The Russian invasion of Ukraine on February 24 set off a global onslaught in cyberspace that is overwhelmingly targeting Russian government infrastructure, private companies, and individual Russian citizens. While the Ukrainian Ministry of Digital Transformation has termed this onslaught to be the “world’s first cyber war,” a more appropriate term is “cyber chaos.” Amidst this ongoing chaos in cyberspace, one tactical element has been most prominently leveraged by pro-Ukraine and anti-Russia hacking groups: data dumps.
Data dumps and data leaks are generally used synonymously, but there can be stark differences between them. Leaks are usually defined as sensitive data that is unknowingly exposed, while dumps are large amounts of data transferred from one system or location to another. The aspect where they differ the most is information density. Leaks are typically information-rich because of the sensitivity of the data they include, while dumps are normally information-poor but large in size. Essentially this is comparable to a letter containing specific information and a truckload of household garbage.
The second aspect in which they can differ is the choice of dissemination. Data dumps are usually dumped into the public domain with few specifics about their origins, purpose, content, and to who they are addressed to. Data leaks, by contrast, typically contain context identifying the data’s origin, who found it, who it was reported to, and what it includes. Essentially, with leaks, there is relatively little heavy lifting and time investment needed to determine the informational content and value.
Data dumps and information leaks can both be utilized in the context of so-called hack and leak operations, which have been employed by intelligence agencies, hacktivists, and cybercriminals alike. In the context of the war in Ukraine, observers can broadly discern between three types of hack & leak operations: (1) hacking and dumping data—with data dumps ranging from a single document to terabytes (TB) of files; (2) hacking and dumping information – which is usually done by posting databases, personal identification information, usernames and passwords lists, credit card details, or internal chat protocols; and (3) hacking, dumping, and deleting data and information – which is a very difficult operation to assess from the outside, given that only the victim can verify whether anything was deleted from their systems. There is also a smaller fourth type of hack and leak operation emerging amidst the Ukraine war, namely, hacking, encrypting, deleting, and dumping data. This is even more difficult for an outsider to verify if the victim is unwilling to talk.
Hack & leak operations against Russian entities have emerged as one of the most misunderstood activities during the war in Ukraine. The sheer amount and frequency of data dumps and information leaks have culminated in a never-ending data flood that has overwhelmed journalists and analysts alike. Few are willing to spend their time wading through this ocean of data in the hopes of stumbling upon something interesting and meaningful. But not all data dumps are created equal. In fact, their quality, impact, and usefulness can differ depending on the source, size, type, structure, availability, and other factors that facilitate the data dump ecosystem.
In the current data flood environment, there are a handful of elemental questions that can help separate the wheat from the chaff. The most basic is determining where the data dump was hosted and how long it was accessible. The following three examples show how hackers have dumped Russian data during the war in Ukraine using specific hosting measures.
Within the new Anonymous community, the smallest popular group—measured by their activity and data dump sizes00is probably V0g3lSec. Their Twitter account identifies them as a Dutch hacking group from the Netherlands. Like many new Anonymous groups, V0g3lSec started hacking Russian-based entities shortly after the invasion began. Between March 2 and April 24, V0g3lSec posted ten data dumps. The largest one was 729 MB and consisted of 262 items allegedly exfiltrated from the Russian space agency Roscosmos. The dump was uploaded to the file-sharing host gofile.io but has since been taken down. V0g3lSec’s smallest information leak appears to have consisted of five tables that contained “usernames, names, emails & passwords (hashed) of different people” allegedly exfiltrated from the Russian Federal Center for Integrated Arctic Studies. This information leak was also uploaded on gofile and has also since been taken down. Finally, on May 22, 2022, V0g3lSec surprisingly disbanded, tweeting: “V0g3lSec [Disbanded]. Feb 27/2022 - May 22/2022. We hated ourselves due to western & russian propaganda.”
