Skip to main content

Russian Cyber Forces

An evolution of approaches to cyber security started well before Russia deployed its troops on the field of hybrid aggression against countries of world. And if it took on average 4 years from the start of aggression against Ukraine for Western countries to believe in the threat of disinformation to their national security, the fights in cyber space against the Russian special forces already was a routine job. Starting with Russian attack against Estonian bank system back in 2007, and ending with exemplary case of cyberoperation directed against the infrastructure: the Stuxnet worm, directed against the nuclear centrifuges of Iran factory for uranium enrichment.

Yet even in this area there were some tectonic movements caused by a crude and unpunished actions of Russian intelligence in the digital space. In the beginning the term “cybersecurity” was confused with term “informational security”, because of close attention of the media experts to this topic, who often confused the terms, even on cameras and TV screens.

But the questions of cybersecurity are much more palpable, both in terms of their description and in terms of their financing. To demonstrate how seriously US treats these questions, Pentagon even cemented the cyberspace in the new military doctrine, as a “fifth bettlefield” (along with earth, sea, sky and cosmic space).

But it didn’t help much to clarify the usage of “informational space” and “informational security” terms, even though the “well known expert” Anton Vaino, an author of ridiculous concept of non-existing device “nooscope”, became a Chief of Staff of the Presidential Executive Office for Vladimir Putin. Western world is not used to a concepts as ethereal as this one. That’s why they focus on existing problems, trying to understand the landslide of Russian attacks.

The Evolution of Cyber Attacks

The main problem of the traditional approach to the “fifth battlefield” (a cyberspace) is that the toolkit of hybrid war extended the options of how to use the results of cyber attacks. Now the hands reach much further, well beyond the digital sphere and infrastructure.

We can say that the main goals of interfering with automated systems were:

  • first, to get a classified or privileged information which was sent through the communications.
  • second, causing harm or complete destruction of the infrastructure.

First kind of attacks is a feature of intelligence services. One of the examples of attack like this could have been the hacking of servers of US Democratic Party, if not for a little detail we will explain later in this article.

A second kind of attacks, from a logistic point of view, is a part of an arsenal of military forces or a Ministry of Defense, as another way of hitting the enemy and his infrastructure.

We should differ between the risks of the disclosure of origins and initiators of attack. Military operations of causing harm are deliberately more crude in nature, and they can lead to the source of attack. A lead like this is called an “attribution”, the factual evidence of the traces of attacker.

In the same time in case of operation of information espionage the victim may not realize that its messages are read by someone else. And that gives to the intelligence a constant and reliable source of information. Only the moron will publish the results of the information stolen, thus depriving himself from the chance to keep getting the information in future — as it was with the case of US Democratic Party mail servers hacking.

This is indeed one of the exemplary cases of how Russian hackers are hacking mailboxes not to steal information for the use, or not to benefit from selling it, but specifically to leak it into the public space. And that’s even though that every hacking attempt requires some investing, both of time and, sometime, finances. So where’s the profit?

It’s quite simple actually. There is a third category of cyber attracks added recently, which is actively used by Russian side — a hacking with a goal of publishing of information and a future influence onto media and informational space.

This is one of the crucial instruments for hybrid aggression. The particular subjects of Russian special forces are not interested in the long-term strategic operations against the Western countries. While fighting for their place under the sun (in other words, for their place next to Putin), they gamble, by organizing tactical operations, and not thinking about the consequences. And this makes them vulnerable.

Hack and Leak

It is media themselves who are guilty for making this kind of operation to be super-effective. Well, who would not be tempted to share some shocking revelation story  without any proofs? “I’m a journalist, my task is to present a reader with an information to let him make a decision…”

To exploit such position of journalists blog Guccifer 2.0 was used, as was used before the world-wide-known web site WikiLeaks of Julian Assange. United States Department of Justice connects both of them with Russian military intelligence. A man hidden behind the Guiccifer 2.0 nickname even started his personal blog to comment on Hillary Clinton’s associates messages, leaked into the public access. But the chance is high for him being merely a smokescreen for a hacker group controlled by a Russian Main Intelligence Directorate. Regarding the Assange’s collaboration with Russian intelligence, we only can wonder who still has any doubts in this fact.

