28 January 2019

This Time It’s Russia’s Emails Getting Leaked

Kevin Poulsen

The Russian oligarchs and Kremlin apparatchiks spared by WikiLeaks in the past will not be so lucky this week, when transparency activists drop a massive archive of leaked docs.

Russian oligarchs and Kremlin apparatchiks may find the tables turned on them later this week when a new leak site unleashes a compilation of hundreds of thousands of hacked emails and gigabytes of leaked documents. Think of it as WikiLeaks, but without Julian Assange’s aversion to posting Russian secrets.

The site, Distributed Denial of Secrets, was founded last month by transparency activists. Co-founder Emma Best said the Russian leaks, slated for release Friday, will bring into one place dozens of different archives of hacked material that, at best, have been difficult to locate, and in some cases appear to have disappeared entirely from the web.

“Stuff from politicians, journalists, bankers, folks in oligarch and religious circles, nationalists, separatists, terrorists operating in Ukraine,” said Best, a national-security journalist and transparency activist. “Hundreds of thousands of emails, Skype and Facebook messages, along with lots of docs.”

Distributed Denial of Secrets, or DDoS, is a volunteer effort that launched last month. Its objective is to provide researchers and journalists with a central repository where they can find the terabytes of hacked and leaked documents that are appearing on the internet with growing regularity. The site is a kind of academic library or a museum for leak scholars, housing such diverse artifacts as the files North Korea stole from Sony in 2014, and a leak from the Special State Protection Service of Azerbaijan.

The site’s Russia section already includes a leak from Russia’s Ministry of the Interior, portions of which detailed the deployment of Russian troops to Ukraine at a time when the Kremlin was denying a military presence there. Though some material from that leak was published in 2014, about half of it wasn’t, and WikiLeaks reportedly rejected a request to host the files two years later, at a time when Julian Assange was focused on exposing Democratic Party documents passed to WikiLeaks by Kremlin hackers.

“A lot of what WikiLeaks will do is organize and re-publish information that’s appeared elsewhere,” said Nicholas Weaver, a researcher at the University of California at Berkeley’s International Computer Science Institute. “They’ve never done that with anything out of Russia.”

There’s no shortage of information out there. While barely known in the West, hacker groups like Shaltai Boltai, Ukrainian Cyber Alliance, and CyberHunta have been penetrating and exposing Russian secrets for years. Those leaks can be hard to find, though, particularly if you can’t read Russian.

Last year, Best agreed to help another journalist locate a particular Shaltai Boltai leak, a hunt that sent her into the world of Russian hacktivism. “Later I’m talking to some hackers—this is after DDoS’ public launch—and they hooked me up with a few archives,” Best told The Daily Beast. “A couple gigabytes, something like that. I do some digging, ask around, and manage to stir up a good bit more.”

Once word got around that Best was collecting Russian hacks, the floodgates opened. In late December, the project was on the verge of publishing its Russia collection when “middle of the night, more files come in,” Best said. Then an organization with its own collection of Russia leaks opened its archives to Best and her colleagues.

The DDoS project compiled more than 200,000 emails into a spreadsheet for ease of searching. In all, its cache now contains 61 different leaks totaling 175 gigabytes, dwarfing, by quantity at least, Russia’s leaks against the Democratic National Committee and Hillary Clinton campaign. 

The collection includes files from Alexander Budberg, a Russian columnist married to Dmitry Medvedev’s press secretary; Kirill Frolov, vice-director of the Kremlin-backed Institute for CIS Countries; and Vladislav Surkov, a top aide to Vladimir Putin who was hacked by CyberHunta in October 2016. The Surkov files contained documentary evidence of the Kremlin’s covert coordination with pro-Russia separatists within Ukraine, and though the Kremlin denounced the leak as a fake, several independent forensics examiners agreed the emails were the real deal.

DDoS differs from WikiLeaks in that it doesn’t solicit direct leaks of unpublished data—its focus is on compiling, organizing, and curating leaks that have already appeared somewhere in public. “Emma Best, I think, is someone who will actually do a good job,” said Weaver, citing Best’s aggressive use of the Freedom of Information Act to extract documents from recalcitrant U.S. agencies. “Things get so scattered that putting it all into one place is a huge benefit.”

In an age where leaks and counterleaks have become geopolitical blood sport, any secret-spilling organization has to weigh the risks of a hoax or a leak that has been maliciously tampered with. DDoS mitigated that danger in its Russian email leaks using the same technique WikiLeaks employed to authenticate the DNC emails: verifying the cryptographic signatures that the sending domain's mail server attaches to outgoing messages under a standard called DKIM (DomainKeys Identified Mail). The matching public key is published in the domain's DNS, so anyone can check a signature, but only the signing server can create one. “In order to fake that, post hoc, you need the mail server’s private key,” said Weaver. “So when you deal with mail dumps where you have DKIM signatures, tampering can only act to remove entries. You can’t add or modify.”
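What Weaver describes, as an added illustration that is not code from the article, from DDoS or from WikiLeaks: a minimal DKIM signer and verifier written in Go on top of the standard library's crypto/rsa. The "mail server" signs a constructed message with a freshly generated key; the "leak verifier" holds only the corresponding public key (a real verifier fetches it from the DNS TXT record at selector._domainkey.domain rather than from memory) and checks the stored message plus four altered copies. The domain example.com, the selector sel2019, the message text and the scenario names are all invented for the example; canonicalization follows RFC 6376 relaxed/simple in simplified form, and messages are assumed to use CRLF line endings with unfolded headers.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// header returns the last field with this name (DKIM takes signed headers bottom-up), or "".
// Messages are raw RFC 5322 text with CRLF line endings and unfolded headers (an assumption).
func header(raw, name string) (value string) {
	head, _, _ := strings.Cut(raw, "\r\n\r\n")
	for _, line := range strings.Split(head, "\r\n") {
		if n, v, ok := strings.Cut(line, ":"); ok && strings.EqualFold(n, name) {
			value = v
		}
	}
	return value
}

// relaxedHeader: RFC 6376 "relaxed" canonicalization (lowercase name, whitespace runs to one space).
func relaxedHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// bodyHash: base64 SHA-256 of the "simple"-canonicalized body (trailing empty lines dropped).
func bodyHash(raw string) string {
	_, body, _ := strings.Cut(raw, "\r\n\r\n")
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerHash: SHA-256 over the signed headers in h= order, then the DKIM-Signature field
// itself with an empty b= tag and no trailing CRLF, exactly as the signer hashed it.
func headerHash(raw string, signed []string, dkimValue string) []byte {
	var buf strings.Builder
	for _, name := range signed {
		if v := header(raw, name); v != "" {
			buf.WriteString(relaxedHeader(name, v))
		}
	}
	buf.WriteString(strings.TrimSuffix(relaxedHeader("DKIM-Signature", dkimValue), "\r\n"))
	sum := sha256.Sum256([]byte(buf.String()))
	return sum[:]
}

// Sign builds the DKIM-Signature value the sending domain's mail server adds on the way out.
// The private key stays on that server, which is exactly what a post-hoc forger lacks.
func Sign(raw string, key *rsa.PrivateKey, domain, selector string, signed []string) (string, error) {
	value := fmt.Sprintf(" v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), bodyHash(raw))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerHash(raw, signed, value))
	if err != nil {
		return "", err
	}
	return value + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks a stored message with the signer's public key, which a real verifier
// fetches from the DNS TXT record at <selector>._domainkey.<domain>.
func Verify(raw string, pub *rsa.PublicKey) error {
	dkim := header(raw, "DKIM-Signature")
	if dkim == "" {
		return fmt.Errorf("no DKIM-Signature header")
	}
	t := map[string]string{} // tag=value pairs; "b" and "bh" are distinct keys here
	for _, part := range strings.Split(dkim, ";") {
		k, v, _ := strings.Cut(part, "=")
		t[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	if bodyHash(raw) != t["bh"] {
		return fmt.Errorf("body hash mismatch: body was modified")
	}
	sig, _ := base64.StdEncoding.DecodeString(t["b"]) // a malformed b= simply fails below
	digest := headerHash(raw, strings.Split(t["h"], ":"), strings.Replace(dkim, "b="+t["b"], "b=", 1))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) != nil {
		return fmt.Errorf("signature mismatch: a signed header was modified or the key differs")
	}
	return nil
}

// sampleRaw is a constructed message; example.com and selector sel2019 are invented.
const sampleRaw = "From: Alice <alice@example.com>\r\nTo: Bob <bob@example.net>\r\n" +
	"Subject: Q3 numbers\r\nDate: Mon, 28 Jan 2019 10:00:00 +0000\r\n" +
	"X-Mailer: constructed-sample/1.0\r\n\r\nBob,\r\n\r\nThe figures are attached.\r\n\r\nAlice\r\n"

// Demo signs sampleRaw as the server would, then verifies the stored copy and four altered
// copies while holding only the server's public key; it returns pass/fail per scenario.
func Demo() (map[string]bool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the mail server's signing key
	if err != nil {
		return nil, err
	}
	forger, err := rsa.GenerateKey(rand.Reader, 2048) // an attacker's own key
	if err != nil {
		return nil, err
	}
	signed := []string{"from", "to", "subject", "date"}
	dkim, err := Sign(sampleRaw, key, "example.com", "sel2019", signed)
	if err != nil {
		return nil, err
	}
	stored := "DKIM-Signature:" + dkim + "\r\n" + sampleRaw // what lands in the leak dump
	edited := strings.Replace(sampleRaw, "attached", "fabricated", 1)
	forged, _ := Sign(edited, forger, "example.com", "sel2019", signed) // a failed forgery just fails to verify
	res := map[string]bool{}
	for name, raw := range map[string]string{
		"original":                    stored,
		"body edited":                 strings.Replace(stored, "attached", "fabricated", 1),
		"signed header edited":        strings.Replace(stored, "Q3 numbers", "Bribe", 1),
		"unsigned header edited":      strings.Replace(stored, "constructed-sample/1.0", "evil/9", 1),
		"re-signed with attacker key": "DKIM-Signature:" + forged + "\r\n" + edited,
	} {
		res[name] = Verify(raw, &key.PublicKey) == nil
	}
	return res, nil
}

func main() { fmt.Println(Demo()) }
```

Running it shows the original verifying, the edited body, the edited Subject and the copy re-signed with the attacker's key all failing, and the edited X-Mailer header passing: DKIM covers only the headers listed in h=, and it says nothing about messages that were deleted from a dump, which is the limit Weaver points to. Two further practical caveats for anyone checking an old archive this way: the verifier needs the public key that was in DNS at the time the mail was sent, so a rotated or withdrawn key makes old signatures unverifiable rather than invalid, and a signature carrying an l= body-length tag only covers that many bytes of the body, so appended content goes unnoticed.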

The DDoS project received some pushback ahead of its December launch over plans to include the 2015 Ashley Madison leak, which exposed thousands of users of the infidelity dating site. Best rethought the plan and now keeps that leak offline, along with other sensitive database breaches primarily affecting people who aren’t public figures.

Though the project is less than two months old, Best is already feeling the creeping paranoia that comes with publishing secrets. At one point, while compiling the Russia leaks, she and her colleagues thought they detected signs of potential “cyber shenanigans” aimed at interfering with the release. They reacted quickly.

“We moved things up and sent copies to several servers and arranged for some secure offline storage by third parties,” she said. It may have been nothing, Best added. “We opted for caution.”
