Hacktivists Are Sharing Russian State Secrets With the World

The war in Ukraine has put Russia in the crosshairs of hacktivists and relentlessly exposed failures by its government and companies to secure confidential and proprietary data.

The war in Ukraine has spurred a dramatic rise in hacktivism, or hacking by private individuals for a socially or politically motivated purpose, as groups mobilize to support their side in the conflict. Hacktivists have targeted Russian networks—in some cases coordinated by Ukrainian government officials through Telegram and other social media networks—and in other cases, they have acted without outside direction. Hackers have launched wiper attacks against Russian companies, which seek to overwrite critical data and thus render computers unusable, as well as distributed denial of service (DDoS) attacks, which aim to flood a network or website with so much traffic that it cannot function properly. Even ransomware gangs have gotten in on the action, with one group, NB65, using stolen Russian ransomware source code to encrypt data on Russian networks and demand payment for a decryption key. Ukraine has leveraged a groundswell of international support to create formidable offensive cyber capabilities virtually overnight.

Perhaps the most consequential hacks that Ukraine has encouraged are the leaks of huge amounts of data from Russian companies and government agencies. The data gathered and stolen by the Ukrainian government and friendly hacktivists will play a role in providing evidence of Russian war crimes and help identify those who perpetrated them. The leaks will also provide insights into the history and decisions of Russian government agencies and companies, subjects that were previously hidden from outside view.

Private groups have played a large role in stealing and leaking data. Anonymous, a loose cabal of hackers that has cropped up to support major social movements in the past, “declared cyberwar” against the Russian Federation in the aftermath of the invasion of Ukraine, and affiliated groups have begun an enormous hack and leak campaign. Anonymous and other pro-Ukraine groups have stolen and released at least six terabytes of data on the site DDoSecrets from sources such as Roskomnadzor, the Russian government agency responsible for censoring mass media, the Russian Ministry of Culture, and several of Russia’s largest oil and gas companies. For comparison, the documents and videos leaked by Chelsea Manning to WikiLeaks in 2010 were less than five gigabytes. The amount of information coming out of Russia, and the breadth of sources it comes from, is unprecedented and will likely take years to properly sort through and understand. There are no indications that the pace of the hacking is slowing. As the conflict drags on, the amount of data leaked will only increase.

Ukrainian authorities have taken part in the data dumps as well. Ukraine’s main spy agency published a list of 622 individuals it claimed were agents of the Russian Federal Security Service (FSB), although the data set may have been constructed from previously available open-source data. The government also released the personal information of over 1,600 Russian soldiers it claimed served in the Ukrainian town of Bucha, the site of civilian massacres. The government’s efforts have largely been focused on exposing the names and personal information of Russian soldiers and operatives. These leaks will have immediate effects and could be valuable for open-source intelligence organizations, which have played a prominent role in documenting Russia’s invasion of Ukraine. However, their effectiveness will likely be limited to exposing Russian agents in European countries and identifying Russian troops.

Other major hack and leak campaigns may provide some insight into what impact the Ukraine-Russia operations might have. The January 6 Capitol attack and its aftermath represent a recent example of how data leaks can play a role in shaping public opinion and aiding investigators after a crisis. One week after January 6, an Austrian hacker posted data he had scraped from the social network site Parler, a venue for many far-right activists. The leak included geolocation data for several people who attended the rally and showed that some had posted from within the Capitol building itself. Epik, a web services provider for many far-right websites, was hit by a similar hack and leak campaign in September 2021 when Anonymous made over 180 gigabytes of data on Epik’s customers public, including email addresses, names, and phone numbers. The leaks unmasked the owners of numerous racist sites, led companies to fire some of the individuals who were exposed, and provided a major boost to extremism researchers, who used the data to map networks of extremist activity. While we have yet to hear of similar ramifications regarding the data leaked from Russia, the aftermath of the January 6 Capitol attack demonstrates how leaked information can prove invaluable to investigators.

There are notable differences between the data leaks in the wake of January 6 and the current campaign targeting Russia. Social pressures in the United States increased the impact of the far-right data leaks, as individuals could expect to be punished for participating in the Capitol attack or for hosting a racist website. A similar dynamic does not exist under the current Russian regime. The 1,600 soldiers who served in Bucha will not face consequences unless they leave Russia or are captured by Ukrainian forces.

Instead of thinking only of the role leaks play in prosecuting individuals, we should also consider another important purpose of the data. The West has long had an opaque understanding of Putin’s government and its decision-making processes. That will change, however, as researchers sift through the enormous amount of government data included in the leaks. Researchers and government officials now have access to a buffet of data, including internal emails, memoranda, and schematics from all corners of the Russian economy. The 817 gigabytes of data stolen from Roskomnadzor, the main censor in Russia, and another 446 gigabytes taken from the Russian Ministry of Culture, will be especially valuable tools in the years to come. The Roskomnadzor data could have ramifications for some Western technology companies, many of which have wrangled with the agency for years over operating conditions and censorship in Russia.

Moscow’s invasion of Ukraine has put Russia in the crosshairs of hacktivists and relentlessly exposed failures by its government and companies to secure confidential and proprietary data. The amount of data flowing out of Russia is unprecedented, and the number of leaks only appears to be accelerating, with seven leaks taking place in March and over twenty in April. It will take years for the impact of this hack and leak campaign to become clear, but the stories and information gleaned from the stolen information will reverberate long after the war in Ukraine has ended.

Kyle Fendorf is the research associate for the Digital and Cyberspace Policy program at the Council on Foreign Relations.