Authorities in Moscow continue to struggle to stem the tide of data breaches from hackers inside and outside Ukraine, who have been one of the unsung heroes in the resistance to the Russian invasion.
Updated Nov. 20, 2023 at 5:45 p.m.
It was a concerted effort that began with Russia's Feb. 24, 2022 full-scale invasion, and has not relented since: pro-Ukrainian hackers have been targeting Russian government agencies and businesses, gathering secret information and passing it on to the Ukrainian security and intelligence forces.
Reported totals for breaches and leaks over the past 20 months do not agree. This year so far, Roskomnadzor, Russia’s digital watchdog, identified 150 major leaks, while Kaspersky Lab, a Russian cybersecurity firm, reported 168 leaks, totaling about 2 billion lines of data, including 48 million with top secret passwords.
Following the Russian invasion, a substantial number of hackers worldwide expressed solidarity with Ukraine, and took action. “My colleagues and I operate under the principle that ‘if it can be hacked, then it needs to be hacked,’” said a representative of the Cyber.Anarchy.Squad group. “We believe in targeting anything accessible, especially if it's significant to defeating the enemy.”
“BlackBird,” one of the founders of the DC8044 community, explained that the primary objective of hacking Russian entities is to acquire data useful to Ukrainian security forces.
"The personal data obtained by our groups is typically shared with security forces,” he said. “They aggregate and analyze this information to support their operations effectively.”
Hackers closely cooperate with Ukrainian intelligence services as well: they are engaged in reconnaissance, sabotage and information operations. Andrey Baranovich, co-founder of the Ukrainian CyberAlliance group, said that “If we spend 24 hours hacking something, our victims should spend at least a week recovering, and in the optimal case, the victim should not recover at all.”
Hackers unanimously agree that known leaks are just the tip of the iceberg; in most cases, having gained access to data, hackers try not to reveal the information publicly so that the organization that has been hacked cannot respond. “Some databases to which hackers already have access are constantly being saturated with large amounts of new data, and spitting it out publicly means losing this access,” says BlackBird.
How susceptible is Russia to hacking?
Data breaches become public when hackers want to hurt an enemy or build a reputation for themselves. Of course, data is also sold for money: to spammers, scammers, and data aggregators. “We constantly sell and leak data,” admits Michael Myers, a member of the UHG hacker group. “We mainly try to help our military personnel, but we also have to fund our technical operations.”
Obviously, all else being equal, the more people use the Internet, leaving their data there, the more data leaks will happen. Russia is among the world leaders in the use of the Internet, and the COVID-19 pandemic only increased this reliance.
The West's economic sanctions do not make matters easier for Moscow: many Western IT companies, whose anti-hacking solutions were previously purchased by Russian businesses — Cisco, IBM, Imperva, Fortinet, Norton, Avast — have limited or stopped their activities in Russia.
“If previously Russian companies could afford to use the largest, best known, most proven anti-hacking software, now they have to improvise,” notes one expert, who wished to remain anonymous.
“The fact that Russia is extremely dependent on Western technologies, which are now incredibly difficult to source in the absence of manufacturers, makes hacking Russia all the easier,” notes Baranovich from the Ukrainian Cyber Alliance.
Cyber war continues on both sides.
How does Russia fight hackers?
In theory, Roskomnadzor, Russia's media and information technology agency, has the mandate to protect personal data. It is otherwise a very active government body: it blocks opposition sites, enforces censorship in Russia, studies ways to disconnect Russian networks from outside attacks, and even makes sure that Vladimir Putin is not called offensive names. Because of its breadth of tasks, there are simply no resources left to protect the personal data of Russians, and the law does not provide any real help in this regard.
“The entire fight against leaks today involves sending letters and simulating vigorous activity," notes the information security expert. "Some meager fines are applied only after a scandal arises in the media."
Personal data protection works like this. Each operator of personal data — be it Russia's leading internet company Yandex or a regional pizza delivery service — must be included in the register of operators. There are now almost one million such companies. If a leak occurs, the company is obliged to notify Roskomnadzor, which typically launches an investigation and then, possibly, brings the company to administrative liability. The maximum fine under it is 100,000 rubles ($1,100).
Businesses are scared
The Ministry of Digital Development is now preparing a bill that it hopes can reduce the number of data breaches. It increases fines for companies whose data has been leaked: for the first breach, 3–15 million rubles ($33,000–$170,000); for a repeat leak, 3% of the company’s annual turnover, but no less than 15 million rubles and no more than 500 million rubles ($5,500,000).
At the same time, the company will be able to reduce the fine if it is able to reach an agreement with the majority of victims, including people whose data was leaked, offering them compensation. This is supposed to be done through State Services.
In the same bill, Roskomnadzor has proposed introducing actual licensing of large personal data operators (more than a million records). The proposal entails transitioning to a licensing system, where companies with more than one million data records would need to meet specific criteria. These criteria include hiring at least five individuals with higher education in information security, demonstrating the capability to pay major fines, and restricting data processing to within Russia. Subsequently, Roskomnadzor would conduct an assessment of the company's IT infrastructure to determine whether it is sufficiently protected.
While all this sounds reasonable, business is traditionally afraid that, having received leverage in the form of large fines and licensing, officials will use it not for good, but rather for their own personal interests — economic or otherwise.
“Such a law encourages officials to try to increase the number of fines rather than to stop leaks,” the cybersecurity expert concludes.