in the behaviour of the bots, and the server went down again. We spent about an hour matching our site with the ‘Qrator’ protection system, and then we switched to their servers.’
‘Hackers who had grown up in post-Soviet Russia had earned a reputation of being among the most active and dangerous cybercriminals in the world.’
After Slon.Ru, ‘Bolshoi Gorod’, the ‘Dozhd’ TV channel, ‘Ekho Moskvy’, and ‘Golos’ all switched to Qrator’s servers. According to the report by Highloadlab, owners of the service, the active attack phase continued into the evening of 4th December. Slon.Ru alone was bombarded by 200,000 to 250,000 bots, mostly from India and Pakistan. In other words, someone used a botnet, a network of ‘zombie’ computers, to send a high volume of fake requests to the targeted sites with the aim of producing a server overload, which would then cause the site to crash.
By the next day, the active phase of most of the attacks was over, although in certain cases (that of ‘Ekho Moskvy’, for example) it switched to a ‘state of anticipation’: about 100 bots attempted to send ‘difficult’ requests to the server, to catch the moment when the site would start to fail and possibly emerge from its protected state.
It took two months for things to return to normal. ‘The DDoS attack finally stopped about the end of January,’ Vadim Petrov explained. ‘Incoming traffic fell gradually from 200 megabits to 20-25 by the end of the attack. Our normal volume of traffic is 1-5 megabits.’
It looked as though everyone’s worst fears had been confirmed, that the Kremlin would be able to use the hacker community to organise attacks on independent media sites and the opposition, not to mention the web resources of countries considered unfriendly by Moscow. These fears seemed to have been well-founded. Hackers who had grown up in post-Soviet Russia had earned a reputation of being among the most active and dangerous cybercriminals in the world. At the same time Russian technical universities, the main suppliers of computer programmers, hackers included, had become a base for ‘patriotic’ minded young people. Many budding Russian IT specialists were angry with the changes of the 1990s, which brought with them, among other things, cutbacks in the defence industry – the main employer of the Soviet technical intelligentsia.
It is also worth remembering that in the Cold War years Soviet intelligences agencies were on a more or less equal footing with the two most powerful centres of electronic intelligence gathering in the world, the USA’s National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ).
Analysts warned that this combination of factors looked pretty worrying, and cited the example of China. In the words of the eminent cyber security expert Mikko Hypponen, ‘Hackers in the post-Soviet space are pretty patriotically minded, and this is even more true of Chinese patriotic hackers, who are happy to attack the West if they think it will help their country.’
Early cyber crime
In February 2002 students from Tomsk University conducted a cyber attack on the ‘Kavkaz-tsentr’ site, which supported the Chechen rebels, and the local FSB refused to prosecute them, calling the attack ‘an expression of a civil position that is worthy of respect’.
In 2007 foreign government sites were subjected to attacks for the first time. Estonia had angered the Kremlin by removing the so-called Monument to the Liberators of Tallinn, which featured a bronze soldier in Red Army uniform, from the centre of the city. And on 27th April Russian hackers carried out a series of attacks on Estonian governmental, parliamentary, ministerial, newspaper and TV and radio sites.
'In March 2009 Konstantin Goloskokov, a ‘commissar’ in the pro-Kremlin youth movement ‘Nashi’ admitted responsibility for the attack in an interview with the Financial Times. ‘I would not call it a cyber attack;’ he said, ‘it was cyber defence. We taught the Estonian regime a lesson.’
The Estonian Minister of Foreign Affairs Urmas Paet accused the Kremlin of being behind the attacks, Russia denied any involvement in the affair, and as a result Estonia requested and received NATO help with countermeasures to this new form of aggression. Estonia was unable to present any proof of the Russian authorities’ complicity, however in March 2009 Konstantin Goloskokov, a ‘commissar’ in the pro-Kremlin youth movement ‘Nashi’ admitted responsibility for the attack in an interview with the Financial Times. ‘I would not call it a cyber attack;’ he said, ‘it was cyber defence. We taught the Estonian regime a lesson.’
After Estonia came Lithuania. In 2008 this former Soviet republic antagonised the Kremlin when its parliament voted to ban the public display of both Nazi and Soviet symbols. This triggered an immediate massive cyber attack: on 30th June the Lithuanian telecommunications service reported an attack by hackers on 300 websites, where they had pasted Soviet red flags and anti-Lithuanian slogans.
