The Kremlin’s cyber contractors. What motives? What risks?

The Kremlin’s cyber army has become a formidable threat around the globe, with cyberattacks targeting not only states but also private companies. The cyberspace is still pretty much a free-for-all, with no mechanisms to hold states accountable for malicious attacks. However, the Kremlin’s contractors – private companies and individual hackers – will be the ones paying the price when a Russian cyberattack is unraveled. Here is what we know about the Kremlin’s cyber contractors, what drives them, and how they are uncovered.

How the Kremlin recruits the hackers 

By spreading its ideology of “spiritual-moral values” combined with “patriotism” Moscow gains volunteers who wish to enforce these values both online and offline.

Recent footage of the Russian channel “Rain TV” (Dozhd) about cyber-vigilantes shows the depth of incorporation of the message of the Kremlin in the society, that “moral values is a matter of national security”.

These “volunteering cyber-militants” cooperate with the Russian state institutions to point to “extremists” on the web. There is even draft law ( of the ruling party “Yedinaya Rossiya” about the legitimization of their status and the “hacking actions” they undertake.

This measure is actually a further step to control the information space inside the country and to timely reveal the protest mood of the population.

Internationally, one of the motivation elements of the hacking groups working with the Kremlin is national pride, like in the case of “Fancy Bear” (known as APT28) who hacked the World Anti-Doping Agency and revealed US and UK athletes’ (so far legal) drug use. It was done with the purpose of revenge for banning Russian athletes from the Olympic and Paralympic Games for drug use.

Using patriotism is not the only method of the Kremlin to gain support from the activists, including cyber-activists. Another way to build the government’s “cyber-strength” is to encourage those having particular skills and talents. By placing ads on social media sites government-backed recruiters offer jobs to college students and professional coders.

One of the most efficient approaches is to find those hackers who “have problems with the law” and blackmail them. Thus, back in 2013 Russian deputy minister of defense, Gen. Oleg Ostapenko, said that they were forming units called science squadrons and that they might include hackers with criminal histories. The same year a cyber-criminal Alexey Belan was arrested in Greece on the request of the USA but he avoided extradition and fled to Russia. There he was trapped: he was forced to work for the FSB in order to avoid further criminal charges. On the order of Russian intelligence and together with another “hacker for hire” who was from Canada he conducted cyber-attacks against Yahoo.

Not only criminals are blackmailed but also those who act in good faith. The 2015-story of Mr. Vyarya– the coder who was put in the situation where he had to reject to work for the Russian government, proves how mean the methods of Russians can be.

Mr. Vyarya who helped to secure the websites of opposition leaders and media channels was “forced” to witness a DDOS attack done with the help of the Bulgarian software which Russian military contracting company Rostec planned to buy. Following this cyberattack against Ukraine’s Defence Ministry he was proposed to “run” and to improve this software. After he declined the job offer, he was forced to flee the country.

One more type of recruiting is to give tasks to the programmers without telling them what the purpose is, like in the case of a Ukrainian coder ( who had been paid to write customized malware without knowing its purpose, only later learning it was used in Russian hacking against Ukraine and other Western states.

Attribution of cyber-operations: how do we know it was the state?

Governments and private companies are increasingly likely to discover and attribute cyber operations. For a good assessment of a cyber-attack, it has to be considered who benefits the attack and whether it could be a false flag operation. To properly attribute the attack, one has to consider the intelligence and the technical components of the operation.

Credible attribution implies that society trusts the attributors. In many cases, the attributors are the intelligence services that do not tend to declassify their sources. Besides the “international cooperation is needed to discover every element in the chain of cyber attack”. Example of such cooperation is the Five Eyes intelligence grouping, made up of the UK, the USA, Canada, Australia, and New Zealand, that attributed devastating NotPetya attack to Russia and WannaCry to China.

In 2018 the intelligence services of the US, the UK, and the Netherlands attributed cyber-attack against World Anti-Doping Agency and the Organisation for the Prohibition of Chemical Weapons to Russia’s GRU-backed hacker group Fancy Bear (APT28), the group that became bolder after hacking France’s TV5 in 2015. Dutch intelligence was able to track the Russian hacking group “Cozy Bear”. This group is blamed for the attack against the Democratic National Committee. In these cases, concerned states were able to attribute and to share the findings with their societies, and it made the attribution credible. The evidence may not always be presented. But it does not mean that it does not exist.

