Russia Is Losing a War Against Hackers Stealing Huge Amounts of Data

Russia is known for its army of hackers, but since the start of its invasion of Ukraine, dozens of Russian organizations — including government agencies, oil and gas companies, and financial institutions — have been hacked, with terabytes of stolen data leaked onto the internet.

Distributed Denial of Secrets, the transparency collective that’s best known for its 2020 release of 270 gigabytes of U.S. law enforcement data (in the midst of racial justice protests following the murder of George Floyd), has become the de facto home of the hacked datasets from Russia. The datasets are submitted to DDoSecrets mostly by anonymous hackers, and those datasets are then made available to the public on the collective’s website and distributed using BitTorrent. (I am an adviser to DDoSecrets).

“The flood of Russian data has meant a lot of sleepless nights, and it’s truly overwhelming,” Emma Best, co-founder of DDoSecrets, told The Intercept via an encrypted messaging app. “In its first 10 years, WikiLeaks claimed to publish 10 million documents. In the less than two months since the invasion began, we’ve published over 6 million Russian documents — and it absolutely feels like it.”

After receiving a dataset, DDoSecrets organizes and compresses the data; it then starts distributing the data using BitTorrent for public consumption, publicizes it, and helps journalists at a wide range of newsrooms access and report on it. DDoSecrets has published about 30 hacked datasets from Russia since its invasion of Ukraine began in late February.

The vast majority of sources who provided the hacked Russian data appear to be anonymous individuals, many self-identifying as part of the Anonymous hacktivist movement. Some sources provide email addresses or other contact information as part of the dumped data, and some, like Network Battalion 65, have their own social media presence.

Still, with so many datasets submitted by anonymous hackers, it’s impossible to be certain about their motives or if they’re even truly hacktivists. For instance, in 2016 hackers compromised the network of the Democratic National Committee and leaked stolen emails to WikiLeaks in an attempt to hurt Hillary Clinton’s presidential campaign. Guccifer 2.0, the hacker persona responsible, claimed to be a lone actor but was later revealed to be an invention of the GRU, Russia’s military intelligence agency.

For this reason, the recent Russian datasets published by DDoSecrets include a disclaimer: “This dataset was released in the buildup to, in the midst of, or in the aftermath of a cyberwar or hybrid war. Therefore, there is an increased chance of malware, ulterior motives and altered or implanted data, or false flags/fake personas. As a result, we encourage readers, researchers and journalists to take additional care with the data.”

Hacks Begin in February

On February 26, two days after Russia’s invasion started, DDoSecrets published 200 gigabytes of emails from the Belarus weapons manufacturer Tetraedr, submitted by the hacktivist persona Anonymous Liberland and the Pwn-Bär Hack Team. Belarus is a close ally to Russia in its war against Ukraine. A message published with the dataset announced “#OpCyberBullyPutin.”

On February 25, the notorious Russian ransomware gang known as Conti publicly expressed its support for Russia’s war, and two days later, on February 27, an anonymous Ukrainian security researcher who had hacked Conti’s internal infrastructure leaked two years of Conti chat logs, along with training documentation, hacking tools, and source code from the criminal hackers. “I cannot shoot anything, but I can fight with a keyboard and mouse,” the anonymous researcher told CNN on March 30 before he safely slipped out of Ukraine.

In early March, DDoSecrets published 817 gigabytes of hacked data from Roskomnadzor, the Russian federal agency responsible for monitoring, controlling, and censoring Russian mass media. This data specifically came from the regional branch of the agency in the Republic of Bashkortostan. The Intercept made this dataset searchable and shared access with independent Russian journalists from Meduza who reported that Roskomnadzor had been monitoring the internet for “antimilitarism” since at least 2020. In early March, Roskomnadzor began censoring access to Meduza from inside Russia “due to systematic spread of fakes about the special operation in Ukraine,” a spokesperson for the agency told the Russian news site RIA Novosti.

The hacks continued. In mid-March, DDoSecrets published 79 gigabytes of emails from the Omega Co., the research and development wing of the world’s largest oil pipeline company, Transneft, which is state-controlled in Russia. In the second half of March, hacktivism against Russia began to heat up. DDoSecrets published an additional five datasets:

• 5.9 gigabytes of emails from Thozis Corp., a Russian investment firm owned by billionaire oligarch Zakhar Smushkin.
• 110 gigabytes of emails from MashOil, a Russian firm that designs and manufactures equipment for the drilling, mining, and fracking industries.
• 22.5 gigabytes of data allegedly from the central bank of Russia. The source for this data is the persona The Black Rabbit World on Twitter.
• 2.5 gigabytes of emails from RostProekt, a Russian construction firm. The source for this data is the persona @DepaixPorteur on Twitter.
• 15.3 gigabytes of data from Rosatom State Nuclear Energy Corp., Russia’s state-run company that specializes in nuclear energy and makes up 20 percent of the country’s domestic electricity production. It’s also one of the world’s largest exporters of nuclear technology products. The source for this data included an email address hosted at the free encrypted email provider ProtonMail.

On the last day of March, the transparency collective also published 51.9 gigabytes of emails from the Marathon Group, an investment firm owned by sanctioned Russian oligarch Alexander Vinokurov.

