stories

‘It’s our time to serve the Motherland’ How Russia’s war in Georgia sparked Moscow’s modern-day recruitment of criminal hackers

Meduza
20:35, 7 august 2018

Anna Shnygina for Meduza

On the night of August 8, 2008, Georgian troops started shelling Tskhinvali, the capital of South Ossetia, and then began their assault on the city. Within a few hours, Russia’s armed forces entered Georgia, leading to a five-day war that cemented South Ossetia’s secession. The conflict was fought not only on Georgian soil, but also in cyberspace, where Russian hacker groups hijacked the websites of Georgian news outlets and state agencies. This was the moment when Moscow first turned its attention to Russia’s so-called “patriotic bloggers,” and started relying systematically on their services, which were provided both voluntarily and compulsorily. Meduza special correspondent Daniil Turovsky looks at the history of Russia’s cyberwar with Georgia, and traces its links to the hacking of the Democratic Party in the United States and the arrest of several Russian Federal Security Service agents in 2016.

On August 8, 2008, a hacker named Leonid Stroikov (better known by his online moniker, “R0id”) was relaxing at home in his Khabarovsk apartment, draining a can of beer and reading the humor website Bashorg, when suddenly a breaking news story flashed across his television screen: Georgian artillery forces were shelling the city of Tskhinvali, the capital of South Ossetia.

Enraged by the news, Stroikov (an experienced hacker who two years earlier had published detailed instructions on how to break into online banks) started looking for vulnerabilities in the websites of Georgian state agencies and major news networks. Before long, several of these resources had been hacked, and the attacks continued throughout and after the brief shooting war.

Several Russian-speaking hackers told Meduza that the 2008 Russo-Georgian war catalyzed the Russian intelligence community’s cooperation with “patriotic hackers,” transforming these criminals into valuable state assets. Ever since, Meduza’s sources say, the authorities have regularly recruited hackers to work for them, sometimes voluntarily and sometimes under the threat of criminal prosecution.

Sources told Meduza that Russian intelligence agencies prefer not to keep many “technical experts” on staff, opting instead to supervise freelancers whom they find on hacker online forums and through criminal cases against hackers and credit-card fraudsters. One hacker told Meduza that the Defense Ministry and Federal Security Service (FSB) have a “diffuse network for attracting and incentivizing criminal hackers and creating the conditions for their work, supplying them with the necessary information.” Often, Russia’s intelligence agencies apparently hide hackers in safe houses, so the Interior Ministry’s cybercrime investigative unit doesn’t catch them.

Ruslan Stoyanov, the former head of Kaspersky Lab’s investigations department who’s worked extensively with the FSB, has warned openly that Russia is flirting with disaster by cooperating so closely with criminal hackers. “There’s an enormous temptation for the ‘decision makers’ to use Russian cybercrime’s ready-made solutions to influence geopolitics,” Stoyanov wrote in an open letter. He’s been in pretrial detention since January 2017, facing treason charges. “The most terrifying scenario is one where cyber-criminals are granted immunity from retaliation for stealing money in other countries in exchange for [hacked] intelligence. If this happens, a whole class of ‘patriotic thieves’ will emerge, and semi-legal ‘patriot groups’ can invest their stolen capital fаr more openly in the creation of more sophisticated Trojan programs, and Russia will end up with the most advanced cyber-weapons.”

Meduza’s sources say the Russian authorities have been relying on intelligence gathered by these “patriotic groups” for at least a decade.

“The bandit’s automatic has gone quiet in the mountains”

In August and September 1999, bombs ripped through apartment complexes in Moscow and Volgodonsk, killing 307 people and injuring roughly 1,700. The attacks were pinned on Chechen terrorists, just as militants under the command of Shamil Basayev raided settlements in Dagestan, in a campaign to liberate the region from “occupation by the infidels.”

Russian troops soon blockaded Chechnya’s borders, and on September 30 — a week after President Boris Yeltsin signed an executive order implementing a new “counter-terrorist operation” — the military re-entered Chechnya. The “operation,” as Moscow called the renewed war, lasted another 10 years, and wasn’t formally concluded until April 2009.

The Second Chechen War was the first conflict in which Russian hackers sided with the government and effectively fought against the enemy. After the bombings in Moscow and Volgodonsk, while people in cities across the country started guarding the entrances to their apartment buildings, watching for any suspicious characters, some Russians decided to take the fight to the enemy, without ever leaving their homes.