In August 2008, the war between Georgia and South Ossetia triggered a cyber attack on Georgia’s internet infrastructure. At the same time a number of groups appeared, among them ‘Civil Anti-terror’ (www.anticenter.org) and ‘Internet Underground Community vs. Terrorism’ (www.peace4peace.com), whose aim was to mobilise web users against sites that supported the Chechen rebels, and who suggested using DoS attacks to do this. In 2007 we noticed the National Anti-Terrorist Committee, whose chair is the head of the FSB, taking an interest in the patriotic hackers of ‘Civil Anti-terror’ and trying to contact them, seeing them as potential allies.
‘While most of his gang busied themselves with trolling on liberal sites, posting inflammatory messages to disrupt discussions, Hell was hacking into opposition leaders’ email accounts – most famously, those of Aleksey Navalny and his wife.’
The same year saw the emergence of a figure known as ‘Hacker Hell’ as the main scourge of liberals on the Russian Internet. A group of supporters attached themselves to him on the ‘Live Journal’ blog site, calling themselves sometimes ‘the Hell Brigade’, sometimes ‘the Hell Party’, and then settling on ‘the FSB Brigade for the Strangulation of Democracy’ (http://fsb-brigada.livejournal.com/ ). While most of his gang busied themselves with trolling on liberal sites, posting inflammatory messages to disrupt discussions, Hell was hacking into opposition leaders’ email accounts – most famously, those of Aleksey Navalny and his wife in October 2011. Among his other victims were the blogger Andrey Malgin, an exposer of corrupt officials, and ex-MP Viktor Alksnis, who led the campaign against the illegal sell-off of public land in the trendy residential Moscow district of Rublyovka. And in January 2012, when opposition hackers accessed the email account of the Nashi press officer Kristina Potupchik, it turned out that the Kremlin’s youth movement was planning a DDoS attack on the Kommersant newspaper’s website.
Who are the hackers?
The question has always been: is this campaign the work of ‘real’, expert hackers, or of activists mobilised by the Kremlin?
Vladimir Pribylovsky, who runs the opposition website http://www.anticompromat.org/ and is also president of the ‘Panorama’ Information and Research Centre think tank, was himself a few years ago a victim of Hacker Hell, who hacked not only into Pribylovsky’s ‘Live Journal’, but also into his daughter’s Facebook page. We met Pribylovsky in a Moscow café, where the former dissident, translator of Animal Farm and leader of a party with the exotic name of ‘Subtropical Russia’, told us that he has no illusions about Hell’s hacking qualifications. ‘No, they aren’t real hackers. Hell can’t create programmes; he is engaged in social engineering, asking questions for mugs like me to answer. For example, you get a fake dialogue box, ostensibly from Google, telling you that you urgently need to change your password. So you type in your password and then they use it to get into your account – classic phishing. My password (for email, Live Journal, everything) used to be the number of my internal ID document. Then after the first time I got hacked, I changed it to the number of my international passport. A year later he worked it out and got me again. And there are still people who use ‘12345’ as their password.’
‘Hell can’t create programmes; he is engaged in social engineering, asking questions for mugs like me to answer. For example, you get a fake dialogue box, ostensibly from Google, telling you that you urgently need to change your password. So you type in your password and then they use it to get into your account – classic phishing.’ (Vladimir Pribylovsky)
Our contacts in the hacking community agree about Hell: ‘This is someone who knows how to work with archives and documents (that’s his day job); he can search out and analyse information. But technically he’s not a hacker, and all his hacks are based on guessing the answers to security questions on ‘old’ post boxes and social networks accounts.‘
We also have the impression that the relationship between the hackers and the security services are not working out very well for the latter, and this has been confirmed by what has happened to the ‘anti-terrorist’ sites. According to our sources, the idea of attacking rebel sites did not appeal to cyber criminals: ‘After the anti-terror sites started getting a lot of publicity, which was mostly the work of a well-known character who goes by the username ‘SEVERA’, rumours started going around the hacker-criminal community about him having links with the FSB, and this didn’t go down well, especially as he was a member of closed, ’secret’ credit card fraud forums like VN – VendorsName, which are not open to just anybody.’