Thus, it is obvious that the real goal of hackers were not the leaking of mail messages itself. The main goal was to destabilize the American political landscape. And it followed, after each and every respectful (and not respectful) media started to discuss and comment on the leaks. So, the real goal was an informational influence on media space and on people’s perception.

Who’s Behind the Façade?

Even though Western special forces and US Department of Justice already made public a good share of information about particular subjects of Russian cyber attacks, the main source of information about who really is behind the Kremlin cyber attacks is a conflict between Sergey Shoygu (Russian Minister of Defence) and Russian Main Intelligence Directorate, at one side, and Russian Foreign Intelligence Service and Federal Security Service on the other side.

Media already has so much information on Russian intelligence structures, that merely listing them all is a hard task.

Thus, for example, the indictment of US Department of Justice mentions the particular divisions ( of Russian Foreign Intelligence Service in Moscow: a military base #26165 (also known as “Main special service center of Foreign Intelligence Service #85”, located on 20 Komsomolsky avenue) and military base #74455 (located in Khimki satellite city, 22 Kirov street). Daniil Turkovsky, a journalist of “Meduza” media, described ( a similar structures more than a year ago.

Media also has a lot of information onto so-called “science squadrons” ( which were invented and created by Russian Minister of Defence Sergey Shoygu in 2012 (for example a 9th science squadron, located in Tambov).

But the experience of studying Russian special operations tells us that official structures and divisions often play no role at all in the “real fights”. All the more they are not suitable for domestic usage, as shows the case of “Shaltay-Boltay” (“Humpty Dumpty”) group.

The victims of hacking and leaking by “Humpty Dumpty” group were: the famous “Putin’s cook” Yevgeny Prigozhin, the head of domestic affairs department of Presidential Administration of Russia Timur Prokopenko, and the former head of Ministry of Defense department of construction Roman Filimonov. That’s after hacking of mailbox of Filimonov’s assistant, which had some seriously sensitive documents in it, “Humpty Dumpty” members sent ( a letter to Sergey Shoygu suggesting he should shoot himself or resign. Shoygu was taking this very personally, and he started ( to retaliate.

As it often happens in Russia, it soon became known that behind the “Humpty Dumpty” group hides the Center of Information Security of Federal Security Service. To somehow sweep the story under the rug, the participants of these special operations were (metaphorically) thrown into the lion’s cage. The head of Center of Information Security of Federal Security Service Sergey Mikhailov and his deputy Dmitry Dokuchaev were arrested and charged ( with treason.

More members of the “Humpty Dumpty” group were arrested ( and jailed: Vladimir “Lewis” Anikeyev, Alexander Filinov and Konstantin Teplyakov. The head of Center of Information Security of Federal Security Service general Andrey Gerasimov was dismissed. Sergey Mikhailov was also made responsible ( for leaking the data of hackers who hacked DNC.

The whole story of the incident ( with Center of Information Security administration is well known to the Ukrainian hackers from Ukrainian Cyber Alliance, who commented ( on it not once.

It seems that an important link of Russian cyber-forces chain, and the one connected with Federal Security Service, took a hard blow from its political opponents. But then the officers of Main Intelligence Directorate, including those working in the same cyber sphere, have one fail after the other. In September 2018 in Netherlands two Russian spies are detained (, who intended to get the information from the chemical laboratory in Spiez, Switzerland — the laboratory which investigates the chemical attacks in Syria and Great Britain. It is mentioned that Russian spies have some hacking equipment with them. Do we need to remind you which one of Russian lame security forces got their hands burnt on chemical attack itself?

Thus, what we have here ( Are these two professional teams in cybersports, which compete in the senseless and merciless Russian championship?

