Russia: Analysis of Hacker Attacks On Bloggers

Over the last five years, more than 40 RuNet bloggers have become targets of hacker attacks, most of which were carried out by a group of hackers named The Brigade of Hell. The hackers’ targets have been both political and commercial bloggers. After defacing and deleting content of their victims, hackers have received no punishment. Moreover, it's been recognized that the group receives orders from high-ranking government officials when employed to attack political bloggers.

The Brigade of Hell, a territorially-dispersed network consisting of nearly 20 bloggers and IT-specialists, is headed by a Germany-based hacker who calls himself Hell (also known as Helloween, Torquemada, Hacker Hell, or Great Hacker Hell). According to Vladimir Pribylovski [EN], a renowned dissident, historian, political analyst, and the main investigator of hacker attacks on bloggers, the group is coordinated by Timofei Shevyakov [RUS], a lead analyst of the pro-Kremlin resource politonline.ru and a former employee of the Foundation for Effective Politics [EN], the main pro-Kremlin political think tank.

Screenshot of the site "Virtual Inquisition"

A screenshot of the site "Virtual Inquisition", the main medium of hacker 'Hell'.

The first attacks began at the end of 2005 and were initially carried out by Hell and another highly-skilled hacker, Kazakhstan-based Yuri Makhno [RUS] (also known as maxho_mactep, mactep_maxho). The first hacker attacks were performed in two steps. First, a hacker would get access to the blog (most of the hacked accounts were based on LiveJournal), deface it, and delete the content. Then, another hacker would contact the victim offering help in restoring access to the blog in order to gain the victim's trust. Everything would happen within several hours of the hacking action, so the blogging platform's technical support had little or no time to intervene. After the initial attacks, LiveJournal started to make backups for all the blogs it hosted.

As the Russian election period was approaching (the parliamentary election in December 2007, the presidential election in March 2008), the activity of the hacker group rose exponentially. Eighteen of the 43 known hacker attacks took place during 2007. Both liberal and conservative political bloggers were attacked (including a nationalist politician Viktor Alksnis [EN], as well as a number of websites of the liberal “Yabloko” [EN] party). At the same time, journalists and investigative bloggers were attacked (e.g., a top-ranking blogger Andrei Malgin [RUS], or Yelena Tokareva, executive editor of the online tabloid stringer.ru). A full list of hacked accounts with dates of the attacks and background on the Brigade of Hell is available here [RUS].

Another case, when a hacker attack was used for a political reason, was the Russian-Georgian war of August 2008. The blog of Oleg Panfilov [RUS], a Russian journalist who took the Georgian side in the conflict, was hacked two weeks after the start of the war. Later, Panfilov himself had to move to Georgia due to personal security reasons: he had received several threats of physical reprisal.

The blog of Vladimir Varfolomeev [EN], deputy executive editor of the liberal radio station Echo Moskvy, was hacked after a critical post on Russian economy and censorship practiced in Russian newspapers: he had claimed that newspapers were forbidden to use the word “crisis” and to write about the recession. A couple of months later, the exchange rate of the Russian ruble rose almost twice towards the U.S.. dollar, while the country's economy faced a downfall as a part of the global recession [EN]. Varfolomeev later explained [RUS] the attack:

Кто-то считает, что взлом блога готовился давно. Скорее всего, так и было – сигнальчики в виде соответствующих угроз поступали периодически.
С другой стороны, думаю, последней каплей стал недавний пост о кремлёвской финансовой цензуре, уж слишком большой и серьёзный отклик он вызвал.

Some people think that the hijacking of the blog had been prepared long in advance. Probably it was like they said – from time to time, I used to receive signals with threats. On the other hand, I think the last straw was my recent post about the Kremlin's financial censorship; it got way too much exposure.

Most of the hijacking cases were carried out through e-mail hacking. The New Times explained [RUS] how it worked: hackers were combining technical and “social” methods of hacking, researching their targets, then hijacking e-mail accounts with the help of additional questions (mother maiden's name, pet's name, etc.), and then attacking blog accounts.

