SAN FRANCISCO — An investigation published early Monday on the eve of the US election details how Russia built one of the largest and most aggressive "cyberarmies" in the world.
As Russia’s cyberoperations have risen in global prominence (and notoriety), the independent Russian news site Meduza has detailed how Russia built its current cyberabilities. While US officials recently took the unprecedented step of accusing Russia of trying to influence the upcoming vote in the US by hacking and leaking emails in an effort to damage the campaign of Democratic presidential nominee Hillary Clinton, cybersecurity experts claim that Russia has been meddling in the affairs of European states for years. The report reveals a system in which Russia’s top political leadership is tasked with recruiting hackers and blackmailing criminals to do their bidding, all the while testing the limits of their cyberabilities on eastern European states before, ultimately, turning their attention to the US this year. BuzzFeed News was given an early look at the report, authored by journalist Daniil Turovsky, and is publishing some of its findings here. Meduza found that:
- Russia’s Ministry of Defense focused some of its earliest efforts on recruiting both from academic institutions and from hackers who may have arisen from the criminal underground.
- The teams were organized into groups known as “research squadrons,” many of which lay within various Russian ministries and military units.
- Some of Russia’s earliest cyberattacks were on nearby Baltic states, dating back to a dispute with Estonia in 2007 over the placement of a memorial statue.
- Public records show that at least one Russian institution purchased surveillance tools from the private Italian company Hacking Team, which sells products that allow governments to spy on their own citizens.
- Over time, the Russian government developed its own offensive cyberweapons, and also bought tools from cybersecurity companies that could be used for surveillance and espionage.
While the Russian government’s involvement in cyberoperations goes back decades, the Russian military’s involvement started with the appointment of Sergei Shoigu as defense minister on Nov. 6, 2012, according to the research laid out by the independent journalists who work at Meduza, a site based out of Latvia that employs some of Russia’s top reporters, who fled other outlets as they were taken over by Kremlin-friendly voices.
Shortly after taking office, Shoigu started making public statements about the need for a Russian cyberunit that could mirror those of the Cyber Command in the US, Meduza reports. But first, Shoigu needed to recruit. Half a year after taking office, in March 2013, he announced that he was leading a headhunt for young programmers.
"A headhunt in the positive meaning of the word; this need is preconditioned by the scope of software required by the Army in the next five years," Shoigu explained at a meeting with the heads of various engineering colleges and information security departments, Meduza reports.
Cyberwarfare quickly became a central block in Russia's increasingly aggressive foreign policy, with senior Russian politicians at the heart of recruiting and structuring the cyberunits. In 2013, Dmitry Rogozin, then a deputy prime minister, took control of supervising the recruitment for the new cyberunits, saying the move “stems from the necessity to ensure information security of the national infrastructure." In addition to defense, he said the units would also “fight cyberthreats” and undergo linguistic training to make them fluent in English.
Around the start of 2014, the defense ministry created the Center of Special Studies, and began hiring personnel through headhunting sites and the webpages of engineering universities, according to Meduza. They called for expertise in the analysis of exploits (software used for cyberattacks) and reverse-engineering skills (analysis of the mechanisms behind the features of a software product with the aim of replicating them). The employees were granted a high security clearance and a salary of up to 120,000 rubles (about $1,900), according to the Meduza report.
"It would be fairly naive to presume that Russia had not addressed the issue of its presence in cyberspace prior to 2014," Alexander Gostev, a leading anti-malware expert at Kaspersky Lab, a Moscow-based cybersecurity company, told Meduza. "Most likely, they need additional input from outside to perform such work, and this is why the format of a 'research squadron' was chosen."
As it recruited, the defense ministry also created “research squadrons” embedded within military units across Russia, and increasingly looked toward hiring hackers, Meduza reports. Dmitri Alperovitch, a researcher at CrowdStrike, a US-based cybersecurity company, said that there was a history of forcing hackers to work for the government to avoid imprisonment.
"Soon after a bright individual emerges in the Russian digital underground, a criminal case is filed against him, after which he simply disappears," he said. What happened to the hackers once they had finished their contracts with the government, or how their code could be repurposed by other governments or criminal groups, was unclear, Alperovitch said.
