Who is Hacking Russians?

May 12, 2016
Image by Reuters

Who is Hacking the Russian Opposition and State Media Officials — and How?

In recent
weeks, public figures from both the Russian opposition as well as the Russia state and
pro-Kremlin media have been attacked by hackers who spilled their private
communications out to social media or paralyzed their sites. Dmitry Kisilyev,
the Kremlin’s chief propagandist and head of the state holding company Rossiya
Segodnya [Russia Today] who hosts the program Vesti [News], found
his private e-mail and Whatsapp messages on the pages of a blog
run by a
Russian hacking collective called Shaltay-Boltay (@b0ltai), the Russian expression for “Humpty

The hackers,
also known sometimes as Anonymous International, published a provocative selection of messages from Kisilyev and his
wife that revealed, among other things that he had bought an expensive
apartment worth $2.5 million and she had bought herself a dissertation. More – some 11
gigabytes’ worth – was promised to the highest bidders at a related auction
site  where the opening bid was set at 33 BitCoin (BTC) which was worth some
. Two days remain before the bid closes with the highest offer currently only at 38 BTC ($17,146). 

opposition activists, Georgy Alburov, a staff member of Navalny’s
Anti-Corruption Fund (FBK), and Oleg Kozlovsky, an opposition blogger, were also
and their messages on the popular messaging app Telegram were accessed.
They mounted vocal protests on social media, and Alburov called on the readers
of his Facebook and Twitter feeds to boycott the Russian phone company MTS. Alburov
blamed MTS for caving to the demand of the Federal Security Service (FSB) to
send a fake authorization code to access his Telegram messages. Even the state media covered his complaints, and MTS lost share value, possibly related to his boycott.

A third
victim of hacking was the pro-Kremlin ANNA News, which covers wars in Ukraine,
Syria and elsewhere; a Ukrainian hackers’ group uploaded a YouTube in which
they claimed to have demolished the ANNA site and all its files and even its
back-ups. ANNA was down for several days but is now working again.

Devastation for the Opposition 

Last month,
two other opposition leaders, Mikhail Kasyanov, chair of the Parnas party, and
Natalya Pelevina, a member of Parnas’ federal council, were both videotaped
having an affair and their web site and personal Whatsapp
messages hacked.
The state NTV ran a vicious expose of Kasyanov and his
colleagues, “Kasyan’s Day.” Their privacy in ruins, the Parnas members had to face their
colleagues, led by deputy Parnas chair Ilya Yasin, who demanded that Kasyanov step down from the party’s top spot on
the list for the elections or run in the primaries to see if voters would
continue to support him. He refused to do so, believing he should not cave to
the secret police in an engineered humiliation. Pelevina stepped down from the
federal council, but announced she would run in the elections.

continued his campaign but the scandal triggered the break-up of the opposition’s
carefully-constructed Democratic Coalition
; by that time Navalny demanded that Kasyanov face the primaries, as did other members. Navalny’s
group then left the coalition and are now in talks with Yabloko, a
non-parliamentary party subsidized like all recognized parties by the government.
Navalny is unfased by his own hacks – they have grown routine for him.

All of these
exposes occurred at the same time and involved the same apps – is it possible
that the same forces are behind them? It seems unlikely, given that not only
the mode of hacking appears to be different, the range is wide, from a figure
like Kiselyev trusted by the Kremlin with their main messaging tasks and a
critic like Kasyanov who was vilified on state TV to ANNA, which publishes
videos that go further even than Russian state TV in promoting the “Novorossiya”
movement of pro-Russian separatists in Ukraine and Assad’s forces in Syria.

Hackers’ Agenda 

It’s also hard to
know the true agenda of the most infamous hackers, Shaltay-Boltay, because in
the past their hacks have seemed to be less about criticizing President
Vladimir Putin or the oppression of the Russian government system than they
appear to be about possibly one faction in the Kremlin fighting against
another. Perhaps such factions used hired hackers or perhaps there are forces
within or around the FSB and its technical experts interested in curbing not
just the anti-Kremlin opposition but extremism in the Kremlin itself which
ultimately hurts Russia’s image, as Kiselyev does with his notorious
provocations such as the threat to “reduce America to nuclear ash” or “burn the
hearts of gays.”

In the past,
when Boltay leaked the correspondence of Timur Prokopenko, the head of information policy for the Kremlin after he left his job, and other officials, the point of the disclosure seemed to be that — shock – such officials give
orders to a supine state press about how to cover the opposition
 and even try to pressure the independent press. The main scandal of the hack was evidence that the Kremlin supported Marine Le Pen’s far-right Front National in France, more of an embarrassment for a Western country than the Kremlin. Blogger Oleg Kashin commented that Boltay seemed to blame journalists who caved to censorship more than the censors themselves.

raised the question
of whether the Boltay hackers were related to the
Kremlin’s “grey cardinal” Vladislav Surkov because a target of one hack was Vyacheslav Volodin, Surkov’s rival who replaced him in a position at the Kremlin. Boltay denies that they are related to government officials, however and claim they
don’t share Surkov’s views – even if the sharing of his methods continue to
raise eyebrows.

leaked about Kiselyev so far seems so shocking – with so much corruption in
Russia, even even more disclosed by the Panama Papers recently regarding Putin’s
closest associates, Kiselyev’s fancy apartment seems almost like a footnote; so many
officials plagiarize or buy their dissertations that an entire industry has
sprung up in Russia exposing it, and Kiselyev’s wife is in a throng of

The auction
could be a sign that the hackers really are unrelated to the government and
need funds to survive – or be a red herring.