‘SEVERA’s attempts to publicise his antiterrorist initiatives on closed forums have linked his name firmly with the security services and alienated other hackers, who have been put off from taking part in these initiatives.’
The St Petersburg hacker SEVERA (whose real name is thought to be Pyotr Levashov) is one of the best known kings of spam, whose activities have earned him a place of honour on the database of Spamhaus, an international organisation that fights spam and phishing. He owes his great popularity to the clever fake antivirus programmes he disseminated to scale up his botnet, and which he then used to spread spam. He’s been known in computer circles since the end of the 90s, and many hackers suspect that the extent of his operations and incredible luck in his relations with the authorities can be put down to collaboration with the FSB. SEVERA’s attempts to publicise his antiterrorist initiatives on closed forums have linked his name firmly with the security services and alienated other hackers, who have been put off from taking part in these initiatives. Both ‘Civil Anti-terror’ and ‘Internet Underground Community vs. Terrorism’ are inactive at present. The number of politically inspired DDoS attacks, however, continues to rise, although when the hacker community is involved with them it is in an unexpected fashion.
DDoS attacks as business
The St Petersburg hacker Andrei, username Sporaw, rose to fame in the early 2000s, when he gave comments on the hacking community in Russia for the BBC and the newspaper ‘Vedemosti’. Sporaw is very critical of the liberal opposition and western values: his website’s home page shows the state emblem of the USSR on a red background, with the caption ‘The country which does not exist’.
At the TED (http://www.ted.com/pages/about) Global conference in Edinburgh in June 2011, Mikko Hypponen referred to Sporaw as a Russian hacker whom he recognised by his signature in the body of his ‘exploit’ (a programme that takes advantage of software vulnerability). This signature contained the number of Sporaw’s car, a black Mercedes S600, which Hypponen had learned from a photo of the car on the hacker’s ‘Live Journal’ page. And at the end of January 2012 the well known blogger Anton Nossik accused Sporaw of hacking into Aleksey Navalny’s email account (for which ‘Hacker Hell’ later admitted responsibility) and of working for Kremlin spin doctors, on the grounds that Sporaw argued for the authenticity of the intercepted Navalny’s emails.
In correspondence with us, Sporaw denied categorically that he had been involved in hacking into Navalny’s emails, although he admitted that he was a close follower of online political debate. We went on to discuss his views on the 4th December DDoS attacks, and asked what resources he thought the attackers would have needed to carry them out:
‘There are two alternatives. One is people, loads of people. And most of them wouldn’t even need to be particularly technically competent - just a huge number of people with a few techies in amongst them. In general the attacks came from imageboard forums such as ‘4chan’, ‘2ch[annel]’ and the Russian analogue ‘2ch.so’. Their DDoS attacks were on the level of “download this script and send it every computer you can access – at home, at work.” And what you would then get was something primitive, like a site being subjected to constant bombardment by a ping flood (http://en.wikipedia.org/wiki/Ping). That’s what they did in Estonia and Georgia.
To understand how dumb these hackers are, you need only look at the tool they use – the DDoS - LOIC (Low Orbit Ion Cannon). That means that people have access to a ‘handy programme’ that allows them to create DoS (denial of service) attacks (specifically DoS – not DDoS (distributed denial of service) attacks. The DDoS is dependent on the enormous number of people involved.
‘You can find lots of techies on open source forums like ‘antichat’, ‘damagelab’, ‘xaker.ru’, ‘xakery.ru’. Anyone who wants to create a DDoS just has to go to these public sites to get help – ‘Nashi’ members, ‘Navalny’s Army’, anyone.’ (St Petersburg hacker ‘Sporaw’)
Attacks like this are coordinated through internet chat sites, forums and imageboards. The more people involved, the more ‘effective’ the attack. The downside is obvious: most of those people are not technically literate and launch the attack from their own internet address.’
‘So what is the second alternative? ‘, we asked Sporaw.
‘The other alternative is a DDoS using botnets, of which there are two types. Botnets of the first type are very simple and usually very small, consisting of 1000-5000 active systems; the second are professional botnets whose bots are measured in tens and hundreds of thousands, the so-called ‘million-bots’. The first type are usually the work of ‘schoolkids’ – barely competent people who create botnets using other peoples’ technical knowledge. You can find lots of techies on open source forums like ‘antichat’, ‘damagelab’, ‘xaker.ru’, ‘xakery.ru’. Anyone who wants to create a DDoS just has to go to these public sites to get help – ‘Nashi’ members, ‘Navalny’s Army’, anyone. The second type of botnet, on the other hand, is not usually set up specifically for a DDoS, but a DDoS can be a spinoff.’