All in all, nine out of V0g3lSec's ten dumps and leaks were hosted on gofile, with the last utilizing the text storage site ghostbin.com. Think about ghostbin like a public .txt file with an expiration date ranging from ten minutes to indefinitely. The way V0g3lSec hosted its files illustrates a few things about the group. First, their dumps were not meant to be available for a long period of time. Access was measured in hours and days rather than weeks, months, or years. This might have been a conscious decision to facilitate targeted dump dissemination within a certain community or, more likely, the result of a lack of financial resources, time, internal coordination, and concerns about operational security.
Second, the decision to host their dumps on one particular file hosting site, speaks to a deliberate preference. For example, the Ukrainian data leak repository revenge.monster—which was stood up after the Russian invasion—explicitly noted that “if you want to support us and Ukraine, and you have some free time, then look for a database that is not on our website, upload it to gofile and upload it here, we will be very grateful!” To be clear, there is no known link between V0g3lSec and revenge[.]monster and as of this writing, none of V0g3lSec’s dumps are hosted on the site.
Different repositories, hacking groups, and individuals make deliberate choices where to host their dumps based on certain preferences and motives. This can be particularly pronounced in large groups where a specific data dump is exclusively held by one individual rather than every member of the group. Thus, when that member leaves the group, their data dump is unavailable to be reuploaded and might be gone forever. Overall, hacking groups are rarely bound by coherent structures but are often alliances of convenience, which can be reflected in their hosting preferences.
A counter-example to V0g3lSec’s hosting preferences would be a group like the Network Battalion 65 (NB65). NB65 is different from the new Anonymous space in terms of activity, drama, creativeness, outreach, size, and popularity. As of this writing, NB65 has roughly 210,000 followers on Twitter while V0g3lSec has a mere 5,400. On February 27, NB65 published its first data dump using the anonfiles.com file hosting service. The dump was 120 megabytes (MB) large and consisted of approximately 40,000 files allegedly obtained from the Nuclear Safety Institute of the Russian Academy of Sciences. A few hours after NB65 announced the dump, two non-NB65 members created mirror links, making the dump available on a New Zealand-based file host Mega and a Czech-based file sharing platform Uloz.to. As of this writing, both mirror links still work, but the dump on Anonfiles is gone. Several other dumps and leaks followed with NB65 using a variety of hosting options including Mega, pastebin, an onion site on the TOR network, and on one occasion even the U.S.-based volunteer privacy collective Riseup.net.
Starting in late March 2022, NB65 and other major new Anonymous groups began to form a relationship with Distributed Denial of Secrets (DDoSecrets). Officially, DDoSecrets is a journalistic non-profit organization whose “aim is to avoid political, corporate or personal leanings, to act as a beacon of available information. As a transparency collective, we don't support any cause, idea or message beyond ensuring that information is available to those who need it most—the people.” Unofficially, they have become the most prominent data dump host and aggregator platform for Anonymous groups targeting Russian companies and government agencies. DDoSecrets’ hosting service is particularly attractive because the dumps are located on several servers around the world and are being shared via the Torrent network. This means that the dumps can be very large in size, are always seeded, and are available to download for years. As of May 10, six NB65 data dumps with a combined size of approximately 2.4 terabytes (TB) are hosted by DDoSecrets. Uploading that much data on a file-sharing site like Mega or gofile would be extremely frustrating—particularly if the host deletes the dump every few days.
In contrast to V0g3lSec and NB65, groups active in the Russian and Ukrainian-speaking ecosystem are primarily sharing data dumps and information leaks via Telegram. Telegram has a maximum file upload size of 2 gigabytes (GB), and groups utilize it in combination with torrents and file sharing sites. For example, tevenge.monster has a Telegram channel but prefers to utilize it in combination with gofile uploads. It is important to note that many data dump and information leak aggregator channels on Telegram are essentially cybercriminal markets. Some dumps are shared for free while others can be partially viewed and purchased in full. For these groups, the hacktivist activities amidst the Ukraine war are mere background noise for a much larger ecosystem trading in stolen data and information. On Telegram, the dividing lines between hacktivism and cybercrime are almost non-existent.