The Kremlin and the hackers: partners in crime?
4th December 2011, the date of the Russian parliamentary election, was a difficult day for the system administrators of many liberal internet sites. DDoS (distributed denial of service) attacks shut down access to the websites of the radio station ‘Ekho Moskvy’ [‘Echo of Moscow’], the ‘New Times’ and ‘Bolshoi Gorod’ [‘The Big City’] magazines, the election monitoring organisation ‘Golos’ and the business news and blogging site Slon.Ru. Our own site, ‘Agentura.Ru’, was also one of the sites attacked.
‘The attack began at about 7.30 on Sunday morning’, Vadim Petrov, Slon.Ru’s technical manager, told us, ‘but it was about nine o’clock before we reacted to it. At first we tried to solve the problem ourselves, by getting our hosting provider to cut off foreign internet addresses trying to access the site. This fixed the problem for a short time, but then the volume of traffic increased and there was a change in the behaviour of the bots, and the server went down again. We spent about an hour matching our site with the “Qrator” protection system, and then we switched to their servers.’
After Slon.Ru, ‘Bolshoi Gorod’, the ‘Dozhd’ TV channel, ‘Ekho Moskvy’, and ‘Golos’ all switched to Qrator’s servers. According to the report by Highloadlab, owners of the service, the active attack phase continued into the evening of 4th December. Slon.Ru alone was bombarded by 200,000 to 250,000 bots, mostly from India and Pakistan. In other words, someone used a botnet, a network of ‘zombie’ computers, to send a high volume of fake requests to the targeted sites with the aim of producing a server overload, which would then cause the site to crash.
By the next day, the active phase of most of the attacks was over, although in certain cases (that of ‘Ekho Moskvy’, for example) it switched to a ‘state of anticipation’: about 100 bots kept sending ‘difficult’ requests to the server, waiting to catch the moment when the site would start to fail and possibly drop out of its protected state.
It took two months for things to return to normal. ‘The DDoS attack finally stopped about the end of January,’ Vadim Petrov explained. ‘Incoming traffic fell gradually from 200 megabits to 20-25 by the end of the attack. Our normal volume of traffic is 1-5 megabits.’
It looked as though everyone’s worst fears had been confirmed: that the Kremlin would be able to use the hacker community to organise attacks on independent media sites and the opposition, not to mention the web resources of countries considered unfriendly by Moscow. These fears seemed to have been well-founded. Hackers who had grown up in post-Soviet Russia had earned a reputation as being among the most active and dangerous cybercriminals in the world. At the same time Russian technical universities, the main suppliers of computer programmers, hackers included, had become a base for ‘patriotically’ minded young people. Many budding Russian IT specialists were angry at the changes of the 1990s, which brought with them, among other things, cutbacks in the defence industry – the main employer of the Soviet technical intelligentsia.
It is also worth remembering that in the Cold War years Soviet intelligence agencies were on a more or less equal footing with the two most powerful centres of electronic intelligence gathering in the world, the USA’s National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ).
Analysts warned that this combination of factors looked pretty worrying, and cited the example of China. In the words of the eminent cyber security expert Mikko Hypponen, ‘Hackers in the post-Soviet space are pretty patriotically minded, and this is even more true of Chinese patriotic hackers, who are happy to attack the West if they think it will help their country.’
Early cyber crime
In February 2002 students from Tomsk University conducted a cyber attack on the ‘Kavkaz-tsentr’ site, which supported the Chechen rebels, and the local FSB refused to prosecute them, calling the attack ‘an expression of a civil position that is worthy of respect’.
In 2007 foreign government sites were subjected to attacks for the first time. Estonia had angered the Kremlin by removing the so-called Monument to the Liberators of Tallinn, which featured a bronze soldier in Red Army uniform, from the centre of the city. On 27th April Russian hackers carried out a series of attacks on Estonian governmental, parliamentary, ministerial, newspaper, TV and radio sites. The Estonian Minister of Foreign Affairs, Urmas Paet, accused the Kremlin of being behind the attacks; Russia denied any involvement in the affair, and Estonia requested and received NATO help with countermeasures to this new form of aggression. Estonia was unable to present any proof of the Russian authorities’ complicity; however, in March 2009 Konstantin Goloskokov, a ‘commissar’ in the pro-Kremlin youth movement ‘Nashi’, admitted responsibility for the attack in an interview with the Financial Times. ‘I would not call it a cyber attack,’ he said, ‘it was cyber defence. We taught the Estonian regime a lesson.’
After Estonia came Lithuania. In 2008 this former Soviet republic antagonised the Kremlin when its parliament voted to ban the public display of both Nazi and Soviet symbols. This triggered an immediate massive cyber attack: on 30th June the Lithuanian telecommunications service reported an attack by hackers on 300 websites, where they had pasted Soviet red flags and anti-Lithuanian slogans.
In August 2008, the war between Georgia and South Ossetia triggered a cyber attack on Georgia’s internet infrastructure. At the same time a number of groups appeared, among them ‘Civil Anti-terror’ (www.anticenter.org) and ‘Internet Underground Community vs. Terrorism’ (www.peace4peace.com), whose aim was to mobilise web users against sites that supported the Chechen rebels, and who suggested using DoS attacks to do this. In 2007 we noticed the National Anti-Terrorist Committee, whose chair is the head of the FSB, taking an interest in the patriotic hackers of ‘Civil Anti-terror’ and trying to contact them, seeing them as potential allies.
The same year saw the emergence of a figure known as ‘Hacker Hell’ as the main scourge of liberals on the Russian Internet. A group of supporters attached themselves to him on the ‘Live Journal’ blog site, calling themselves sometimes ‘the Hell Brigade’, sometimes ‘the Hell Party’, and then settling on ‘the FSB Brigade for the Strangulation of Democracy’ (http://fsb-brigada.livejournal.com/). While most of his gang busied themselves with trolling on liberal sites, posting inflammatory messages to disrupt discussions, Hell was hacking into opposition leaders’ email accounts – most famously, those of Aleksey Navalny and his wife in October 2011. Among his other victims were the blogger Andrey Malgin, an exposer of corrupt officials, and ex-MP Viktor Alksnis, who led the campaign against the illegal sell-off of public land in the trendy residential Moscow district of Rublyovka. And in January 2012, when opposition hackers accessed the email account of the Nashi press officer Kristina Potupchik, it turned out that the Kremlin’s youth movement was planning a DDoS attack on the Kommersant newspaper’s website.
© Agentura.ru, 2000-2011