Several students at the Tomsk Technical University organized the “Siberian Network Brigade,” executing DDoS-attacks against sites operated by Chechen militants, where they published their news stories and interviews. These cyber-attacks began even before Russian troops marched back into Chechnya. On August 1, 1999, the group hacked the homepage of Kavkaz.org, uploading a picture of the poet Mikhail Lermontov in camouflage, holding a Kalashnikov, with the caption: “Misha was here. This site, run by terrorists and murderers, has been shut down by Russians’ numerous requests.”

Anna Shnygina for Meduza

Members of the Siberian Network Brigade also wrote letters to Kavkaz.org’s hosting companies in the U.S., demanding that they refuse to do business with terrorists. On November 17, 2001, the brigade’s leader made another appeal to the U.S. State Department and American news media, saying, “The events that took place in your country on September 11, 2001, have brought our states closer on issues related to the fight against international terrorism. The company XO Communications, Inc. provides hosting services to the Kavkaz Center news agency, which is owned by persons recognized as terrorists, including in your own country. This website is used not only to disseminate materials that discredit the global community’s fight against international terrorism, but also to recruit new combatants and raise money for terrorists.”

Within a month, Kavkaz Center had lost its American host, and the website moved to servers in Georgia. (This wasn’t its last relocation, however. To date, Kavkaz Center has been chased from Estonia, Latvia, and Finland, and its current host is hidden by Cloudfare’s DDoS-protections.)

In 2002, the brigade’s hackers hijacked Kavkaz Center once again, this time posting the following message: “We pulled out the teeth from this center’s stinking piehole, and silence hung over the Chechen terrorists’ lair. It choked on [then Chechen propaganda chief Movladi] Udogov’s barking. The bandit’s automatic has gone quiet in the mountains. The wily Arab didn’t send money to his Chechen mercenaries. The evil Taliban in Afghanistan has grown despondent. If you shut your trap tomorrow, the world will become calmer and safer still.”

The Siberian Network Brigade called openly on hackers to target online resources operated by Chechen militants, telling colleagues that their reward would be the respect and admiration of fellow brothers in arms. Within a couple of months, Russian-speaking hackers started spreading the “Masyana” virus, which was harmless to infected computers, while mobilizing them in DDoS-attacks on Kavkaz Center.

Movladi Udugov, Kavkaz Center’s director, says he is sure that Russia’s Federal Security Service was behind the cyber-attacks on his website. FSB officials in Tomsk stated openly that the Siberian Network Brigade violated no Russian laws, calling its actions “a civic expression worthy of respect,” despite the fact that Criminal Code 272 already banned unlawful access to computer information. (A new police unit in the Interior Ministry was charged with investigating these cyber-crimes.)

A few months later, on October 23, 2002, when Chechen terrorists seized a Moscow theater during a performance of Nord-Ost, the brigade swung back into action, launching new attacks against Kavkaz Center. Soon, however, the group’s activities ceased, and it’s unknown what former members have been doing ever since.

Civilian anti-terrorism

2005 marked the beginning of a new era in Russia’s patriotic hacking, when messages started appearing on Internet forums calling for a united assault on extremist resources.

The most active proponent of this new campaign was a St. Petersburg man named Petr Levashov — an infamous Russian hacker and spammer responsible for creating Kelihos, one of the world’s largest botnets, comprising more than 100,000 infected computers. American officials referred unlovingly to Levashov as “the king of spam.”

Several of Levashov’s acquaintances told Meduza that he was one of the first Russian hackers to start collaborating with the country’s intelligence agencies. He later put his skills to use for political purposes: in 2012, his botnet allegedly helped spam Russians with emails about presidential candidate Mikhail Prokhorov’s supposed homosexuality. The messages linked to an article that credited Prokhorov with the following statement: “Everyone who knows me has long understood that I’m a pedo.”

Levashov also says he’s “worked for United Russia” (the country’s ruling political party) since 2007, collecting intelligence about opposition groups and “delivering this information to the right people at the right time.”

In 2013, Levashov wrote what seemed to be a facetious April Fool’s Day post on a hacker forum, announcing the creation of a new Information Security Center inside the FSB that would counter U.S. cyber-warfare. “I’ve been instructed not only to lead [this unit], but to form its main staff,” he wrote at the time. “A college degree in computer science is a plus, but it’s not required, and what you can actually do is far more important. Having finished at a military academy or completed Russian military service is also a plus. The Motherland raised us, giving us our educations. Now our time has come to serve Russia.”

