The next day CrowdStrike published the report along with technical details of the hacking attack. [17] Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” CrowdStrike Blog , June 15, 2016, www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee .
The author of the report was Dmitri Alperovitch, cofounder and chief technology officer of CrowdStrike. Alperovitch, a blond, solidly built thirty-six-year-old cyber expert, had left Russia in 1994 and had never since set foot in his native land. (“My Moscow is long gone,” he told Andrei.) In the 2000s Alperovitch became a prominent American cyber expert, having made his reputation investigating Chinese hackers’ operations in the United States. [18] In 2010 Alperovitch led the investigation into Operation Aurora, the Chinese penetration of Google and a dozen other companies, and in 2012 he investigated Night Dragon, the Chinese espionage operation against Western multinational oil and gas companies. See “Dmitri Alperovitch,” MIT Technology Review, www.technologyreview.com/lists/innovators-under-35/2013/entrepreneur/dmitri-alperovitch .
In his report on the DNC hacking Alperovitch made a bold claim about the hackers’ identity and their sponsors: the activity of Fancy Bear “may indicate affiliation with Glavnoye Razvedivatelnoye Upravlenie (Main Intelligence Department) or GRU, Russia’s premier military intelligence service.” He was not so certain about the second team, Cozy Bear, but most experts, including Alperovitch, were inclined to think Cozy Bear was the work of the FSB.
This posed a serious problem for the US government. The Kremlin had been outsourcing its hacking activities, which made attribution difficult, and that was no accident. The Kremlin had used outsourced groups elsewhere to create plausible deniability and to lower the costs and risks of controversial overseas operations. For example, for years Moscow denied its military presence in the east of Ukraine, insisting that the fighters there were local guerrillas.
The Kremlin’s tactics were the opposite of China’s, where the regime directly oversees cyber attacks and it is possible to identify the chain of command. In Russia all kinds of informal actors, from patriotic hackers, to Kremlin-funded youth movement activists, to employees of cybersecurity companies forced into cooperation by government officials, have been involved in operations targeting the Kremlin’s enemies both within the country and in former Soviet states. [19] An excellent example of this kind of government-private cooperation can be found in Daniil Turovsky, “Gruzit po polnoy programme: Zachem goskorporatsii ponadobilas Sistema dlya organizatsii DDoS-atak” [Loading at full capacity: why a state corporation needed a system for organizing DDoS attacks], Meduza , September 3, 2015, https://meduza.io/feature/2015/09/03/gruzit-po-polnoy-programme .
This heterogeneous group had developed an impressively efficient set of tactics. In general there were three common features. The first was the use of rank-and-file hacktivists not directly connected to the state in order to help the Kremlin maintain plausible deniability. The second was guidance and protection from criminal prosecution, provided by the president’s administration alongside the secret services. Finally, hacked information was published as kompromat (i.e., compromising materials) online as a way of smearing an opponent.
The Russian government used this approach regularly against its opposition and activists. For instance, in the summer of 2012 hackers penetrated a Gmail account belonging to Alexei Navalny, one of the leaders of the Moscow protests, and then a blogger who went by the nickname Hacker Hell published Navalny’s emails. Hacker Hell was not part of any government organization, and the Kremlin insisted it had nothing to do with the hacking. (When the Kremlin disowned Hacker Hell, however, it did not help him. In 2015 a German court identified Sergei Maksimov, a Russian national who had been a German resident since 1997, as Hacker Hell and found him guilty of hacking Navalny’s account. The German court gave him seventeen months’ probation. [20] Alexey Navalny, “Russian ‘Hacker Hell’ Sentenced to 400 Hours Community Service in Germany,” Meduza , August 6, 2015, https://meduza.io/en/news/2015/08/06/russian-hacker-hell-sentenced-to-400-hours-community-service-in-germany . See also Aleksander Gorbachev, “Meet the Hacker Who Terrorized the Russian Blogosphere,” Newsweek , July 9, 2015, http://www.newsweek.com/2015/07/17/gospel-according-hell-351544.html .)
In March 2014 Ukraine found itself in the crosshairs. The hacktivist group CyberBerkut, made up of supporters of the country’s former president Viktor Yanukovych, who had fled to Russia the previous month, claimed to have hacked the email accounts of Ukrainian NGOs. A trove of emails was published on CyberBerkut’s website. These emails purported to prove that the targeted NGOs were not only in touch with the US Embassy but also received funding from American foundations. CyberBerkut’s goal was obvious: portray the Ukrainian NGO activists as thoroughly corrupt American puppets engaged in betraying their country. [21] “Kiberberkut vskryl perepisky evromaidanovtsev s amerikanskimi sponsorami” [CyberBerkut exposed the correspondence of Euromaidan activists with their American sponsors], NTV, March 25, 2014, www.ntv.ru/novosti/869656 . See also “09.04.2014 Strike Back!,” We Will Not Forget, https://cyber-berkut.org/en/olden/index5.php .
In January 2015 the same group of hackers attacked German government websites, including Chancellor Angela Merkel’s page, demanding that Berlin end its support for the Ukrainian government. [22] Michelle Martin and Erik Kirschbaum, “Pro-Russian Group Claims Cyber Attack on German Government Websites,” Reuters , January 7, 2015, www.reuters.com/article/us-germany-cyberattack-idUSKBN0KG15320150107 .
In April 2015 hackers also worked their way into the French television network TV5Monde. Posing as ISIS, the hackers breached the network and knocked the company’s eleven channels off the air for over three hours. The French government’s cyber agency ANSSI (Agence nationale de la sécurité des systèmes d’information) attributed the attack to Russian hackers, the group later known as Fancy Bear. [23] Gordon Corera, “How France’s TV5 Was Almost Destroyed by ‘Russian Hackers,’” BBC, October 10, 2016, www.bbc.co.uk/news/technology-37590375 .
In 2016 it was the United States’ turn to come under attack. The first reaction of Putin’s spokesperson, Dmitry Peskov, to the DNC hacking, in which he emphasized that neither the Russian government nor any Russian government bodies were involved, seemed to suggest that the Kremlin was recycling the tactics that had worked against Russian dissidents, Ukrainian activists, and French television. There was even an obscure hacker to blame: the day Alperovitch published his report, a hacker who styled himself Guccifer 2.0 announced on his blog that he had hacked the DNC. As proof, Guccifer 2.0 provided eleven documents from the DNC. [24] “Guccifer 2.0 DNC’s Servers Hacked by a Lone Hacker,” Guccifer 2.0, June 15, 2016, https://guccifer2.wordpress.com/2016/06/15/dnc . See also Ellen Nakashima, “‘Guccifer 2.0’ Claims Credit for DNC Hack,” Washington Post , June 15, 2016, www.washingtonpost.com/world/national-security/guccifer-20-claims-credit-for-dnc-hack/2016/06/15/abdcdf48-3366-11e6-8ff7-7b6c1998b7a0_story.html .
The Kremlin’s denial tactics had worked relatively well in the past, mostly because the governments of the countries that had been attacked were hesitant or unable to push the accusation all the way up to the Kremlin. But in the spring of 2016 this changed. In May our contacts in Western cyber circles told us that the cyber expert community had just reached a new consensus: the technical evidence now available was advanced enough both to trace cyber attacks and to attribute them.