Not only public services monitor the attacks but private companies report on Russia’s cyber-interference too. Thus, the above-mentioned “Cozy Bear” was first identified by the Russian-born Dmitry Alperovitch, co-founder of the US-firm “CrowdStrike”. Dutch company “Fox-IT” identified the Russia-backed group “Turla” that used malware rootkit Snake to hack the German Bundestag end of 2018 and the Belgian Ministry of Foreign Affairs in 2014. The company “CrowdStrike” helped investigate cyberattacks Gameover ZeuS of the criminal with the nickname “lucky12345”. Gameover ZeuS aimed at stealing bank account data of the victims. After more than 10 years of tracking the guy, thanks to common efforts of public institutions and private firms the mastermind was identified. It was Evgeniy Bogachev, who was residing in the Russian resort city Anapa. The investigators established that the network of Bogachev was involved in collecting information on Ukraine right before the Russian invasion in the country. Connecting many dots helped assume that he worked for the Kremlin.

The American IT-company “FireEye” and the Finnish “F-Secure” each published papers revealing Russian government-backed cyber operations. The first one –  “APT28: A Window Into Russia’s Cyber Espionage Operations? (2014, complemented with new evidence in 2016) and the second –  “The Dukes: 7 Years of Russian Cyber-Espionage”(2015).

Ukrainian cyber-security experts Viktor Zhora and Nikolay Koval were able to identify the malware that was used to load onto a Ukrainian election commission server a graphic faking the results of the elections. This fake image was then used by the Russian TV channels to spread lies that the “ultra-rights won Ukrainian parliamentary elections” in 2014.

The EU takes the position that“attribution to a state or a non-state actor remains a sovereign political decision based on all-source intelligence and should be established in accordance with international law of state responsibility”.

Outsourced Kremlin’s cyber-operations: what risks?

There are plenty of risks for the Kremlin and any other state that plans cyber-attacks using the money of its taxpayers. Firstly, cyber operations embroil such countries in real-world scandals that undermine rather than advance their own policy goals as well as weakens international cooperation on the issues of global importance. Secondly, cross-border operations are hard to control, and the mistakes done by hackers can escalate quickly. And thirdly, cyber-criminals may “hit back” – they may reveal the names of those for whom they work or leak any other information.

Risks for the companies

IT firms who willingly accept the job offer originated in the Kremlin, compromise their overall commercial and reputational gains. Thus, in 2014 Italian company “Hacking Team” lost its export license because it sold iPhone hacking software to the “Advanced Monitoring”, Russian firm working with FSB. Also, misleading information about who is behind certain public information campaigns can lead to removal of the social media pages with millions of followers like in the case of Maffick Media.

Hacked emails of Russian company “Oday technologies” revealed that they have helped Russian secret services to conduct their activities in cyberspace. Such cooperation erodes trust in the company when revealed.

At the same, other Russian companies like Kaspersky Lab want to show that they “distance” themselves from the Kremlin after allegations of Kremlin spying.

Risks for IT specialists

Hacking for the state does not deprive these actions of criminal nature. When the attacks are discovered, the state for which the hacker works denies its involvement. Despite publicly campaigning for the recruitment of hackers, Moscow never admits that they work for the Russian government and abandons them when they get in trouble. The trouble can be of a different sort. Thus, hackers and their families undergo the risk of financial or legal consequences, and when they are “trapped” in Russia, they cannot travel to Europe for education, vacation or work.

In 2014 for the first time, a criminal case was open in the USA in regard to the Russia-backed high scale hacking operation. Two programmers Canadian of a Kazakh origin Karim Baratov and the above-mentioned Latvian Alexey Belan were paid by two Russian intelligence officers Dmitri Dokuchaev and Igor Sushchin for hacking six thousand and getting information about half a billion of Yahoo accounts. The key role in the attribution of this attack played the British intelligence MI-5. “Hacker for hire” Baratov was sentenced for five years in prison whereas Belan has been put on the “most wanted list” in the USA. Dmitri Dokuchaev was arrested in Moscow in suspicion of sharing information with foreign intelligence.

When cyber-attacks get attributed, which happens often nowadays, the individuals undergo high risks to get “trapped” between criminal charges and blackmailing, and the companies – to lose reputation and licenses. Cyber-operations taint those working for the Kremlin; they embroil Russia in scandals with other states undermining international cooperation regarding issues of real, global importance.

Picture of Euromaidanpress

All News ›