A hacker who knows Levashov told Meduza that the “spam king” first started encouraging his friends to help the Russian government online back in the mid-2000s. In the beginning, he called for attacks on Chechen terrorists’ websites, and later shifted to targeting resources operated by the anti-Kremlin opposition. The hackers weren’t paid to carry out these attacks. The investigative journalists Andrei Soldatov and Irina Borogan have reported extensively on these cyber-attacks and similar operations orchestrated by Russia’s intelligence agencies.

Levashov also urged hackers to join “Civil Anti-Terror,” a community created by a group of self-described patriotic Russian hackers in the spring of 2005. The founders published a manifesto proclaiming that information is the 21st century’s most dangerous weapon. “Our goal,” the document said, “is to block access to resources that disseminate distorted information about terrorism and terrorists, propagating the correctness of their actions, whatever their reasons.” The group used the same tactic as its predecessors: DDoS-attacks.

A month later, another group emerged: the Internet Underground Community vs. Terrorism, whose website sported black and blue tones and a logo that featured a hacker squaring off against a person in a Muslim headscarf. The project’s creators said they were looking for a “solid team” of DDoS-specialists from across Russia and the Commonwealth of Independent States. The founders strongly denied any connections to Russia’s state intelligence agencies, referring to themselves as individuals “on the other side of the law.” The group’s website included a worksheet listing all its successful cyber-attacks.

When militants raided the city of Nalchik in October 2005, patriotic hackers mobilized again, this time targeting not just Kavkaz Center but various media outlets that, in their view, misrepresented the terrorists’ actions in their news reports: Ekho Moskvy, Novaya Gazeta, Radio Liberty, and others. A month later, a DDoS-attack knocked out the website for Eduard Limonov’s now banned National Bolshevik Party. (A day later, Russia’s Supreme Court liquidated the party’s interregional infrastructure.) After this incident, cyber-attacks on opposition websites, independent media outlets, and online resources used to mobilize anti-Kremlin protests gradually became more common. In the spring of 2007, when the Estonian authorities decided to remove a monument to fallen Soviet soldiers from the center of Tallinn, Russian hackers attacked the state’s websites.

Around this time, a programmer in St. Petersburg named Anton Moskal got a phone call from someone who claimed to be a representative from the FSB’s National Anti-Terrorism Committee. According to Andrei Soldatov, the caller asked if Moskal was the true owner of the “Civil Anti-Terror” website, leading him in a conversation about “patriotism and the fight against terrorists’ websites.” Moskal didn’t own the website, however, and had merely hosted a mirror to the resource on his blog. When the caller learned this, he allegedly asked if Moskal knew how to contact the hackers who ran the project.

Stop Georgia

In the summer of 2008, the DDoS-attacks against Georgian government websites started two weeks before the war with Russia, when the first sustained clashes broke out along the South Ossetian border.

On August 9, the day after Russia sent its armed forces into Georgia, Russian-speaking hackers launched the website StopGeorgia.ru, sharing tips about which Georgian websites to target, as well as hyperlinks to software needed to carry out these cyber-attacks. The project’s forum had roughly 30 regular participants: mostly hackers who made a living stealing credit card information. The effort was promoted in comments on the magazine Hacker and other forums for Russian computer programmers, like Exploit.in, Zloy.org, and Web-Hack.ru.

The creators of StopGeorgia.ru identified themselves as “representatives of the Russian hacker-underground.” In a greeting to visitors, they said, “We will not tolerate provocations by Georgia in any form. We want to live in a cyberspace free from aggression and lies.” The hackers threatened to attack Georgian websites “as long as the situation remained unchanged,” and called for help from “everyone who isn’t indifferent to the lies of Georgian political sites.” StopGeorgia.ru also posted a list of “prime targets,” and shortly afterwards DDoS-attacks took down the websites of Georgia’s president, parliament, Interior Ministry, and Defense Ministry.

There were also cyber-attacks on Russian Internet resources, including the news agency RIA Novosti and several Russian and Ossetian outlets. Russia Today’s website was knocked out by a DDoS-attack for roughly an hour. Someone even created a site with fake stories designed to look like an Ossetian news agency.

StopGeorgia.ru didn’t disband with the end of the war in August 2008. More than a year later, in December 2009, the group again targeted government websites in Tbilisi, when Georgian officials demolished a Soviet military monument in Kutaisi. “We will not tolerate the destruction of our historical heritage and attempts to pit the peoples of the former USSR against one another,” the hackers wrote in one message on an online forum. “We stand for peace and friendship of our peoples and will not allow the incitement of interethnic hatred between people whose history is forever bound by the bonds of brotherhood.”

