How the Kremlin Handles Hacks: Deny, Deny, Deny
The U.S. presidential election has made "Russian hackers" a powerful brand. There is, however, another that surpasses it: Ukrainian hackers. And the story of their most recent hack contains valuable lessons for U.S. politicians, particularly Hillary Clinton and the Democrats.
A Ukrainian hacker collective calling itself CyberHunta -- a mocking reference to Russian propaganda outlets' moniker for the Kiev government, the junta -- claimed on Oct. 23 to have broken into an electronic mailbox that belongs to Vladislav Surkov, President Vladimir Putin's adviser for dealing with former Soviet breakaway regions. The purported hacked e-mails supposedly contain sensitive information, including, for example, a lengthy plan of "urgent measures for the destabilization of the situation in Ukraine."
Unlike Clinton's allies after their e-mails were published, the Kremlin immediately denied the authenticity of the leaked communications. Putin's press secretary, Dmitri Peskov, told reporters that Surkov didn't use e-mail, so those who claim to have broken into his mailbox "must have had to sweat quite a lot" to forge messages.
Peskov's denials have been refuted. The Atlantic Council's Digital Forensic Research Lab explained that the hackers' proof -- a large Microsoft Outlook data file -- contained header information for 2,237 messages, which would have required an impossible amount of sweat to forge. Besides, like any normal mailbox -- that of Clinton aide John Podesta, for example -- email@example.com received plenty of routine and spam messages. They were all in the Ukrainian data dump, and they were consistent with those other Moscow recipients got at the same time.
The denial, however, precluded journalists from asking the Kremlin about the stolen e-mails again, and it cast just enough doubt on the Ukrainian feat to make the story a little less newsworthy. The Democrats could have said the WikiLeaks e-mails were forged or doctored -- and no one could have proved otherwise.
Besides, there was a grain of truth in the denial, which contains an even more important tip for the Democrats. The cautious Surkov, indeed, doesn't send or receive messages himself; he is known to always correspond through intermediaries, sometimes asking them to reply to an e-mail, sometimes calling a correspondent on the phone. The firstname.lastname@example.org mailbox was checked by two women, presumably Surkov's assistants. No outgoing e-mails were directly from him.
This is a rather secure way to conduct one's affairs. Surkov doesn't even have to use encryption: His involvement in a matter cannot be proved by any kind of electronic trail. If people send documents to his office, it's their affair, not his.
Here's an example described by the Atlantic Council's Digital Forensic Research Lab. A Moscow magazine editor sent an "open letter from the residents of the Donbass" to a government official for approval and editing. The bureaucrat sent it on to Surkov's office. It's not clear whether Surkov saw or edited it, but a few days later the magazine published a slightly altered version of the "letter."
It's not clear what Surkov thought of the plan to destabilize Ukraine, sent to him by Pavel Karpov, alias Nikolai Pavlov, a Muscovite without an official government position who has often been seen in one of the rebel-held cities -- Luhansk -- coordinating the activities of pro-Russian forces. The plan called for infiltrating the Ukrainian parliament and civil society groups, providing anti-corruption activists with evidence of the misdeeds of President Petro Poroshenko and his allies.
So what if Karpov sent this document to Surkov? He might have spammed the entire Russian government with it. So what if a leader of the separatist Donetsk People's Republic sent financial plans and casualty lists to email@example.com? It's known that the separatists want Moscow's support, but there's no evidence Surkov reacted to the messages. So what if a wealthy ultranationalist, Konstantin Malofeev, who is suspected of financing Russian volunteer units that backed the pro-Moscow rebellion in eastern Ukraine, sent his proposed candidacies for the separatist "republics'" leadership to the address?
As things stand, the Ukrainian hackers, though they executed an admirable deed -- Russian government communications are better protected than those of the U.S. Democrats -- did not obtain any direct evidence of Surkov's personal involvement in the running of the separatist regions or the disruption of Ukrainian political life. There were no e-mails from Russian officials with formal roles in the government or on the presidential staff that would shed light on their role in the conflict. All kinds of freelancers and fringe characters wrote them -- but what does that prove?
The degree of Russia's involvement in eastern Ukraine is well-known, yet no one has evidence of specific Putin aides giving any incriminating orders.
It's a cynical but effective way to play the game if you believe you'll be hacked at some point -- and if your e-mails are of interest to a hostile party, you probably will be. I understand if the Democrats don't want to act the way Putin's people do: It may seem dishonest and distasteful. But it's less naive than their strategy of blaming Russia for everything that is revealed about them. They have only themselves to blame for not giving enough thought to security.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story:
Leonid Bershidsky at firstname.lastname@example.org
To contact the editor responsible for this story:
Max Berley at email@example.com