How many people does Sporaw think might be involved in this?
‘In simple botnets, usually just one person, the botnet’s owner – if you don’t count the help from the forums, where you can find, for example, an author of stolen or bought malware; a service to disable anti-viruses; a setting up service; an exploit service; traffic exchanges etc.. Botnets of the second type usually involve a team of two to five people – an owner or owners responsible for revenue generation, infrastructure organisation and strategic management; coders, database and web part developers, testers, support and admin people (often outsourced).‘
‘You can in fact just buy them. You go on the internet and type “I want to buy a botnet.” And there they are, for sale – complete or in part; you can also rent one if you prefer.’ (IT expert Stanislav Shevchenko)
Stanislav Shevchenko, who for 11 years was deputy head of KasperskyLab’s innovation department (he left the company in autumn 2011), agrees with most of Sporaw’s analysis. He believes that botnets are not created to order for political purposes, they are made for long term, repeated use, where DDoS attacks are just one option.
‘You can in fact just buy them. You go on the internet and type “I want to buy a botnet.” And there they are, for sale – complete or in part; you can also rent one if you prefer.’
So how many botnets does Shevchenko believe there are on the net – millions?
‘We are talking here about serious botnets, that are powerful enough to affect serious websites. To take down online newspaper ‘Gazeta.Ru’, for example, you would need a botnet of hundreds of thousands of computers. But there are certainly not millions of botnets of this size. Perhaps a few dozen.’
At the peak of political hacking in 2011-2012, two types of cyber attack predominated - DDoS attacks and email hacking, and these were used by both pro-Kremlin cyber activists and the opposition. In response to hackers’ attacks on the emails of Navalny and of Grigory Melkonyanetz, one of the heads of ‘Golos’, opposition hackers broke into the email account of Kristina Potupchik, the press officer of ‘Nashi’. After the DDoS attacks on liberal media sites on the day of the parliamentary elections, the Central Election Committee sites ‘webvybory2012.ru’ and ‘cikrf.ru’ were attacked on the day of the presidential election.
The ‘Anonymous’ movement has admitted responsibility for hacking the email of Kremlin youth movement functionaries in January 2012. Interestingly enough, the tactics used by this group’s Russian branch are very different from those used in other countries. In the West, ‘Anonymous’ attacks sites belonging to the CIA and the UK’s Home Office, but in Russia they didn’t try to hack into government or other official sites, but merely individuals’ email accounts. We asked Russian ‘Anonymous’ activists to explain this difference in tactics.
‘We have completely different aims - the problems we face in Russia are not the same as those in the West. It’s horses for courses. At that particular moment there was a general feeling among people like us that we needed to get hold of genuine internal correspondence between officials connected with government websites. There was no other particular reason for choosing those targets.’
We suggested that there seemed to be very few actual expert hackers involved in the political cyberspace battle in Russia, on either the Kremlin or the opposition sides, and that it appeared to be more like a battle between opposing political activists. Did they agree?
‘You’re right, there are not that many expert hackers. The Kremlin doesn’t need them because it has other means of extracting information (you remember when the head of ‘Golos’ had his notebook seized)? There’s no one the government needs hackers to attack – they don’t have any specific use for them. And we also don’t have any particular need for serious hacking at present or in the near future. Why do we need access to government sites and documents, when the most serious crimes are being committed by government officials in a pseudo-private capacity?
That’s one half of the answer. The other is that there is a wide variation in the skills our members bring to the movement. One person is only able to press a key on ‘putinvzrivaetdoma.org’ to start a DDoS attack, another can hack into someone’s emails by working out their password, a third is able to hack into a site. Naturally, there are a lot more people at the first level than the third and the actions of the people at the first level could indeed be described as a battle of activists.’
So despite the increasing number of cyber attacks on the Russian political internet, the people behind them are usually activists, rather than professional hackers. For Russian cyber criminals hacking remains first and foremost a business: they will take political orders, but only on a commercial basis, and even then they prefer to work not for the security services, but for Kremlin youth organisations, since this work brings them huge profits without any risk of losing their anonymity.