April Is Cruel to Orthodox Church

On the first day of April, DDoSecrets published 15 gigabytes of emails from the charity wing of the Russian Orthodox Church. Because the emails might include sensitive and private information from individuals, DDoSecrets isn’t distributing this data to the public. Instead, journalists and researchers can contact DDoSecrets to request a copy of it.

On April 3, DDoSecrets published 483 gigabytes of emails and documents from Mosekspertiza, a state-owned corporation that provides expert services to the business community in Russia. On April 4, DDoSecrets published 786 gigabytes of documents and emails from the All-Russia State Television and Radio Broadcasting Co., referred to with the English acronym VGTRK. VGTRK is Russia’s state-owned broadcaster; it operates dozens of television and radio stations across Russia, including regional, national, and international stations in several languages. Former employees of VGTRK told the digital publication Colta.ru that the Kremlin frequently dictated how the news should be covered. Network Battalion 65 is the source for both the VGTRK and Mosekspertiza hacks.

Russia’s legal sector also got hacked. On April 8, DDoSecrets published 65 gigabytes of emails from the law firm Capital Legal Services. The persona wh1t3sh4d0w submitted the data to the transparency collective.

In the following days, DDoSecrets published three more datasets:

• 244 gigabytes of emails from Petrovsky Fort, an office building complex in St. Petersburg.
• 154 gigabytes of emails from Aerogas, an engineering company that works in the oil and gas industries.
• 35.7 gigabytes of emails from a Russian logging and wood manufacturing company called Forest.

By April 11, DDoSecrets had published another three datasets:

• 446 gigabytes of emails from the Ministry of Culture of the Russian Federation. This government agency is responsible for state policy regarding art, film, copyright, cultural heritage, and in some cases censorship.
• 150 gigabytes of emails from the city administration of Blagoveshchensk. This is in the same region of Russia that the Roskomnadzor dataset was hacked from.
• 116 gigabytes of emails from the governor’s office of Tver Oblast, a region of Russia northwest of Moscow.

In mid-April, DDoSecrets published several datasets from the oil and gas industries:

• 440 gigabytes of emails from Technotec, a group of companies that develops chemical reagents for and provides services to oil and gas companies.
• 728 gigabytes of emails from Gazprom Linde Engineering, a firm that designs gas and petrochemical processing facilities and oil refineries. This company was a joint venture between the state-owned Russian gas company Gazprom — the largest corporation in Russia — and the German company Linde. In late March, in response to economic sanctions against Russia, Linde announced that it was suspending its Russian business ventures.
• 222 gigabytes of data from Gazregion, a construction company that specializes in building gas pipelines and facilities. Three different sources — Network Battalion 65, @DepaixPorteur, and another anonymous hacker — hacked this company at roughly the same time and submitted data to DDoSecrets, which published all three overlapping datasets to “provide as complete a picture as possible, and to provide an opportunity for comparison and cross-checking.”

On April 16, DDoSecrets published two more datasets:

• 221 gigabytes of emails from the education department of the Russian city of Strezhevoy.
• 399 gigabytes of data from Continent Express, a Russian travel agency. This data was hacked by Network Battalion 65.

Just during the last week, DDoSecrets published these datasets:

• 107 gigabytes of emails from Neocom Geoservice, an engineering company that focuses on oil, gas, and drilling.
• 1.2 gigabytes of data from the Belarusian firm Synesis, which develops surveillance systems.
• 9.5 gigabytes of emails from the General Department of Troops and Civil Construction, a construction company owned by the Russian Ministry of Defense. This was hacked by @DepaixPorteur.
• 160 gigabytes of emails from Tendertech, a firm that processes financial and banking documents on behalf of businesses.
• 130 gigabytes of emails from Worldwide Invest, a Russian investment firm.
• 432 gigabytes of emails from the Russian property management firm Sawatzky. Its clients include major brands like Google, Microsoft, Samsung, and Johnson & Johnson
• 221 gigabytes of emails from Accent Capital, a Russian commercial real estate investment firm.

Earlier today, DDoSecrets published 342 gigabytes of emails from Enerpred, the largest producer of hydraulic tools in Russia that works in the energy, petrochemical, coal, gas and construction industries.

Researching the Hacked Data

Despite the massive scale of these Russian data leaks, very few journalists have reported on them so far. Since the war began, Russia has severely clamped down on its domestic media, introducing penalties of years in prison for journalists who use the wrong words when describing the war in Ukraine — like calling it a “war” instead of a “special military operation.” Russia has also ramped up its censorship efforts, blocking Twitter and Facebook and censoring access to international news sites, leaving the Russian public largely in the dark when it comes to views that aren’t sanctioned by the state.

One of the barriers for non-Russian news organizations is language: The hacked data is principally in Russian. Additionally, hacked datasets always come with considerable technical challenges. The Intercept, which was founded in part to report on the archive of National Security Agency documents leaked by Edward Snowden, has been using our technical resources to build out tools to make these Russian datasets searchable and then sharing access to these tools with other journalists. Russian-speaking journalists from Meduza — which is forced to operate in Latvia to avoid the Kremlin’s reach — have already published a story based on one of the datasets indexed by The Intercept.