Researchers later determined that StopGeorgia.ru was hosted by Naunet, a Russian registrar long-ago blacklisted by the Spamhaus Project for providing cybercrime, spam, and phishing domains. Naunet’s office building is located in central Moscow not far from the Belorussky train station. It shares its premises with “Etalon,” a research institute that produces information security systems and has close ties to the government. In 2015, Etalon was acquired by Rostec, a state company that’s spent many years pursuing software and equipment capable of launching massive DDoS-attacks.

Anna Shnygina for Meduza

The email address and phone number listed in StopGeorgia.ru’s registration paperwork appears repeatedly in online forums for credit-card fraudsters. They belonged to a hacker who went by the presumably invented name “Andrey Uglovatoi,” who sold databases of stolen credit card numbers, along with fake passports and driver’s licenses.

StopGeorgia.ru’s IP address belonged to Steadyhost, a small company located at 88 Khoroshevsky Highway, in a Moscow district where almost all the buildings are affiliated with Russia’s Main Intelligence Directorate (GRU). The neighboring building at 86 Khoroshevsky Highway houses a Defense Ministry institute that researches military-technical information and foreign states’ military potential. The institute used to report directly to the GRU. Locals refer to the four-story building as “the Pentagon,” not for its shape but because of the secrecy that surrounds it. The facility’s staff were known as “the most informed people in the GRU,” and its leadership belongs to Russia’s Security Council.

The hunter from Khabarovsk

Leonid Stroikov (the hacker “R0id”) attacked Georgian websites on his own, without the help of colleagues or communities. First, he went after local news websites and search engines. “No single large-scale occurrence is without the participation of the mass media, which actively uses the Internet to convey its version of events and publishes only what it wants or has been told to publish,” Stroikov later argued. Next, he turned his attention to Georgia’s government websites, and before long the parliament’s website soon featured photographs comparing Georgian President Mikheil Saakashvili to Adolf Hitler. “And it will end for him the same way,” read a caption on the images, with the inscription: “Hacked by South Ossetia Hack Crew.”

Speaking to the magazine Hacker about his exploits in Georgian cyberspace, Stroikov said that “cyberwars have become an integral part of real, deadly events.” It’s unknown what he’s been doing since the Russo-Georgian War, but his updates on Vkontakte suggest that he enjoys camouflage clothes and hunting. Stroikov refused to speak to Meduza for this story.

On Vkontakte, Stroikov has 36 listed friends, most of whom are from Khabarovsk, where he still lives to this day. One exception is Dmitry Dokuchaev, the FSB agent known as the hacker “Forb.” Like Stroikov, he wrote for Hacker (a publication that has introduced many Russian hackers to one another), and he even served as editor for the magazine’s section on security breaches.

Several Russian-speaking hackers told Meduza that Dokuchaev was the first major cyber-criminal to take a full-time job with a Russian intelligence agency. This apparently happened sometime between 2005 and 2006, when credit-card fraud put him on the federal authorities' radar. Fellow specialists who interacted with him on Internet forums say they remember getting suspicious about his new employment around 2008, after which they monitored more carefully what they were writing online.

It’s possible that Dmitry Dokuchaev supervised Russia’s cyber-attack on the Democratic Party ahead of the 2016 U.S. presidential election. He was, after all, responsible for recruiting new hackers to work for Russia’s intelligence community.

The poet from Kamensk-Uralsky

As a young man, like so many young people, Dokuchaev was fond of poetry. Sometimes it was lyrical poems, and other times it was poems about electronics and the Internet. “Even the biggest computer person is occasionally drawn to romance and poetry,” he once wrote. In 2001, for example, he composed an inspired rhyme about Linux, Windows, backup disks, and the Red Hat open-source software company. The first line read, “Linux rules, Windows must die forever.”

Dokuchaev was born in Kamensk-Uralsky, an impoverished city about an hour’s drive from Yekaterinburg. The last time Kamensk-Uralsky made national news headlines was in 2013, when a group of homophobic thugs started terrorizing gay men (they once brought a victim to a cemetery, forced him to dig up a headstone, and then chased him in their jeep, calling these assaults “safaris”). Dokuchaev has described his hometown in the following terms: “Made up of 200,000 people, Kamensk-Uralsky isn’t all that big. There are a lot of factories, mostly metalworking plants: pipes, metallurgical, and aluminum. The city will celebrate its 300th anniversary soon, so it’s not that old, but neither is it a young place. A bit about its landmarks: this isn’t Moscow, of course, but Kamensk has a local history museum, lots of theaters, a library, sports stadiums and facilities, and Internet cafes.”