The defense ministry ran ads on VKontakte, Russia’s version of Facebook, which certainly spoke to a sense of adventure and danger. In one, a man reloads a machine gun and places it on a table beside his laptop, then begins writing lines of code. To the accompaniment of old-fashioned hard-rock music, a caption emerges in the picture: "Research Squadron of the Russian Federation." The video was posted to VKontakte in July 2015. Meanwhile, Army Today, a news site focused on Russia’s defense ministry, compared the work of research squadrons to James Bond movies: "In one of the recent movies, a digital genius Q hands a small briefcase to the agent, saying: 'I can do more damage on my laptop sitting in my pajamas before my first cup of Earl Grey than you can do in a year in the field.' That is the kind of specialists they aspire to train in Russian cyberforces."
The report also looks at the role of the Kvant Research Institute, which Meduza shows has purchased tools that have been used by governments to spy on citizens. Meduza uses public records to show that between 2012 and 2014, Hacking Team, an Italian surveillance and cybersecurity company known for software that can remotely hack into and take over cell phones and computers, was paid 451,000 euros ($499,708) on behalf of Kvant Research Institute.
In 2008, the institute, a leading research center, fell under the leadership of Georgy Babakin, a former agent in the FSB, the main successor agency to the KGB, Meduza reports. Under him, Kvant began working under the umbrella of the FSB, according to the report.
Citing Hacking Team emails leaked on WikiLeaks, Meduza’s report outlines how on April 2, 2011, Babakin got an email from Marco Bettini, a Hacking Team employee. Hacking Team gained global notoriety when it was discovered to be selling software to countries around the world that allowed governments to hack into the cell phones and computers of whomever they wished to spy on. Bettini pitched Babakin one of those programs, known as the Remote Control System, promising that it could track all activities on an infected device, take screenshots, access the web camera and the microphone, intercept correspondence in messenger and email clients, and keep record of what keys were pressed by the owner of the computer or the smartphone.
Citing the emails, Meduza reports that Bettini appears to have visited Moscow. In an internal company email, Bettini wrote that the FSB “gave us a warm welcome and asked a lot of questions about the program's features. Their questions implied that, in spite of having an experience of authorized hacking, they don't have the means of infecting mobile devices and Mac computers.”
Russia's conflicts with other countries have, since 2007, coincided with cyberattacks on those nations, wrote Meduza.
One of the earliest known cases occurred in Estonia in the spring of 2007, during what turned into a huge row over the Estonian government’s desire to relocate a memorial to Soviet soldiers who died in WWII from the center of the city. Hackers hit the websites of the country's president, its prime minister, state institutions, and banks with a DDoS attack that brought the pages down for several weeks. They posted apologies that they wanted read by Estonia’s prime minister, and promises to move the memorial back to its original location. Konstantin Goloskokov, a member of the Kremlin youth group Nashi, took credit for organizing the attacks. (He refused to respond to Meduza's requests for comment.)
The attacks on Estonia laid the groundwork for the type of online assaults that Russian hackers would launch during the war with Georgia the following year, and by December 2015 Russian cyberattacks were taking down a power grid, which led to a short-term blackout in the Ivano-Frankivsk region of Ukraine.
Which brings us to 2016 in the United States, where a Russian group known as Fancy Bear has been accused of attempting to interfere in the US election by hacking into the email accounts of the Democratic National Convention (DNC), and Democratic presidential candidate Hillary Clinton’s top aides. Many of those emails were made public, via WikiLeaks and other websites, in what US officials have described as a clear attempt to influence the US elections.
Ilya Sachkov, a cybersecurity expert with Group-IB, a company focused on Russian cybercrime, told Meduza that a global "cyberwar is being waged."
"Normally, when [hacker] groups realize they have been tracked, they change the structure of [their attacks] completely. Fancy Bear have performed a number of high-resonance hacks, but it doesn't take a genius to see the connection between these attacks, as they've been following the same algorithm," says Sachkov. "They are either idiots or have no fear."
"Does that mean they are confident of their impunity?"
Read the Meduza report (in Russian) here.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F