The team of Federal Security Service and Foreign Intelligence Service:

  • Center of Information Security (“Humpty Dumpty” group)
  • APT29 (“The Dukes” / “Cozy Bear”)
  • 16th center of Federal Security Service
  • 18th center of Federal Security Service
  • TURLA (Snake/Uroburos).

The team of Minister of Defence of the Russian Federation Sergey Shoygu and Main Intelligence Directorate

  • 6th Directorate
  • APT28 (“Sofacy” / “Fancy Bear”).

Why Main Intelligence Directorate hackers suck?

On July 13th 2018 the court of Columbia state pronounced the indictment for Russian citizens suspected in cyber attacks against Democratic National Committee and the Democratic Congressional Campaign Committee during the presidential election campaign in USA in 2016. The analysis of this document shows that hackers used everyday instruments and self-made software to launch the directed attacks and to infiltrate the networks of DNC and DCCC.

First the infiltrated the DCCC computer network by sending fishing e-mails to a notable participants of Hillary Clinton’s presidential campaign.

Then, after getting access to computers inside the network, the installed the malware X-Agent and X-Tunnel, connected to the control server to extract and transfer the stolen data.

Finally, they switched onto disclosure of confidential documents and personal data through the web sites and Twitter accounts Wikileaks, Guccifer 2.0).

In the process of these actions, hackers of Main Intelligence Directorate left a lot of traces. Some e-mails and accounts and servers were re-used for different stages of the process, for hacking, data extraction and disclosure of information. For example, they used the same e-mail account to lease the web server for fishing operations conduction, and, in the same time, the same e-mail was used to register the Bitcoin account, used for payment for web domain name.

More even, the same computer infrastructure and proxy server located in Malaysia, hosted the accounts of DCLeaks and Guccifer. This proves the fact that the hacking and data extraction were intended to publish them in open access later. Or, to influence the media environment.

The next fail of Main Intelligence Directorate hackers were in the usage of some servers, which were located physically in the data processing centers in USA, including the control server which was used as a main tool for hacking, because all the infected computers will connect to it.

That’s how they made the job easier for them from the technical point of view, but in the same time it was easier for US forces to get the physical access to servers and to conduct all the necessary examinations to find the traces of hackers.

Let’s continue. Hackers used the same hacking tools few times, leaving the same “digital fingerprints”, which was something Putin was very offended with, when he was asked about them on the press conference. The source code of X-Agent was very similar to the one “Fancy Bear” used in past.

Hackers used the same device and the communication channel to log into different accounts. More even, the logging into Guccifer Twitter account was made, apparently, from the Main Intelligence Directorate building in Moscow.

Some of the payment systems accounts were used more than once for paying for online services: servers, domain names etc. Aside from this, some electronic wallets were disclosed by American service providers, which again gave the opportunity to US forces to find all the necessary information and to get the proofs of “digital fingerprints”.

Some data for the investigation was provided by the Dutch intelligence, which may be a proof that Netherlands feel at home in Main Intelligence Directorate computer systems since 2014 approximately.

Analysis of all these fails allows to make three conclusions. First of all, we cannot eliminate the possibility that people employed by Main Intelligence Directorate simply do not have adequate hacking skills. And even when they are successful in hacking someone, there are little issues with finding and attribution of the forces behind the operation.

Second. Perhaps the poor hackers are exploited, and work under constant pressure of the administration, because in structures like that you always need to do something yesterday. Being under pressure, they make mistakes, which against tells us that the intellectual level of their management leaves to desire.

Third. Some Western experts claim that such obvious negligence is a part of show-off. As in “See how we can hack you, and you can’t do anything about it. Some hackers apparently don’t even bother to hide their traces.

This explanation is not quite probable, as in any case this undermines Putin’s positions on the world political arena. Though if you take into the account that Kremlin special forces always fighting each other and try to frame each other, we cannot exclude the possibility that negligence like this is merely to blame the opponent from another special force.

У самурая нет цели, есть только путь. Мы боремся за объективную информацию.
Поддержите? Кнопки под статьей.