Throughout his early adolescence, Dokuchaev spent a lot of his time playing video games like Worms Armageddon, Need for Speed, and Quake 3. His first hack was against the city’s WiFi network, in order to steal free Internet access. “I always felt that information should be free, so I really didn’t want to pay the provider for access,” Dokuchaev later recalled.

After grade school, he studied at the Yekaterinburg Polytechnic Institute in the information systems department, before taking a job as a system administrator at a university also in Yekaterinburg. He wrote about himself extensively on his (now deleted) website, which he called Dmitry’s Homepage: The Best. In an emoji-littered blog post in 2002, he praised his own rising profile, writing that he was “gaining popularity on the interwebs and not only there,” highlighting the honoraria he earned from the magazine Hacker. Dokuchaev based his online nickname, “Forb,” on the beginning of the English word “forbidden.”

In addition to a section where Dokuchaev archived the various software vulnerabilities he discovered, his website also contained a small archive of old personal photos: “me on the couch in 1997” (featuring a blue-shirted teenager blending into a blue-upholstered couch) and visits to McDonald’s, the theater, Crimea, and a dance club, among other trips.

In 2004, Dokuchaev started committing credit-card fraud and hacking websites for money. (He explained in detail on his website how he did this.) The young hacker described his greatest feat as a successful cyber-attack on a U.S. government website. In 2006, he took a staff position at Hacker and moved to Moscow.

People who knew “Forb” when he got to the capital say he married a woman, whom he promptly taught to hack the website of the Russian edition of Cosmopolitan. Dokuchaev was a bit of a wild man in those days, frequently going out drinking with friends and sometimes getting into trouble with the police. “Our mayhem would often cross the line into breaking the law, but it was cool. All the parties and hanging out were crazy, but it was fun,” an old friend told Meduza. During one of these benders, Dokuchaev lifted him up 10 feet high, so he could break a security camera. Afterwards, they fled the police and ran straight into an FSB agent, who apparently clocked the hacker square in the jaw.

Anna Shnygina for Meduza

Dokuchaev soon started working directly with the feds, and before long he took a job with the service and became a senior agent in the second department of the operations office at the FSB’s information security center, working on state cyber-defense and investigating hacker threats to national security. He worked there until 2016, when he was arrested.

Dokuchaev was in contact not only with Leonid Stroikov, but many other hackers. One of his acquaintances was another Kamensk-Uralsky native: Konstantin Kozlovsky, who also spent most of his waking hours on Russian hacker forums. A man who knew both Dokuchaev and Kozlovsky told Meduza that they cultivated an “atmosphere that Russia needed help, it needed to be protected, and banks in the U.S. and Europe should be attacked, since the money is insured there anyways, and Russia needed it more, after the 1990s.”

Kozlovsky is responsible for creating the “Lurk” hacker group, which broke the rules of the game by targeting banks inside Russia (Meduza wrote extensively about these cyber-attacks here). In 2017, when he was finally arrested, Kozlovsky personally took credit for hacking the Democratic National Committee, claiming that he acted on Dokuchaev’s explicit orders. Already in pretrial detention when Kozlovsky made these allegations, Dokuchaev says he played no role in the DNC data breach.

The FBI believes that Dmitry Dokuchaev supervised the hackers who cyber-attacked the computer networks of American state agencies and commercial enterprises. In Russia, he’s apparently charged with working as a double agent and surrendering information to the Americans about Russian hackers. Federal agents also arrested Sergey Mikhailov (one of the directors of the FSB’s information security center, who was brought into custody with a bag over his head) and Ruslan Stoyanov (the Kaspersky Lab expert who now warns Russian officials about cooperating with hackers). All these men are charged with treason.

In April 2018, the magazine RBC reported that Dokuchaev had signed a plea bargain partially confessing to the charges of sharing information with a foreign intelligence agency. He reportedly says he thought his actions would help the fight against global cybercrime.

President Vladimir Putin first commented publicly about “patriotic hackers” in June 2017 at the St. Petersburg Economic Forum. “Hackers are free people!” he said. “They’re like artists who wake up in the morning in a good mood and start painting. It’s the same with hackers: they wake up one day, read that something is happening somewhere in interstate relations, and if they’re patriotically inclined they start to do their part, as they see fit in the fight against those who badmouth Russia.”

By all accounts, the Russian intelligence community is still actively recruiting hackers in exchange for closing the criminal cases against them. In July 2018, for instance, a court in Belgorod dropped the charges against a local man accused of committing 545 cyber-attacks against the FSB. The case was dismissed at the FSB's request.

Story by Daniil Turovsky, translation by Kevin Rothrock