“Cyberwar as a form of interstate confrontation has entered an active phase.”
Allegations that Russian hackers stole emails from top Democrats in the United States, in an effort to influence the results of America’s presidential election, are now more than a year old. Last November, Meduza published a detailed look at the operations of Russia’s cyber-soldiers. But a country’s cybersecurity is only as good as its cyber-defense, which is why Meduza’s special correspondent Daniil Turovsky returned to the subject, interviewing dozens of cybersecurity experts and studying different documents and reports, in order to learn what cyberthreats most concern the Russian government, and what Moscow is doing to protect the country.
Kirill (whose name has been changed at his request) first got interested in hacking websites when he was 13, in the early 2000s. Back then, his computer was too weak to play the latest games, so he needed to find something else to do. One of his classmates, meanwhile, had started creating websites. During lessons, his friend would pass him a notebook with design sketches, and Kirill would write out the HTML code by hand. “These limitations forced us to be inventive, and it wasn’t long before I got interested in hacking,” the programmer recalls today.
Together, Kirill and his friend started hacking their fellow classmates’ websites. Eventually, the friend lost interest in hacking, but Kirill’s fascination only grew. He later registered an account on “Anti-Chat,” an online forum where people discuss computer vulnerabilities, hacks, and cybersecurity news. The forum has several different levels, and you gain access to new levels by demonstrating your programming knowledge. Rising in Anti-Chat’s hierarchy, Kirill got to know several other young hackers. Within a few years, many of these individuals would become the best cybersecurity specialists in Russia, while others would begin earning money illegally as hackers. Some of these people would even land in American prisons.
A life of crime never appealed to Kirill. “I was too lazy to do anything truly illegal with money. It would have been too hard to make myself as paranoid as you have to be. It would have been constant stress. You have to be so careful all the time,” he says. “But I still wanted to hack.”
So Kirill looked for spots in other hacker communities, and he found a steady job in 2010, in an era when Russian IT security firms were hiring large numbers of “pentesters” (penetration testers) to attack clients’ computer systems in order to test their security. Eventually, Kirill was hired by a major company that earned most of its money from contracts with Russia’s intelligence agencies. On instructions from his superiors, Kirill has hacked banks, financial institutions, payment systems, and industrial enterprises. He managed all this without much difficulty: it was often enough just to send out phishing emails.
In the spring of 2012, Kirill was presented with another task: hack one of Russia’s major news agencies. The client ordered the test, fearing that intruders might try to break in ahead of Vladimir Putin’s inauguration, in order to “post nasty stuff about Mr. Putin on the site.” Kirill says he easily hacked the website, which had no real protection from hackers. “It was a lot of code written in the early 2000s,” he says. As usual, he wrote up a report and sent it off to his managers.
A year later, purely out of personal interest, Kirill says he decided to see what security measures the news agency had adopted after his assessment. Reviewing the website again, he found that every loophole and vulnerability identified in his report was still in place, completely unchanged.
America vs. Russia
In the past two years, hackers working for Russia’s Defense Ministry and intelligence agencies have been accused of attacking the Democratic Party in the United States, the World Anti-Doping Agency, and government websites in Estonia, Lithuania, and Turkey, as well as power plants and other critical infrastructure in Ukraine.
Based on recent legislation and remarks by state officials, Russia is indeed bracing itself for a cyberwar, and it’s making both offensive and defensive preparations. Until recently, the government said almost nothing about the need to protect state websites and the nation’s critical infrastructure: Russia’s nuclear power plants, military factories, supply systems, and other facilities that, if attacked successfully, could cause ecological or financial catastrophe, as well as major loss of life.
Today, attitudes have changed drastically, most likely thanks to the constant news stories about hackers infiltrating critical facilities (for example, nuclear power plants in the U.S.), the evolution of cyber-espionage, and the growth of cyber-threats posed by terrorist organizations. “I think an agreement banning the use of cyber-weapons will be signed soon,” a source involved in the defense of Russia’s critical infrastructure told Meduza. “But only after there’s some real major catastrophe.”
Another source working in critical infrastructure IT security told Meduza that rather incompetent people are often employed at Russia’s strategically significant facilities. “We’re explaining to these people that they’ve got a problem, but they don’t acknowledge that something could go wrong. They say, ‘Oh, it’s just a virus trying to steal some money.’ But it popped up in a closed system! They might be lucky that the virus was designed for some other function, but what would have happened if it was made for something else entirely?”
In fact, cyber-weapons are used regularly against Russia, though Meduza’s sources say only a narrow group of experts typically learns about these attacks, as the cybersecurity community tries to keep such information from the general public.
Nevertheless, law enforcement agencies and security companies do occasionally report cyberattacks against the Russian government. For instance, in 2013, Russia was attacked with a cyber-weapon called “Sputnik.” (To learn more about this incident, you can read a report by the research association “Echelon,” which certifies foreign software for Russia’s Defense Ministry.) “Sputnik” was designed for cyber-espionage, collecting information about the activities of military agencies, institutes, and diplomatic organizations by exploiting “zero-day” vulnerabilities in Microsoft Office applications (Word, Excel, and Outlook). It was impossible to track where the stolen information was being sent, because the destination was hidden behind a chain of proxy servers. Echelon’s researchers, who concluded that the stolen data would be of interest to Russia’s geopolitical adversaries, wrote in their conclusion: “Cyberwar as a form of interstate confrontation has entered an active phase.”
In July 2016, Russia’s Federal Security Service (FSB) announced that it had discovered several Trojan horses in the IT infrastructure of Russia’s state, scientific, and defense institutions (in total, about two dozen enterprises). The agency indicated that the attack was planned carefully and carried out by trained professionals. A different exploit was tailored to each enterprise, and the initial infections were delivered through phishing emails. After infection, “Sputnik” downloaded the modules needed for keystroke logging, remote control of a computer’s webcam and microphone, and interception of network traffic. After the FSB’s announcement, a parliamentary committee on national security concluded that such cyber-espionage “is primarily beneficial to the Americans.”
Right now, in order to protect their online communications, Russian state officials use a closed government network called RSNet. Every employee has a secure work email account that can only be accessed from a specific IP address on a designated computer, but far from everyone complies with these restrictions. Ironically, this is truest at the higher echelons of power. “It’s not like an FSB grunt is going to come up to [Deputy Prime Minister Arkady] Dvorkovich and say, ‘Alright, buddy. Power it down!’” the head of the hacktivist group “Anonymous International” told Meduza. That group has hacked Russian politicians’ private correspondence, usually by gaining access to their accounts on public email services and instant messengers rather than by breaching RSNet.
Gradually, the government is also starting to think more seriously about protecting telephone conversations. In 2017, for example, one of the research institutes working for Russia’s intelligence community designed a “cryptophone,” which allows users to make encrypted telephone calls.
On June 23, 2017, The Washington Post reported that Barack Obama, when he was still president, ordered the U.S. National Security Agency to develop cyber-weapons against Russia as a response to Moscow’s supposed interference in the U.S. presidential race. The special operation reportedly entailed the placement of “implants” in Russia’s electronic infrastructure that could be triggered when needed to disable Russia’s systems. The newspaper called the implants “the digital equivalent of bombs.”
America has in fact been using this technology for years: Michael Hayden, the former director of the NSA and CIA, has said that the U.S. installed “implants” in tens of thousands of computers throughout the world “that can be used when necessary.”
A hacker bomb squad
For years, cybersecurity specialists have warned that hackers might find a way to inflict real physical damage on nations’ critical infrastructure. And it happened in 2009, when hackers attacked Iran with Stuxnet, a cyber-weapon designed specifically to interfere with the Islamic Republic’s nuclear program. According to New York Times reporter David Sanger, Stuxnet was created to be a peaceful solution to a potential problem: the United States feared that Israel would launch air strikes against Iran and its nuclear facilities.
Sanger’s sources said Stuxnet was created by several intelligence agencies working together: the CIA, the NSA and U.S. Cyber Command, the British Government Communications Headquarters, and a special radio electronic reconnaissance division of the Israeli Mossad. In order to carry out their plans, the agencies first attacked five Iranian companies with ties to the nuclear facility. From there, Stuxnet found its way onto the staff’s flash drives, and employees then apparently unknowingly carried it into the plant’s protected network, which was air-gapped and not connected to the Internet at all. Engineered specifically for the industrial control systems used at the facility, Stuxnet infiltrated Iran’s uranium enrichment plant in Natanz and destroyed more than a quarter of its centrifuges by implanting malicious code in the controllers that drove the equipment, altering how it operated.
The centrifuges were powered by electric motors rotating at a speed of 1,000 revolutions a second. Stuxnet accelerated the centrifuges to 1,400 revolutions a second and then sharply reduced the speed, causing them to fail. While this was happening, the plant’s engineers, sitting in the room next door, looked at their computer screens and saw nothing wrong: the monitoring software continued to show the enrichment process working as intended, because it trusted the very controllers the malware had compromised. It would be some time before they realized the reason for all the accidents at the plant. Later, some staff would be fired on suspicion that they had violated the facility’s operating procedures.
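The attack described above works because the operator screen and the drive that sets the rotor speed are fed by the same controller: if the controller lies, the screen lies with it. The following Python simulation is an added illustration and is not code from the article or from any Stuxnet analysis it cites. It models a toy centrifuge drive that both sets and reports its speed, has the reporting path replay recorded "normal" readings while the real speed is pushed to the page's figures (1,000 then 1,400 revolutions a second, then a sharp drop), and shows how an independent measurement path that the controller does not mediate turns the silent manipulation into a detectable mismatch. The power-to-speed ratio, the safe limit, the deceleration target and the tolerance are assumptions chosen for the toy model.

```python
"""Simulation of controller-mediated telemetry being spoofed, and a
cross-check against an independent sensor path.

Constructed example: all numbers are illustrative, not plant data.
"""
from dataclasses import dataclass, field

NOMINAL_HZ = 1000.0       # page figure: ~1,000 revolutions per second
ATTACK_HIGH_HZ = 1400.0   # page figure: spun up to ~1,400
ATTACK_LOW_HZ = 2.0       # assumption: near-stop target after the spin-up
SAFE_MAX_HZ = 1100.0      # assumption: mechanical limit of the toy rotor

# Assumption: motor power draw scales linearly with rotor speed, so an
# independent power meter lets us infer speed without trusting the controller.
WATTS_PER_HZ = 0.5


@dataclass
class Drive:
    true_hz: float = NOMINAL_HZ
    compromised: bool = False
    replay: list = field(default_factory=list)  # recorded "normal" readings

    def record_baseline(self, n: int = 5) -> None:
        """Attacker's preparatory step: record what normal looks like."""
        self.replay = [self.true_hz] * n

    def set_speed(self, hz: float) -> None:
        self.true_hz = hz

    def report_to_hmi(self) -> float:
        """Controller-mediated telemetry shown on the operator screen.
        When compromised, it replays the recorded baseline instead."""
        if self.compromised and self.replay:
            return self.replay[0]
        return self.true_hz

    def independent_power_watts(self) -> float:
        """Out-of-band sensor the controller does not mediate."""
        return self.true_hz * WATTS_PER_HZ


def infer_hz_from_power(watts: float) -> float:
    return watts / WATTS_PER_HZ


def check(drive: Drive, tolerance_hz: float = 25.0):
    """Compare the HMI value with the independently derived speed.
    Returns (alarm, reason)."""
    reported = drive.report_to_hmi()
    inferred = infer_hz_from_power(drive.independent_power_watts())
    if abs(reported - inferred) > tolerance_hz:
        return True, f"telemetry mismatch: hmi={reported:.0f}Hz power-derived={inferred:.0f}Hz"
    if inferred > SAFE_MAX_HZ:
        return True, f"overspeed: {inferred:.0f}Hz"
    return False, "ok"


def run_attack_scenario():
    """Baseline, then the spin-up / spin-down sequence with spoofed telemetry."""
    drive = Drive()
    drive.record_baseline()
    results = [("baseline", *check(drive))]
    drive.compromised = True
    drive.set_speed(ATTACK_HIGH_HZ)
    results.append(("spin-up", *check(drive)))
    drive.set_speed(ATTACK_LOW_HZ)
    results.append(("spin-down", *check(drive)))
    return results


if __name__ == "__main__":
    for phase, alarm, reason in run_attack_scenario():
        print(f"{phase:10s} alarm={alarm} {reason}")
```

Without the independent path, every phase would read "ok" on the screen, which is the situation the engineers in Natanz were in. The design lesson is that safety monitoring must not share a trust root with the component it monitors.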
After this attack, Stuxnet continued spreading to other countries: in 2010, it infected roughly 100,000 computers around the world, even penetrating the network at one of Russia’s nuclear power plants. As in Iran, Russia’s nuclear power plants aren’t connected to the Internet, so the infection of even one station points to serious weaknesses in the isolation of the whole network.
Since Stuxnet, newer, similar types of cyber-weapons have emerged. In June 2017, experts from ESET reported a new program called Industroyer, designed to interfere with the critical processes of energy companies’ control systems. Using this malware, hackers could directly operate substations’ circuit breakers. “Industroyer’s ability to influence the operations of industrial equipment makes it the most dangerous threat since Stuxnet,” ESET’s analysts concluded, suggesting that the malware was the likely cause of a power outage in Kiev in December 2016, when the electricity suddenly failed in four districts across the city.
For the past three years, hackers have repeatedly attacked Ukraine, where they’ve managed to shut off the power in entire regions. Hackers have also penetrated transportation systems, military targets, and financial organizations, paralyzing their work. “You can’t really find a space in Ukraine where there hasn’t been an attack,” says Kenneth Geers, an ambassador of NATO’s Cooperative Cyber Defence Centre of Excellence who focuses on cybersecurity.
“Because of its participation in Middle East military operations, Russia has become seriously frustrating to terrorists,” Ilya Sachkov said at a security conference on June 30, 2017. Sachkov works for an information security company called Group-IB. “Unfortunately, this year we’ll already be facing a successful attack on critical infrastructure.”
In the year after the leader of ISIS proclaimed the creation of a “caliphate” in Syria and Iraq, the group’s propaganda efforts changed considerably: instead of social-media posts and videos showing new recruits calling for more volunteers, ISIS started soliciting for help with the construction of a new state, inviting doctors, teachers, journalists, and programmers. It was roughly around this time that the ISIS Hacking Division (or “Cyber-Caliphate”) first appeared, organized by a hacker named “TriCk,” who moved to ISIS-controlled territory from Birmingham, England.
By that time, TriCk could already boast an impressive résumé. He carried out his first hack at the age of 11 as revenge against an online gaming opponent. At the age of 15, he formed the hacktivist group Team Poison to fight for the rights of Palestinians and the people of Kashmir. Under TriCk’s leadership, the group attacked pro-Israeli and American media outlets and social-media accounts, sometimes graffiting their own slogans (and warnings) on the webpages of ideological adversaries.
Team Poison attacked the websites of NATO and the British Defense Ministry, and Mark Zuckerberg’s Facebook account. In 2012, after he hacked the emails of one of former Prime Minister Tony Blair’s aides, British police finally found and arrested TriCk. The hacker turned out to be a young man named Junaid Hussain, the son of Pakistani immigrants. After spending six months in prison, Hussain left England for Raqqa, the ISIS capital, where he took the name Abu Hussain al-Britani and became the organization’s chief hacker.
In his new role, Hussain continued doing what he’d always done best: hacking American websites and social-media accounts. In January 2015, for example, Hussain posted a tweet from the U.S. Central Command’s account reading, “AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS.” The hacker also revealed the identities and home addresses of American soldiers in the United States, calling on ISIS supporters to find them and kill them. In the summer of 2015, Hussain outed two local activists fighting ISIS propaganda online. They were later apprehended and executed. In early August 2015, Junaid Hussain, now 21 years old, was number three on the Pentagon’s hit list, ranked just below ISIS leader Abu Bakr al-Baghdadi and the ISIS executioner known as “Jihadi John.”
A few days later, an FBI informant contacted Hussain using a secure messenger called Surespot. (Hussain had published his contact information on Twitter, inviting comments from those who shared his political views.) During their conversation, the informant sent Hussain a hyperlink to a webpage that, once visited, infected his mobile phone with malware that allowed him to be tracked. After an American drone strike killed Hussain, the informant revealed himself to be a hacker by the name of “5hm00p.” He later wrote that he was coerced by the FBI into betraying Hussain: “F**king guilty. And I’m sorry. I played their game and I shouldn’t have.” He says he helped the U.S. government after the FBI threatened the livelihood of his family. “What the f**k have I done,” he tweeted remorsefully in November 2015, writing, “Do you know how I feel now when I sleep at night? […] Regardless that he was a terrorist and an animal I sure as f**k felt betrayed.”
Despite Hussain’s death, cybersecurity experts monitoring Darknet forums have documented terrorist groups’ growing interest in hacker attacks — especially attacks on critical infrastructure. A source investigating these hacker communication platforms confirmed this information to Meduza. A report by Group-IB also corroborates terrorists’ pursuit of malware capable of causing physical damage, claiming that Internet users with Syrian IP addresses have tried to recruit cybersecurity experts and expressed interest in cyber-warfare. Most of these Internet users’ messages on underground forums appear to be written using Google Translate. Terrorists have also shown an interest in learning ways to penetrate the computer systems of enterprises in the defense industry, in order to steal secret design data. A report by The New York Times Magazine found that different extremist groups have spent years searching for red mercury, a fictional chemical composition supposedly invented by Soviet scientists to create weapons of mass destruction.
According to Meduza’s source, “if ISIS operatives find out where to buy zero-day vulnerabilities, then we’re in store for some very unpleasant events.”
“Mankind has been fighting terrorism since the 19th century,” IT security specialist Ilya Sachkov told Meduza. “The science of protecting cyberspace emerged more or less about 20 years ago, but we’ve never had to confront Internet terrorism seriously before. There have only been pinpoint attacks, like in Ukraine.”
Stuxnet’s success against the Iranian nuclear program didn’t go unnoticed in Russia. In January 2013, Vladimir Putin ordered the Federal Security Service (FSB) to create a state system for detecting, warning of, and eliminating the consequences of computer attacks. Known as “GosSOPKA,” its purpose would be to “shield” all government information resources within a single system with a constantly monitored perimeter. This shield would extend to all state resources and critical infrastructure, so that they all share information about cyberattacks with a central office, which would determine how an attack was mounted and distribute security recommendations to the rest of the system.
The FSB spent two years developing the plans for GosSOPKA. In 2015, the agency published an excerpt from its blueprint, stating that the system would be divided into response centers in different regions and government departments, with a National Coordination Center for Computer Incidents (Gov-CERT) created within the FSB to manage the defense of Russia’s critical infrastructure. In November 2016, Alexey Novikov, the FSB officer put in charge of Gov-CERT, reported that the system had extended to 10 state agencies, and response centers were already in place at Rostec and Russia’s Central Bank.
Novikov says Russia’s intelligence community is now developing a network between state agencies to share information about hacking incidents. The system, according to Novikov, will have a special mode that allows cyberattack victims to submit messages to Gov-CERT with requests for assistance. These messages will take top priority, and the FSB’s coordination center will see them and begin working on solutions immediately: for example, by asking Internet providers to filter out malicious traffic, or by trying to disable the operations of botnets. Novikov said that the FSB successfully disabled several botnet control centers during the 2014 Winter Olympics in Sochi.
The FSB is also instructing state officials to be more careful with their use of email. “One of the state corporations received several [suspicious] emails, and IT security staff forwarded them to us for study,” Novikov said this February at the Ural Information Security Forum. “We conducted a quick analysis and discovered a well-known advanced persistent threat (APT) family. We were also able to trace the emails’ origin. It turned out that these emails had reached another 10 enterprises, but we were able to thwart the attack.”
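The step Novikov describes, taking one forwarded phishing email, pulling out its indicators, and finding which other organizations received the same campaign, is routine incident-response work that a central coordination center is well placed to do. The Python below is an added example, not code from the article or from GosSOPKA, using only the standard library: it parses an RFC 5322 message, takes the originating relay IP from the earliest (bottom-most) Received header and the SHA-256 of each attachment, and searches a corpus of messages collected from other organizations for the same indicators. The organization names, IP addresses (RFC 5737 documentation ranges), sender address and attachment bytes are all constructed for the illustration.

```python
"""Correlate one reported phishing email against messages from other
organizations by origin relay IP and attachment hash.

Constructed example: the messages below are generated here, not real traffic.
"""
import hashlib
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_message(org: str, origin_ip: str, sender: str, attachment: bytes) -> str:
    """Construct a raw message as an organization's mail gateway might store it."""
    msg = EmailMessage()
    # Received headers: the newest hop is added first (top), the hop that
    # accepted the message from the outside relay is last (bottom).
    msg["Received"] = f"from mx.{org} ([10.0.0.5]) by mail.{org}; Mon, 6 Feb 2017 09:01:00 +0300"
    msg["Received"] = f"from smtp.example.net ([{origin_ip}]) by mx.{org}; Mon, 6 Feb 2017 09:00:58 +0300"
    msg["From"] = sender
    msg["To"] = f"accounting@{org}"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename="invoice.doc")
    return msg.as_string()


def extract_indicators(raw: str) -> dict:
    """Pull the indicators worth correlating on out of one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    origin_ip = None
    if received:
        # The last Received header was written by our own edge MX and names
        # the external relay that handed us the message.
        m = RECEIVED_IP.search(str(received[-1]))
        origin_ip = m.group(1) if m else None
    _, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower() if "@" in addr else None
    hashes = frozenset(
        hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        for part in msg.iter_attachments()
    )
    # sender_domain is kept for the analyst but is trivially spoofed, so
    # find_related() does not correlate on it.
    return {"origin_ip": origin_ip, "sender_domain": sender_domain,
            "attachment_sha256": hashes}


def find_related(reported_raw: str, corpus: dict) -> dict:
    """corpus maps organization -> list of raw messages.  Returns
    {organization: [reasons]} for every message sharing a strong indicator
    (origin relay or attachment hash) with the reported one."""
    ref = extract_indicators(reported_raw)
    hits = {}
    for org, messages in corpus.items():
        for raw in messages:
            ind = extract_indicators(raw)
            reasons = []
            if ref["origin_ip"] and ind["origin_ip"] == ref["origin_ip"]:
                reasons.append(f"same origin relay {ind['origin_ip']}")
            shared = ref["attachment_sha256"] & ind["attachment_sha256"]
            if shared:
                reasons.append("same attachment sha256 " + sorted(shared)[0][:12])
            if reasons:
                hits.setdefault(org, []).extend(reasons)
    return hits


# Constructed sample data (hypothetical organizations and documentation IPs).
PAYLOAD = b"%PDF-1.4 constructed lure document, harmless bytes\n"
ATTACKER_IP = "198.51.100.23"
LURE_SENDER = "billing@invoice-example.net"

REPORTED = build_message("corp-a.example", ATTACKER_IP, LURE_SENDER, PAYLOAD)
CORPUS = {
    # same relay and same lure: clearly the same campaign
    "corp-b.example": [build_message("corp-b.example", ATTACKER_IP, LURE_SENDER, PAYLOAD)],
    # unrelated internal newsletter
    "corp-c.example": [build_message("corp-c.example", "203.0.113.9",
                                     "hr@corp-c.example", b"legit newsletter")],
    # same lure sent through a different relay: caught by the hash only
    "corp-d.example": [build_message("corp-d.example", "203.0.113.77", LURE_SENDER, PAYLOAD)],
}

if __name__ == "__main__":
    for org, reasons in find_related(REPORTED, CORPUS).items():
        print(org, "->", "; ".join(reasons))
```

Two indicators are deliberately used because each fails alone: the relay IP changes when the attacker rotates infrastructure (corp-d above), and the attachment hash changes when the lure is re-built per target, as the 2016 FSB announcement above describes. In practice the corpus would be gateway logs or a mail archive rather than an in-memory dict, but the correlation logic is the same.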
In the near future, Russia will finally adopt new legislation on the cybersecurity of the country’s critical infrastructure, requiring all components in this network to share data with GosSOPKA. Last December, Prime Minister Dmitry Medvedev submitted the draft law to parliament. The bill not only calls for the creation of a special registry of computer systems serving Russia’s critical infrastructure, but also proposes a new criminal statute prohibiting cyberattacks on the nation’s critical infrastructure. The maximum punishment for these crimes would be 10 years in prison, and it would apply to both hackers and state officials who collude in such attacks or information leaks.
According to the FSB, which is overseeing the bill, terrorists and foreign intelligence agencies will be able to threaten Russia’s stability, if the legislation isn’t adopted soon. Russia has become “directly dependent on the security of its information-telecommunications network and information systems,” the FSB warns. “In a worst-case scenario, a computer attack could completely paralyze the state’s critical infrastructure, causing social, financial, and (or) ecological disaster,” the FSB writes in the legislation’s explanatory note. As examples of potential attacks, the agency cites Stuxnet and “the paralysis of several major financial institutions in South Korea in March 2013.”
FSB Deputy Director Dmitry Shalkov is in charge of shepherding the legislation through parliament and managing the protection of Russia’s critical infrastructure. In January 2017, he announced that Russian information resources had been attacked 70 million times in the preceding year (Vladimir Putin once cited the same figure, referring to attacks in 2015). “Russia’s infrastructure is constantly exposed to hacker attacks. In November 2016, there was a massive attack on the financial sector, targeting Sberbank, Alfa-Bank, the Bank of Moscow, and other institutions. Specialists from the FSB’s information security branch neutralized the threat, but the number of attacks on Russia’s national resources is steadily growing,” Shalkov said, presenting the legislation in the State Duma.
Lawmakers adopted the bill’s first reading on January 27, 2017, but a vote on the second draft has been postponed repeatedly. On June 23, FSB Director Alexander Bortnikov asked the Duma to speed things up, and two weeks later, on July 7, the legislation’s second reading passed, along with amendments to Russia’s law on state secrets, adding measures to ensure the cybersecurity of critical infrastructure. The bill’s third and final reading passed on July 12. If the Federation Council is able to vote on the bill before its summer holidays, it could enter force by January 1, 2018. Duma deputy Sergey proposed delaying the law’s implementation until 2019, but he was voted down due to the “pressing need to strengthen the state’s information security.”
In late May 2017, Group-IB and Rostec’s National Information Center launched a joint venture to protect the state from hackers. Group-IB would design protection systems, and Rostec’s center would certify these systems and communicate with state agencies. Vasily Brovko, the director of Rostec’s special projects division, attended the announcement ceremony for this joint project. (In 2015, according to Meduza’s sources, Brovko also participated in a test DDoS attack against the Ukrainian Defense Ministry’s website and the news site Slon.ru.)
“We want to protect the state, but this kind of work is a long and painstaking process full of certificates and accreditations,” Group-IB General Director Ilya Sachkov told Meduza. “Rostec will handle this, and it will integrate our products into large infrastructure projects. If you look at the data released by Wikileaks and Hacking Team, you can see that many of the vulnerabilities and methods they used to deliver their executable code originated with classic organized criminal groups — methods that only later made their way to the intelligence agencies. We know how to apply this knowledge to the defense of critical infrastructure.”
Sachkov says the joint venture with Rostec “effectively creates a Russian analogue to Palantir,” a multibillion-dollar American firm that’s known as one of Silicon Valley’s most secretive companies. In 2011, Palantir’s algorithms allegedly helped U.S. officials track down al-Qaeda leader Osama bin Laden. Without offering many details, Sachkov says Group-IB will specialize in big data analysis on national security issues. “The system can find interconnections, determine individuals’ real identities, and predict certain events, such as information leaks, by monitoring Internet domain registrations and new hyperlinks,” Sachkov says. “We’ll be able to learn about crimes in the making.”
In June, Russia’s largest Internet provider, Rostelecom, and Qrator Labs, a company that designs protection against DDoS attacks, also announced a new joint cybersecurity project.
The FSB’s captive hackers
Throughout Moscow, there are a handful of state research institutes where dozens of software specialists are developing and testing new cyber-defense systems. Meduza’s sources say this work is being carried out at the research centers “Kvant” and “Voskhod,” the “Atlas” Science and Practice Center, and at an FSB engineering lab. Russia’s Defense Ministry also monitors vulnerabilities in cyber-defense technology. According to an instructor at Tambov’s Joint Training Center for Electronic Warfare, “our guys’ main task is to study [cyberattack] methods and develop reliable defenses.”
In part, these institutes are charged with certifying foreign software before it’s transferred to any state agency. In one report, experts at “Echelon” noted that eavesdropping software was discovered in some programs in 2013. The report’s authors argued that the government could reduce this danger by reviewing the software’s source code at the certification stage.
A government cybersecurity expert told Meduza that such exercises make no sense. “The idea is that these evil Americans will stop sending us bugged equipment. The equipment is supposedly checked and resold [by state companies]. But this only drives up prices, and for no reason, because it’s impossible to test the imports really,” the source says. “And they resell the software without the packaged support, without the latest updates. Now we’ve got these computers behind locked doors, but they’re full of holes.”
“There are some very informed people working at these research institutes. We know as much from the story with ‘Kvant’ [which tried to buy “Remote Control System” malware for the FSB, in order to intercept certain communications]. Many of these institutes have acquired very expensive software officially for ‘penetration testing,’ but really it’s for launching hacks,” another source told Meduza. “There’s a graphical interface with a bunch of different exploits. These things are often bought for the FSB and can cost thousands of dollars a year, but the research institutes don’t seem to use them. Needed in order to understand what kinds of attacks could be next, they’re held for the intelligence agencies.”
The same source claims that many Russian programmers on the job market are invited to work at research institutes with connections to “the agency.” He says he responded and came in for an interview at one of these facilities, where it was hinted that zero-day vulnerabilities had been discovered in one of the most widely used computer programs.
Anton (whose name has been changed at his request) works mainly on computer virus analysis, periodically communicating with FSB agents. He says that the Center for Information Security (TsIB) has few technical staff, so it often has to consult outside experts. “There is a common procedure for attracting illegal hackers and creating conditions that allow them to work, in order to get needed information through them,” Anton told Meduza. He says that hackers often hide from police in safe houses. The programmer also says he knows of a few cases when the Interior Ministry’s cybercrimes unit detained people and FSB agents later arrived and took the suspects away, telling police, “This isn’t your jurisdiction.”
Some hackers accept full-time jobs in Russia’s law enforcement agencies. In 2004, a hacker called “Forb” claimed that he made his living off stolen credit cards and cyberattacks on U.S. government websites. In 2012, Forb was unmasked as Dmitry Dokuchayev, a hacker recruited by Russia’s intelligence community, where he went on to serve as a senior operative in the TsIB. American officials believe TsIB paid Dokuchayev and other hackers to attack Yahoo in 2014, which led to the theft of personal data from 500 million accounts. Today, Dokuchayev and former TsIB deputy director Sergey Mikhailov are locked up in jail on treason charges.
We also know about contacts between Russia’s intelligence agencies and hackers thanks to Ruslan Stoyanov, the former head of Kaspersky Lab’s investigations department. In this job, Stoyanov was almost constantly in touch with the FSB. In April 2017, Stoyanov said there is an “enormous temptation” for decision makers to utilize the work of Russian cyber-criminals for geopolitical influence. “The worst scenario would be to give cybercriminals immunity from retaliation for stealing money in foreign countries in exchange for intelligence. If this happens, a whole range of ‘patriot thieves’ will emerge. Semi-legal ‘patriot groups’ can far more openly funnel stolen assets into the creation of more sophisticated Trojans, and Russia would get highly advanced cyber-weaponry,” Stoyanov warned.
Sources told The New York Times that hacker Evgeniy Bogachev, “the most wanted cybercriminal in the world,” cooperates with Russia’s intelligence agencies. Sparing only Russia, Bogachev created a global network of infected computers, earning hundreds of millions of dollars by hacking everything from banks and Massachusetts police departments to a pest control service in North Carolina. U.S. officials told The New York Times that “the Russian authorities were looking over [Bogachev’s] shoulder, searching the same computers for files and emails,” as he was “draining bank accounts.” Russian officials were allegedly looking on infected American computers for classified information about the conflicts in Ukraine and Syria, often searching documents for the words “top secret” and “Department of Defense.”
“They say [Bogachev] lives like a king in Anapa and helps the FSB,” one cybersecurity expert told Meduza. “And why not? If I were an FSB agent, I’d be milking him, too, of course. He’s in Russia, and he’s got a ton of access. You can’t not use that, but you’ve got to remember that he’s a criminal.”
Russia’s “pretty little hacker girl”
There are several companies now designing protection tools for critical infrastructure: Positive Technologies, Kaspersky Lab, Group-IB, and others. “Informzashchita,” another of these groups, has been working for many years with the Russian government. During the Sochi Winter Olympics, for example, Informzashchita ensured the cybersecurity of transportation services. According to Forbes, the company inked 450 contracts with the government in just five years worth a total sum of 5 billion rubles ($85 million).
The founders of Informzashchita worked in the Russian military’s General Staff and in different military research institutes (including Kvant). In the late 1990s, they started providing their own defense systems to Russia’s Central Election Commission and Central Bank, and in the 2000s they released “Continent,” a network protection and data encryption tool that’s now used by many state agencies. Around this time, the company also created a department for penetration testing, where it would test a client’s systems before selling its products to that customer.
One of the people working at Informzashchita around this time was a young woman named Alisa Shevchenko. Years later, in December 2016, the U.S. Treasury would impose sanctions against Shevchenko’s company, “TsOR Security,” for supposedly interfering in America’s presidential election.
On Instagram, Shevchenko calls herself “another pretty little hacker girl.” An acquaintance described Shevchenko to Meduza as one of Russia’s most capable “pentesters,” saying she can crack almost any system in the world. (Meduza was unable to reach Shevchenko directly.) The source claims that Shevchenko works very hard and spends all her free time reading specialist literature. On her website, Shevchenko says she is currently “working mostly on vulnerabilities and exploits.” In the spring of 2014, while attending the annual “Positive Hack Days” computer security conference, Shevchenko won first place in a two-day Critical Infrastructure Attack contest, discovering several zero-day vulnerabilities in Indusoft Web Studio 7.1. She later said the protections in place were “trivial.”
Shevchenko launched her career as a computer-virus analyst at Kaspersky Lab. Afterwards, she started her own company, “Esage,” which specialized in analyzing different organizations’ cyber-defenses. The company got its business from “DialogueScience,” a provider of IT security services, products, and solutions that has contracts with Russia’s Federal Protective Service and Defense Ministry. Later, Esage was renamed “Digital Arms and Defense” (or “Zor Security”), and it started running penetration tests using phishing emails and malicious websites (the same methods that were used to hack American politicians and international sports officials).
Roughly 10 people worked with Shevchenko, all of whom she found on hacker forums. Together, according to Forbes, the team developed different hacking tools. U.S. officials believe Shevchenko’s company provided its research and development to Russia’s military intelligence service. “Woke up to tons of media inquiry about some kind of ‘0f**k’ list that I have never heard of. No coding today it seems,” Shevchenko tweeted, hours after the U.S. Treasury imposed sanctions against her company. Her acquaintance told Meduza that she’s left Russia. The Zor Security website, meanwhile, now loads nothing but a blank page.
The 50-million-dollar bug
In the summer of 2015, Russia’s Central Bank created “Fincert,” a center for monitoring and responding to computer incidents in the credit and financial sphere. Through Fincert, banks could share information about cyberattacks, analyze them, and get recommendations from Russia’s intelligence agencies about how to defend themselves. In June 2016, Sberbank estimated that the Russian economy lost roughly 600 billion rubles (almost $10.2 billion) to cybercrime, with 52 attacks on the country’s critical infrastructure in 2015 and 57 such attacks in just the first five months of 2016. Since then, the bank has operated a subsidiary company called “Bizon” that manages its information security.
According to the first report about Fincert’s work (between October 2015 and March 2016), there were 21 targeted attacks on the infrastructure of Russian banks, resulting in 12 separate criminal cases. Most of these attacks were the work of a single hacker group, codenamed “Lurk” in honor of the eponymous virus developed by its members. The virus allowed the group to steal money from different commercial enterprises and banks.
Police and cybersecurity experts started looking for Lurk’s members beginning in 2011. By 2016, the group had stolen roughly 3 billion rubles ($50.7 million) from Russian banks — a new hacking record.
The Lurk virus differed from any malware Russian investigators had confronted in the past. When the program was run in a laboratory, it didn’t do anything (hence the name “Lurk”). Later, however, it turned out that the malware was designed as a modular system: once on a victim’s machine, it gradually downloads additional blocks with various functions, from keystroke logging and password theft to the ability to stream video from the screen of an infected computer.
In order to spread the virus, the group hacked websites visited by bank employees: from news media websites (like RIA Novosti and Gazeta.ru) to accounting forums. The hackers exploited vulnerabilities in the websites’ advertising banners, using them to distribute their malware. On some sites, the hackers uploaded links to their virus only briefly. On the forum of an accounting magazine, for instance, one malicious hyperlink was live only for a couple of hours around lunchtime on weekdays, and even this was enough to find a few suitable victims.
Internet users who clicked on one of these infected ad banners were redirected to a malicious Web page that infected their computers and allowed Lurk to begin collecting their information. The hackers were mainly interested in remote banking software, changing invoice numbers in bank transfer orders and making unauthorized payments to the accounts of companies associated with the hacker group. According to Sergey Golovanov, an analyst at Kaspersky Lab, groups operating this way typically use fly-by-night companies that “don’t care what they’re transferring or cashing.” These companies cash the money, load it into bags, and leave it in hiding spots at public parks, where the hackers later collect it.
The group’s members carefully concealed their actions, encrypting all their daily communications and registering their domains under false names. “The hackers use triple VPN chains, ‘Tor,’ and secret chats, but the problem is that even a finely tuned machine will fail,” Golovanov explains. “A VPN chain fails, or a secret chat turns out to be not so secret, and then instead of calling over Telegram somebody makes an ordinary phone call. It’s the human factor. And when you’ve accumulated a database with years of information, all you’ve got to do is look for these accidents. After that, law enforcement can turn to the Internet providers to learn who accessed what IP address at a certain time. And then you build the case.”
Footage from the capture of the Lurk hackers looks like an action movie. Officials from Russia’s Emergency Management Agency cut the locks on several homes and apartments in different parts of Yekaterinburg, and FSB agents stormed inside, tackling the hackers and wrestling them to the floor. The suspects’ homes were searched and they were thrown into police vans, driven to an air strip, and flown to Moscow.
In garages owned by the hackers, FSB agents found luxury cars — Audis, Cadillacs, and Mercedes — and watches encrusted with 272 diamonds. Agents also confiscated jewels worth an estimated 12 million rubles ($203,000) and several weapons. Altogether, police carried out about 80 separate raids in 15 different regions, detaining roughly 50 people.
The men arrested were mainly the group’s technical experts. Ruslan Stoyanov, who was involved in the investigation of Lurk’s crimes while working at Kaspersky Lab, says the group’s leaders recruited many of these people on ordinary job-search websites, advertising remote work. The job postings failed to mention that the work would be illegal, and Lurk offered salaries well above market levels, allowing staff to work from home. “Every morning, except on weekends, different people would sit down at their computers in places all across Russia and Ukraine and get to work,” Stoyanov said. “Programmers tweaked the latest version [of the virus], the testers checked it, and the person responsible for the botnet loaded everything to the command server, after which it automatically updated on the bot-computers.”
The hackers and their lawyers are currently studying the case materials, which include about 600 volumes. The trial is scheduled to begin in the fall. One lawyer for the hackers, who asked not to be named, has said that none of the suspects will accept a deal from prosecutors, though some are prepared to confess to part of the charges. “Our clients did work on the development of various parts of the Lurk virus, but many were simply unaware that it was a Trojan program,” the lawyer explained. “Someone was writing part of the algorithms that could have worked just as well in a [legitimate] search engine.”
Investigators from the estate
There is a special cybercrimes division in the Russian Interior Ministry known as “Department K.” It’s here that programmers cook up special analytical programs designed to unmask hacker groups like Lurk. Examining old IP addresses, server data, and information about hackers from similar cases, the programs identify connections that investigators can miss.
Police officers in Department K work out of the inconspicuous Kiryakov estate on Petrovka street in Moscow, opposite the Vysokopetrovsky Monastery and two minutes from a nightclub that caters to the LGBT community. Department K has occupied the estate (which in the past has belonged to antique collectors, Prince Mikhail Obolensky, a primary care physician, and even a dental school) since the late 1990s, when Russia’s Interior Ministry decided to create a special cybercrimes unit. “There were carders [credit card fraudsters] back then, and even then it was clear that one of our main tasks would be fighting the spread of child pornography,” the department’s deputy director, Alexander Vurasko, told Meduza.
These officers rarely go to work dressed in police uniforms; they’re more likely to be wearing jeans, an untucked shirt, and maybe an Apple Watch. Visitors to the building are issued a handwritten pass at the entrance. In the hallway on the second floor, there’s a glass cabinet containing different gifts, including a porcelain Gzhel vase bestowed by the Foreign Intelligence Service. Next to it, there’s a small batch of baranka bread rings.
The police in Department K go after the most sophisticated cybercriminals in Russia, investigating hackers that work in well-hidden, well-organized groups. There are several dozen employees, and it’s not an easy job to get: applicants are required to have experience in police work, law, and information technology. Finding such candidates can be difficult. Some people are recruited from the Interior Ministry’s Moscow university or the Bauman University, but even these individuals inevitably need to be retrained.
The department’s officers gather in their units for quick meetings every morning, and the management holds a department-wide assembly every Friday. Many staff members start their day at 5 a.m., when the police like to mount raids and detain suspects.
Not everyone in the department is based at the Kiryakov estate, however. There are also special staff operating at another location, examining confiscated data drives and other equipment in a special sterilized “clean room.”
“In 1999, you could call yourself an all-around programmer,” Vurasko says. “Now everything is very narrowly specialized. There are situations when we can’t figure something out on our own, and it doesn’t make sense to maintain staff who decompile malware when we can just turn to those who make a living in this field, like Group-IB, Kaspersky Lab, or Positive Technologies. They can get publicity [for the work], but only we or the FSB can finally close these cases by bringing the criminals to justice.”
Vurasko says many Russian police officers to this day don’t understand the very basics of computer security. They don’t know what an IP address is, or where to send requests for police intelligence. Department K often holds seminars for investigators and judges to teach them about the technical aspects of cybercrime cases.
In recent years, Department K has investigated several cases similar to the one against Lurk. This is long and grueling work, as the police always try to identify all members in a hacker group, in order to prosecute them as an organized criminal group. Otherwise, practice shows that the suspects will likely get off with suspended sentences.
“To communicate with each other, the hackers in these groups usually use Jabber servers and all the main instant messengers. The groups’ organizers discuss all vital matters on secure channels,” Vurasko explained, describing the case against Lurk.
Asked if that means the police weren’t able to access Lurk’s communications, Vurasko smiled and said, “Allow me not to answer that question.”
The Stoyanov case
On December 4, 2016, a few months after he’d helped investigators on the Lurk case as the head of Kaspersky Lab’s investigations department, Ruslan Stoyanov set out for the airport in Moscow to board a plane to China for a business trip. After picking up his ticket, he texted his wife, letting her know that he’d checked in for his flight. Stoyanov never reached his destination, however. The next day, the clients in China informed Kaspersky Lab that their man was a no-show.
Ruslan Stoyanov has spent many years working in cybersecurity. In the early 2000s, he served as a police major in Department K. Subsequently, he worked in the IT security office at RTComm.ru (a Rostelecom subsidiary that later provided communication services to the FSB’s Center for Information Security in 2016). Afterwards, he founded his own company to conduct independent cybersecurity investigations, and Kaspersky Lab acquired his firm in 2012. According to Evgeny Kaspersky, Stoyanov “worked very closely with the FSB’s Center for Information Security.”
A few days after Stoyanov’s disappearance, Kaspersky Lab revealed that he had been detained by FSB agents and was now being held at Lefortovo Prison — a detention center usually reserved for criminals deemed to pose a national security threat. In January 2017, the public learned that Stoyanov faces state treason charges alongside several managers of the FSB’s Center for Information Security (TsIB), including Sergey Mikhailov, who supervised the agency’s entire cybercrimes division. There are no reliable public details about the case against Stoyanov and Mikhailov. According to an anonymous source reportedly involved in the investigation, the suspects are charged with “receiving money from a foreign organization.”
Kaspersky Lab’s office in Moscow is situated on the bank of the Khimki reservoir, not far from the “Vodny Stadion” subway station. The company acquired these three large new buildings in 2013 for $350 million. Behind the buildings, there are two soccer fields and a few small paths that lead to the waterfront, along which the company’s employees like to take walks and discuss work. In the summers, women’s volleyball tournaments are held nearby. During lunch hours, office workers in the area buy cups of coffee and sit in the stands.
On May 12, 2017, the day the “WannaCry” virus suddenly spread across the world, Kaspersky Lab’s building emptied quickly. Even staff members who normally don’t leave the office were out on assignment, meeting with clients battling the new ransomware. One Kaspersky Lab employee told Meduza that staff making these visits usually take with them “special suitcases” packed with all kinds of dongles, cables, and “clean” hard disks, as well as a handful of energy bars and a thermos of coffee.