Explanations of hacker attacks were often posted at the ‘official’ website of the hacker group called Virtual Inquisition [RUS] (the site seems to be authentic). The language of the site is a highly transformed Russian Internet slang with lots of cursing and personal threats towards earlier and potential future victims.

However, by the end of 2009, hacker attacks stopped. Not for a long time, though: in spring 2010, they resumed. This time, they were aimed at commercial bloggers (those who earn money by promoting certain products or services). In March 2010, the blog of Igor Bigdanov, one of the top Ukrainian bloggers, was hijacked [EN]. Somewhat later, the blog of another top-ranking paid blogger Maxim Sviridenkov was hijacked and defaced [EN]. Hackers also attacked Sviridenkov's supporter Renata Guseletova, who declared publicly that hackers should be prosecuted. The attacks on the blog and Facebook account of journalist Igor Maltsev took place next [EN].

After the attack, Sviridenkov called for justice [RUS], especially considering the fact that the alleged hacker lived on the territory of the European Union (several victims spotted German IP-addresses of several attacks) – he asked his readers to spread the news about the attack. To back up his words with actions, Sviridenkov filed a complaint [RUS] with the Russian police.

Several conclusions can be made. First, every blogger (both in Russia and elsewhere) is a potential target of blog hijacking as long as the Brigade of Hell exists. Currently hackers enjoy impunity, while bloggers can only resort to tightening blog and e-mail security, but cannot rely on legal enforcement. Second, currently the hacker group is not receiving orders to attack political bloggers, but is spending its time on commercial cases. However, this is likely to change closer to the upcoming elections. Third, the most significant hacker methods are social – bloggers who deal with controversial issues should be careful about the information they leave about themselves on the Web.

7 comments

  • Did the “group of hell” attack other bloggers than Russian? Have it worked with other governments other than Russian? In Madagascar, we did not reach that level of threat yet but I tend to think potential attacks against Madagascar-based bloggers remains possible. The Malagasy transitional government (known as the HAT: High Authority of Transition, led by Andry Rajoelina, a former DJ who took over the power on March 17th, 2009) does not like opposition press (case of Fahazavana radio, a protestant FM radio which was shut by the government on May 20th 2010 – 10 journalists working for this radio were imprisonned) (case of Radio MADA, a FM radio which belonged to the former president Marc Ravalomanana, which has been shut by the government) but they can not “control” Malagasy bloggers who are very active. It is possible that the Malagasy government hires the “services” of the Group of Hell to deface and delete us …

    • Dear The Cyber Observer,

      Up to the present moment I don’t have any information that would confirm attacks of this hacker group beyond the ‘borders’ of the Russian segment of the Internet. I assume, the interest of such group, as well as other hacker groups that aren’t practicing political hi-jacking so far, in blog attacks depends on the ability of potential clients (governments in this case) to pay. The governments, however, might not be aware of such thing as political blog hi-jacking. Which leads us to a conclusion that this might be practiced elsewhere.

  • […] (Russian liberal politician and a former Soviet dissident) LiveJournal account [RUS]. “The Brigade of Hell,” dispersed group of generally pro-Kremlin hackers, took the responsibility for the attack. […]

  • […] Hell, a German-based cyber-criminal (still not arrested) who has a reputation of hacking accounts of opposition activists, gave an interview [ru] claiming he hacked Navalny's mailbox in late summer. Then he […]

  • […] Hell, a German-based cyber-criminal (still not arrested) who has a reputation of hacking accounts of opposition activists, gave an interview [ru] claiming he hacked Navalny’s mailbox in late summer. Then he […]

  • […] interjúban Hacker Hell német online bűnöző (még mindig szabadlábon), aki hírnevét ellenzéki aktivisták felhasználói fiókjainak feltörésével szerezte [en], azt állította, ő törte fel Navalnij e-mail fiókját is. A megszerzett adatokat meg nem […]

  • […] interjúban Hacker Hell német online bűnöző (még mindig szabadlábon), aki hírnevét ellenzéki aktivisták felhasználói fiókjainak feltörésével szerezte, azt állította, ő törte fel Navalnij e-mail fiókját is. A megszerzett adatokat meg nem […]

Join the conversation

Authors, please log in »

Guidelines

  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.