Russia is known for its army of hackers, but since the start of its invasion of Ukraine, dozens of Russian organizations — including government agencies, oil and gas companies, and financial institutions — have been hacked, with terabytes of stolen data leaked onto the internet.
Distributed Denial of Secrets, the transparency collective that’s best known for its 2020 release of 270 gigabytes of U.S. law enforcement data (in the midst of racial justice protests following the murder of George Floyd), has become the de facto home of the hacked datasets from Russia. The datasets are submitted to DDoSecrets mostly by anonymous hackers, and those datasets are then made available to the public on the collective’s website and distributed using BitTorrent. (I am an adviser to DDoSecrets).
“The flood of Russian data has meant a lot of sleepless nights, and it’s truly overwhelming,” Emma Best, co-founder of DDoSecrets, told The Intercept via an encrypted messaging app. “In its first 10 years, WikiLeaks claimed to publish 10 million documents. In the less than two months since the invasion began, we’ve published over 6 million Russian documents — and it absolutely feels like it.”
After receiving a dataset, DDoSecrets organizes and compresses the data; it then starts distributing the data using BitTorrent for public consumption, publicizes it, and helps journalists at a wide range of newsrooms access and report on it. DDoSecrets has published about 30 hacked datasets from Russia since its invasion of Ukraine began in late February.
The vast majority of sources who provided the hacked Russian data appear to be anonymous individuals, many self-identifying as part of the Anonymous hacktivist movement. Some sources provide email addresses or other contact information as part of the dumped data, and some, like Network Battalion 65, have their own social media presence.
JSC Bank PSCB, you are now controlled by Network Battalion 65. We're very thankful that you store so many credentials in Chrome. Well done.
It's obvious that incident response has started. Good luck getting your data back without us.
Tell your government to GTFO of #Ukraine pic.twitter.com/1HYikMU99N
— NB65 (@xxNB65) April 18, 2022
Still, with so many datasets submitted by anonymous hackers, it’s impossible to be certain about their motives or if they’re even truly hacktivists. For instance, in 2016 hackers compromised the network of the Democratic National Committee and leaked stolen emails to WikiLeaks in an attempt to hurt Hillary Clinton’s presidential campaign. Guccifer 2.0, the hacker persona responsible, claimed to be a lone actor but was later revealed to be an invention of the GRU, Russia’s military intelligence agency.
For this reason, the recent Russian datasets published by DDoSecrets include a disclaimer: “This dataset was released in the buildup to, in the midst of, or in the aftermath of a cyberwar or hybrid war. Therefore, there is an increased chance of malware, ulterior motives and altered or implanted data, or false flags/fake personas. As a result, we encourage readers, researchers and journalists to take additional care with the data.”
On February 26, two days after Russia’s invasion started, DDoSecrets published 200 gigabytes of emails from the Belarusian weapons manufacturer Tetraedr, submitted by the hacktivist persona Anonymous Liberland and the Pwn-Bär Hack Team. Belarus is a close ally of Russia in its war against Ukraine. A message published with the dataset announced “#OpCyberBullyPutin.”
The contents of this leak do appear to be legitimate.
Emails from the inboxes of employees at the Belarusian weapons manufacturer Tetraedr.
Have seen missile testing footage, PDF schematics for weapons systems, and detailed brochures for armored vehicles. https://t.co/wGTa9ilFyE
— Mikael Thalen (@MikaelThalen) February 26, 2022
On February 25, the notorious Russian ransomware gang known as Conti publicly expressed its support for Russia’s war, and two days later, on February 27, an anonymous Ukrainian security researcher who had hacked Conti’s internal infrastructure leaked two years of Conti chat logs, along with training documentation, hacking tools, and source code from the criminal hackers. “I cannot shoot anything, but I can fight with a keyboard and mouse,” the anonymous researcher told CNN on March 30 before he safely slipped out of Ukraine.
In early March, DDoSecrets published 817 gigabytes of hacked data from Roskomnadzor, the Russian federal agency responsible for monitoring, controlling, and censoring Russian mass media. This data specifically came from the regional branch of the agency in the Republic of Bashkortostan. The Intercept made this dataset searchable and shared access with independent Russian journalists from Meduza who reported that Roskomnadzor had been monitoring the internet for “antimilitarism” since at least 2020. In early March, Roskomnadzor began censoring access to Meduza from inside Russia “due to systematic spread of fakes about the special operation in Ukraine,” a spokesperson for the agency told the Russian news site RIA Novosti.
The hacks continued. In mid-March, DDoSecrets published 79 gigabytes of emails from the Omega Co., the research and development wing of Transneft, the Russian state-controlled company that is the world’s largest oil pipeline operator. In the second half of March, hacktivism against Russia began to heat up, and DDoSecrets published an additional five datasets:
On the last day of March, the transparency collective also published 51.9 gigabytes of emails from the Marathon Group, an investment firm owned by sanctioned Russian oligarch Alexander Vinokurov.
On the first day of April, DDoSecrets published 15 gigabytes of emails from the charity wing of the Russian Orthodox Church. Because the emails might include sensitive and private information from individuals, DDoSecrets isn’t distributing this data to the public. Instead, journalists and researchers can contact DDoSecrets to request a copy of it.
On April 3, DDoSecrets published 483 gigabytes of emails and documents from Mosekspertiza, a state-owned corporation that provides expert services to the business community in Russia. On April 4, DDoSecrets published 786 gigabytes of documents and emails from the All-Russia State Television and Radio Broadcasting Co., referred to with the English acronym VGTRK. VGTRK is Russia’s state-owned broadcaster; it operates dozens of television and radio stations across Russia, including regional, national, and international stations in several languages. Former employees of VGTRK told the digital publication Colta.ru that the Kremlin frequently dictated how the news should be covered. Network Battalion 65 is the source for both the VGTRK and Mosekspertiza hacks.
The All-Russian State Television and Radio Broadcasting Company (VGTRK), propaganda branch of the Russian Federation can fuck themselves. @Telecomix is going to have some fun parsing through this. #datalove @YourAnonNews @ITarmyUA Glory to Ukraine! Full dump will be ready soon. pic.twitter.com/3foAOAYBDv— NB65 (@xxNB65) March 25, 2022
Russia’s legal sector also got hacked. On April 8, DDoSecrets published 65 gigabytes of emails from the law firm Capital Legal Services. The persona wh1t3sh4d0w submitted the data to the transparency collective.
In the following days, DDoSecrets published three more datasets:
By April 11, DDoSecrets had published another three datasets:
In mid-April, DDoSecrets published several datasets from the oil and gas industries:
On April 16, DDoSecrets published two more datasets:
Just during the last week, DDoSecrets published these datasets:
Earlier today, DDoSecrets published 342 gigabytes of emails from Enerpred, Russia’s largest producer of hydraulic tools, which works in the energy, petrochemical, coal, gas, and construction industries.
Despite the massive scale of these Russian data leaks, very few journalists have reported on them so far. Since the war began, Russia has severely clamped down on its domestic media, introducing penalties of years in prison for journalists who use the wrong words when describing the war in Ukraine — like calling it a “war” instead of a “special military operation.” Russia has also ramped up its censorship efforts, blocking Twitter and Facebook and censoring access to international news sites, leaving the Russian public largely in the dark when it comes to views that aren’t sanctioned by the state.
One of the barriers for non-Russian news organizations is language: The hacked data is principally in Russian. Additionally, hacked datasets always come with considerable technical challenges. The Intercept, which was founded in part to report on the archive of National Security Agency documents leaked by Edward Snowden, has been using our technical resources to build out tools to make these Russian datasets searchable and then sharing access to these tools with other journalists. Russian-speaking journalists from Meduza — which is forced to operate in Latvia to avoid the Kremlin’s reach — have already published a story based on one of the datasets indexed by The Intercept.
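The search tooling described above is not public, and the sketch below is an added example rather than The Intercept’s or DDoSecrets’ own code. It shows the two things a newsroom needs before reporters touch a dump like these: a keyword index over the messages (Unicode-aware, so Cyrillic terms index the same way as English ones), and, because of the malware and altered-data warning DDoSecrets attaches to these releases, a per-message SHA-256 digest for citing unchanged bytes and a flag on attachments that should only be opened in a sandbox. It assumes the dataset has already been unpacked into individual RFC 5322 messages; the three messages, the addresses and the extension blocklist are constructed for the example and are not from any real leak.

```python
"""Keyword index plus hazard flags for a directory of leaked e-mail messages.

Added example, not The Intercept's or DDoSecrets' tooling. Sample messages,
addresses and the extension blocklist are constructed for the example.
"""
import email
import email.policy
import hashlib
import re
from collections import defaultdict
from email.message import EmailMessage
from typing import Dict, List, Set

# Attachment types that should not be opened outside a sandbox. This list is
# an assumption for the example, not a complete blocklist.
RISKY_EXTENSIONS = {".exe", ".scr", ".dll", ".js", ".vbs", ".hta", ".lnk",
                    ".bat", ".cmd", ".ps1", ".jar", ".docm", ".xlsm", ".pptm"}
RISKY_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/java-archive"}

WORD_RE = re.compile(r"\w+")  # \w matches Cyrillic as well as Latin letters


def _sample_message(sender, subject, body, attachment=None) -> bytes:
    """Build one constructed message as raw bytes (sample data only)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "archive@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, mime, payload = attachment
        maintype, subtype = mime.split("/", 1)
        msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                           filename=name)
    return msg.as_bytes()


# Constructed dump, kept in memory so the example runs offline. On a real
# dataset this would be {path.name: path.read_bytes()} over a tree of .eml files.
SAMPLE_DUMP = {
    "msg-001.eml": _sample_message(
        "ivanov@example.test", "Отчёт по трубопроводу",
        "Схемы трубопровода прилагаются. Pipeline schematics attached.",
        ("schematics.pdf", "application/pdf", b"%PDF-1.4 constructed")),
    "msg-002.eml": _sample_message(
        "petrov@example.test", "Invoice",
        "Please review the attached invoice before Friday.",
        ("invoice.exe", "application/x-msdownload", b"MZ constructed")),
    "msg-003.eml": _sample_message(
        "sidorov@example.test", "Антимилитаризм мониторинг",
        "Список ресурсов для мониторинга по теме антимилитаризм."),
}


class LeakIndex:
    """Inverted index over subject and body text, plus per-message metadata."""

    def __init__(self) -> None:
        self.postings: Dict[str, Set[str]] = defaultdict(set)
        self.meta: Dict[str, dict] = {}

    def add(self, msg_id: str, raw: bytes) -> dict:
        msg = email.message_from_bytes(raw, policy=email.policy.default)
        body_part = msg.get_body(preferencelist=("plain", "html"))
        body = body_part.get_content() if body_part else ""
        risky = []
        for part in msg.iter_attachments():
            name = (part.get_filename() or "").lower()
            ctype = part.get_content_type()
            if any(name.endswith(ext) for ext in RISKY_EXTENSIONS) \
                    or ctype in RISKY_MIME_TYPES:
                risky.append(name or ctype)
        record = {
            "from": str(msg.get("From", "")),
            "subject": str(msg.get("Subject", "")),
            "sha256": hashlib.sha256(raw).hexdigest(),  # digest of the raw bytes as received
            "risky_attachments": risky,
        }
        self.meta[msg_id] = record
        for token in WORD_RE.findall(f"{record['subject']} {body}".lower()):
            self.postings[token].add(msg_id)
        return record

    def search(self, query: str) -> List[str]:
        """AND-search: message ids containing every term in the query."""
        terms = WORD_RE.findall(query.lower())
        if not terms:
            return []
        hits = set(self.postings.get(terms[0], ()))
        for term in terms[1:]:
            hits &= self.postings.get(term, set())
        return sorted(hits)


def build_index(dump: Dict[str, bytes]) -> LeakIndex:
    idx = LeakIndex()
    for msg_id, raw in dump.items():
        idx.add(msg_id, raw)
    return idx


def flagged_messages(idx: LeakIndex) -> List[str]:
    """Ids of messages carrying attachments that must be sandboxed first."""
    return sorted(m for m, r in idx.meta.items() if r["risky_attachments"])


if __name__ == "__main__":
    index = build_index(SAMPLE_DUMP)
    for hit in index.search("pipeline"):
        rec = index.meta[hit]
        print(hit, rec["subject"], rec["sha256"][:12])
    print("quarantine before opening:", flagged_messages(index))
```

Swapping the in-memory dump for `Path.read_bytes()` over a directory of `.eml` files is the only change needed to run this over a real release; the digests are what a reporter cites so that a later claim of altered or implanted data can be checked against the bytes originally distributed.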
It's going to take YEARS for journalists, researchers and the general public to go through all the Russian data that's being leaked in response to the invasion of Ukraine — Emma Best (@NatSecGeek) March 25, 2022