NEW YORK (NYTIMES) - Hackers claim to have broken into dozens of Russian institutions over the past two months, including the Kremlin's internet censor and one of its primary intelligence services, leaking e-mails and internal documents to the public in an apparent hack-and-leak campaign that is remarkable in its scope.
The hacking operation comes as the Ukrainian government appears to have begun a parallel effort to punish Russia by publishing the names of purported Russian soldiers who operated in Bucha, Ukraine, the site of a massacre of civilians, and agents of the FSB, a major Russian intelligence agency, along with identifying information like dates of birth and passport numbers. It is unclear how the Ukrainian government obtained those names or whether they were part of the hacks.
Much of the data released by the hackers and the Ukrainian government is by its nature impossible to verify. As an intelligence agency, the FSB would never confirm a list of its officers. Even the groups distributing the data have warned that the files swiped from Russian institutions could contain malware, manipulated or faked information, and other tripwires.
Some of the data may also be recycled from previous leaks and presented as new, researchers have said, in an attempt to artificially increase the hackers' credibility. Or some of it could be manufactured - something that has happened before in the ongoing cyber conflict between Russia and Ukraine, which dates back more than a decade.
But the hacking effort appears to be part of a campaign by those opposing the Kremlin to help in the war effort by making it difficult for Russian spies to operate abroad and by planting a seed of fear in the minds of soldiers that they could be held to account for human rights abuses.
Mr Dmitri Alperovitch, a founder of the Silverado Policy Accelerator, a Washington think-tank, and the former chief technology officer at cyber-security firm CrowdStrike, said there was reason to maintain a healthy scepticism about the reliability of some of the leaks.
But he added that the hacking campaign "once again may prove that in the age of pervasive cyberintrusions and the generation of vast amounts of digital exhaust by nearly every person in a connected society, no one is able to hide and avoid identification for egregious war crimes for long."
The leaks also demonstrate Ukraine's willingness to join forces with amateur hackers in its cyberwar against Russia. In early March, Ukrainian officials rallied volunteers for hacking projects, and the Ukrainian government has been publishing information about its opponents on official websites. A channel on the messaging platform Telegram that lists targets for the volunteers to hack has grown to more than 288,000 members.
US intelligence officials say they believe that hackers operating in Russia and Eastern Europe have now been split into at least two camps. Some, like Conti, a major ransomware group that was itself hacked in late February, have pledged fealty to President Vladimir Putin of Russia. Others, mostly from Eastern Europe, have been offended by the Russian invasion, and particularly the killings of civilians, and have sided with the government of President Volodymyr Zelensky of Ukraine.
Experts have warned that the involvement of amateur hackers in the conflict in Ukraine could lead to confusion and incite more state-backed hacking, as governments seek to defend themselves and strike back against their attackers.
"Some cybercrime groups have recently publicly pledged support for the Russian government," the Cybersecurity and Infrastructure Security Agency warned in an advisory on Wednesday. "These Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people."
Distributed Denial of Secrets, or DDoSecrets, a nonprofit organization publishing many of the leaked materials, was founded in 2018 and has published material from US law enforcement agencies, shell companies and right-wing groups. But since the beginning of the war in Ukraine, the group has been flooded with data from Russian government agencies and companies. It hosts more than 40 data sets related to Russian entities.
On March 1, Ukrainian news outlet Ukrainska Pravda published names and personal information that it said belonged to 120,000 Russian troops fighting in Ukraine. The information came from the Center for Defense Strategies, a Ukrainian security think tank, the news outlet reported. In late March, Ukraine's military intelligence service leaked the names and personal data of 620 people it said were officers with Russia's FSB.
And in early April, the military intelligence service published the personal information of Russian soldiers it said were responsible for war crimes in Bucha, a suburb where investigators say Russian troops waged a campaign of terror against civilians.
"All war criminals will be brought to justice for crimes committed against the civilian population of Ukraine," the military intelligence service said in a statement on its website that accompanied the Bucha data dump. Russia has denied responsibility for the Bucha killings.
Russian state-backed hackers have also carried out a number of cyber attacks in Ukraine since the war began, targeting government agencies, communications infrastructure and utility companies. They have largely relied on destructive malware to erase data and disrupt the operations of critical infrastructure companies, but they have occasionally used hack-and-leak tactics.
In late February, a group calling itself Free Civilian began to leak personal information that purportedly belonged to millions of Ukrainian civilians. Although the group posed as a collective of "hacktivists," or people using their cyberskills to further their political ends, it actually operated as a front for Russian state-backed hackers, according to researchers at CrowdStrike. The hack-and-leak operation was intended to sow distrust in Ukraine's government and its ability to secure citizens' data, the researchers said.
Hackers affiliated with Russia and Belarus have also targeted news media companies and Ukrainian military officials in an effort to spread disinformation about a surrender by Ukraine's military.
But much of Russia's hacking effort has focused on damaging critical infrastructure. Last week, Ukrainian officials said they had interrupted a Russian cyberattack on Ukraine's power grid that could have knocked out power to two million people. The GRU, Russia's military intelligence unit, was responsible for the attack, Ukraine's security and intelligence service said.
United States officials have repeatedly warned US companies that Russia could carry out similar attacks against them and have urged them to harden their cyber defenses. The governments of Australia, Britain, Canada and New Zealand have issued similar warnings.
In early April, the Justice Department and the FBI announced that they had acted in secret to preempt a Russian cyber attack by removing malware from computer networks around the world. The move was part of an effort by the Biden administration to put pressure on Russia and discourage it from launching cyber attacks in the US. Last month, the Justice Department charged four Russian officials with carrying out a series of cyberattacks against critical infrastructure in the US.
But so far, the Russian activity directed at the West has been relatively modest, as Mr Chris Inglis, the national cyber director for the Biden administration, acknowledged Wednesday at an event hosted by the Council on Foreign Relations.
"It's the question of the moment - why, given that we had expectations that the Russian playbook, having relied so heavily on disinformation, cyber, married with all other instruments of power, why haven't we seen a very significant play of cyber, at least against Nato and the United States in this instance?" he asked.
He speculated that the Russians thought they were headed to quick victory in February, and when the war effort ran into obstacles, "they were distracted", he said. "They were busy."