However, the telephone carriers could offer no evidence that a pirate tower was used, but there is another possibility: SORM—the black boxes, which can monitor both Internet and cellular communications—could identify the protesters and send the message. If security services had SORM, they could use it as a back door into the Ukrainian mobile networks, giving them the ability to carry out such an operation without being detected.
A fascinating clue then emerged. A Kiev city court had ordered Kyivstar to disclose to the police which cell phones in their network were turned on outside the courthouse during a protest that occurred on January 10.
[3] Andrew E. Kramer, “Russia Defers Aid to Ukraine, and Unrest Persists,” New York Times, January 29, 2014, www.nytimes.com/2014/01/30/world/europe/ukraine-protests.html.
The warrant, No. 759, which we obtained, was issued by a Kiev district court on January 13. Its goal was to identify people in the particular area of the protest. Further, the police specifically requested that a representative of Kyivstar be excluded from the proceedings to keep the operation secret. The judge agreed with the police request.
This warrant made clear that the Security Service of Ukraine (SBU) and other law enforcement agencies had the capability to eavesdrop on communications networks without the telecom operator’s knowledge. Thus, the security services could have used their surveillance systems against protesters. On February 3 the communications regulatory agency of Ukraine reported that it could not determine who had sent the text messages to protesters in January. Secrecy prevailed.
After March 1, the day Russia annexed Crimea, many Western experts told us at different cyber security gatherings that they expected a massive denial-of-service attack to be launched against Ukrainian websites. The fears were well founded: every Russian conflict with a neighboring country in the 2000s—including Georgia and Estonia—had been accompanied by such relatively crude onslaughts against the countries’ online resources.
[4] In April 2007 Estonia provoked the Kremlin with its decision to move a Soviet war memorial out of the center of the capital. After a massive nationalistic campaign against Estonia in the Russian press, a series of DDOS attacks was launched on the websites of the Estonian government, parliament, banks, ministries, newspapers, and broadcasters. In June 2008 Lithuania came into Russia’s crosshairs when lawmakers voted to ban the public display of Nazi German and Soviet symbols. Some three hundred websites, including those of public institutions such as the National Ethics Body and the Securities and Exchange Commission as well as a string of private companies, had found themselves under cyber siege. Their websites’ content was replaced with images of the red flag of the Soviet Union alongside anti-Lithuanian slogans. In August 2008 the military conflict with Georgia in South Ossetia also included cyber attacks against Georgia’s Internet infrastructure, compromising several Georgian government websites and prompting the government to begin hosting its sites in the United States. Georgia’s Ministry of Foreign Affairs, in order to disseminate real-time information, was forced to move to a BlogSpot account.
For a while the Ukraine conflict developed along the same lines. On March 3 the Ukrainian information agency UNIAN reported a powerful denial-of-service attack, causing the agency’s website to be temporarily taken offline.
[5] “Na UNIAN vedetsya mashtabnaya DDoS-ataka” [UNIAN Is Under Massive DDOS Attack], UNIAN, March 3, 2014, www.unian.net/politics/892159-na-unian-vedetsya-masshtabnaya-nepreryivnaya-ddos-ataka.html.
The Internet infrastructure of the country seemed weak, almost begging cyber hackers to try their hand. Ukrainians clearly understood this vulnerability. That same day Konstantin Korsun, an SBU cyber-security officer in 1996–2006 and now in the cyber security business, working as the head of the NGO Ukrainian Information Security Group and supporting Maidan, appealed for help. “Because of the military intervention of Russia against Ukraine I ask everybody who has the technical ability to counter the enemy in the information war, to contact me and be prepared for a fight,” he wrote on LinkedIn. “Will talk to the security forces to work together against the external enemy.”
Almost immediately he received a reply from Maxim Litvinov, head of the cyber crime department in the Interior Ministry of Ukraine: “You can count on me.” Litvinov said he had analysts, a laboratory, and loyal personnel, and he didn’t want to wait until the country was already under attack.
[6] Pavel Sedakov and Dmitry Filonov, “Pervy Ukrainsky kiberfront: kto i zachem obiavil IT-mobilizatiu?” [The First Ukrainian Cyberfront: Who and Why Announced IT Mobilization?], Forbes Russia, March 4, 2014, www.forbes.ru/tekhnologii/internet-i-svyaz/251623-pervyi-ukrainskii-kiberfront-kto-i-zachem-obyavil-it-mobilizatsi.
But the large and much-feared cyber attack on Ukraine did not come as it had been anticipated; instead it came from another direction, a tidal wave of propaganda spread on social networks.
[7] The tactics were not completely abandoned, though, and in two weeks, on March 15, DDOS attacks disrupted access to some NATO sites. They focused on the main NATO public site, www.nato.int, knocking it offline for long periods, and a pro-Russian Ukrainian hacktivist group, Cyber Berkut (clearly echoing the name of the riot police Berkut), claimed responsibility for the attacks. But they were not very serious, and John Bumgarner, a spokesman for the US Cyber Consequences Unit, which assesses the impact of cyber attacks, compared it with “kicking sand into one’s face.” Naked Security, “DDoS Attack Takes Out NATO Websites, Ukraine Connection Claimed,” Sophos, March 17, 2014, https://nakedsecurity.sophos.com/2014/03/17/ddos-attack-takes-out-nato-websites-ukraine-connection-claimed. Also see Mark Piggot, “Ukraine Crisis: Pro-Russian Hackers Attack Nato Websites,” International Business Times, March 16, 2014, www.ibtimes.co.uk/ukraine-crisis-pro-russian-hackers-attack-nato-websites-1440497.
The Kremlin launched a massive campaign to infiltrate social networks—first of all, VKontakte—and exploit the digital pathways for its own purposes. Russia possessed certain natural advantages on this information battleground. First, both Russia and Ukraine shared a common cultural and historical legacy in the Soviet Union, such as the experience of World War II and the shared Russian language, used widely in Ukraine. Second, the Russian-based social network VKontakte is the most popular social network in Ukraine, with more than 20 million users. Russian officials knew how to frame the messages they wanted to send and had all but taken control of VKontakte. They then decided to take their information combat to the enemy, fighting on Twitter, YouTube, and Facebook.
From the Kremlin an army was unleashed, a fighting force whose weapons were words. Legions of trolls, people who disrupt online discussions by deliberately posting inflammatory, extraneous, or off-topic messages, were deployed to provoke and intimidate people. The trolls are not usually volunteers but paid propagandists. In the 2000s they were used inside Russia against liberal and independent media and bloggers. Now this army, hundreds of people, was directed outside.
The trolls often appear in the comments section of traditional news media and social media. Katarina Aistova, a former hotel receptionist, then twenty-one years old, was one of them. In April 2014 she spotted something negative written about Putin on WorldNetDaily. “You are against Putin!” she exclaimed in response to another user. “Do you actually know what he does for his country and for people?? The fact is that Obama is losing ground as a leader.” A lot of the commentary was much more strident.