The larger
issues not only for Russians but those in the West is whether Telegram and
Whatsapp have been compromised given their wide popularity in Russia, especially for circumventing the censor. Both purport to provide a chat service encrypted
“end-to-end” so that not even the company’s technicians can break into your communications.
The recent debacle with the FBI seeking a court order to force Apple to open up
a terrorists’ phone seemed indicative of a new era of invincible encryption
where governments, whether benign ones chasing terrorists with a warrant, or
malign ones trying to thwart and expose critics, won’t be able to get at their
private chat.

Mobile Phone Operations Cooperation with Intelligence 

But as both
Alburov and Kozlovsky indicated, and Pavel Durov, founder of Telegram, explained, the hack was achieved not by breaking encryption but by obtaining
unauthorized access to the device itself through a forced demand for an access
code – the notification of which never reached the activists because the SMS system
itself was turned off for a time. This would require cooperation with the
Russian cell phone company MTS which is why Alburov is so mad and calling for a
mass exodus from this company.

Durov said flatly that the Russian secret police
were involved in this hack, and that Alburov should have used two-factor authentication
(2FA) and “secret chats,” a feature of Telegram with encryption in the cloud.
These are not the default options, as critics have pointed out, but require user
education; Durov has responded by doing an email blast to his users urging them
to turn on 2FA and a feature called “secret chats” but also noted that he himself doesn’t use
Russian-manufactured sim cards – because of the additional problem of the FSB
obtaining duplicate sim cards to use to hack targets.

Zdolnikov, a technical specialist for FBK who works at Newscaster, reviewed the issue and concurred
with Kozlovsky that the hack was achieved by first suspending SMS notices then
generating a code to access the same account from another device.

could tell his phone had been hacked after the SMS were turned back on because
he got an automatic message from the company “We detected a login into your
account from a new device…If this wasn’t you, you can go to settings — privacy
and security — sessions and terminate that session.”

investigator journalist Roman Anin said last year that his email was
hacked through the FSB’s duplication of his sim card — which the intelligence
officers could only obtain by compliant cell phone operators willing to provide
one. In Anin’s case, unknown persons called the company pretending to be his
friend and asked to help Amin restore his supposedly lost sim card; they cited
Anin’s passport information to obtain it, then hacked into his Google account
through SMS. Anin believes they also used the circumvention software program Tor to hide their tracks; a notice
from Google showing the break-in has an IP address in Germany and then a second
one from Switzerland that was in fact blocked as suspicious.

MTS denied at
the time that they had helped enabled Amin’s hack because they said a courier would
have had to demand not only passport information but a power of attorney from
the subscriber to obtain another sim card and promised to investigate the situation.

Russian Intelligence Monitoring of Communications 

on the recent opposition hacks in a post titled “Durov ‘Forgot’ About Wiretapping of Communications (SORM) and Alburov About Who’s to Blame for ‘Hack'” of His Telegram , the site Roem.ru noted that Andrei Soldatov,
author of the Red Web, said that FSB agents didn’t need to pressure mobile
operators; they need only obtain a warrant but they are not required to show it
to the operator and indeed such surveillance is considered a state secret.

FSB remotely monitors conversations and the operator is not informed. For that
reason, explains Roem.ru, selecting MTS as a target of ire alone among
operators isn’t logical; all Russian communications companies are required to
cooperate with the FSB and SORM, the government’s filtration system. Roem.ru
also blamed Alburov for not using passwords on the chat itself.

But a reader
with the nick-name “saahov” rightly asks the question — if the FSB has SORM and
that’s enough, why all the fussing with fake SMS codes and the cooperation of
MTS for this? Likely the answer is this: Telegram, even though it was founded
by a Russian developer, is located overseas and is not a Russian company and
hasn’t agreed to cooperate with the FSB.

Russia Demands Cooperation with ISPs 

significantly raised the ante last year by demanding that all Internet service
providers with Russian subscribers maintain servers on Russian soil, ostensibly
to protect customer data. The threat is that otherwise, services like Twitter
or Facebook will be banned and blocked. In fact, the measure is widely seen as even
further encroachment on people’s privacy and freedom of expression.

It is not
clear how this situation will unfold as there have been a number of skirmishes
already between Twitter and Roskomnadzor, the state censor. It’s also uncertain
how the Russian government will deal with chat apps; an effort that got started
to ban Telegram because it was used by the Paris terrorists did not get off the
ground in the Russian parliament. Perhaps the FSB appreciates how popular these
apps are and are happy to let companies gather all the customer communications
for them and hack them at will. Maybe their preferred method will be simply to pressure mobile phone companies to cooperate as seems to be indicated in Alburov’s case.

As for
efforts to circumvent website blocks with Tor and other anonymizers – or to use
them to commit hacks undetected as they were in the past weeks’ breaches –
periodically officials call for banning Tor. The prosecutor’s office of
Murmansk demanded May 4 that 13 anonymizer sites be closed, Gazeta.ru
Given how easy it is to make new sites, this is probably a losing

Virtually every day, Russian news carries a story about somebody who was hacked; on May 4 was Anton Inyutsyn, Russia’s deputy minister of
energy was the latest victim, Interfax reported.
All of his email from 2008 to date was taken.

So that suggests that these recent high-profile hacks are just a slice of life, not necessarily related or coordinated, but an
increasing feature of life in Putin’s Russia. If they are not willing to master more complex software routines, the opposition as well as corrupt
officials may soon have to return to what was known in the Soviet era as the “Russian-Russian
dictionary” method of undetected communication – meeting in person to point to words in an old hard-copy dictionary or rubbing a piece of soap or lard on a table to write
words on a table, then quickly washing them off.