Before they pulled off one of the most embarrassing cyber heists ever to hit the Kremlin, the hackers from the Ukrainian Cyber Alliance, who styled themselves as the online shock troops in Ukraine’s conflict with Russia, weren’t really on the radar. They had mostly spent the last two years on easy targets—the computers and cell phones of Russia-backed separatist rebels in eastern Ukraine, who are not known for their discipline when it comes to virus protection or, for that matter, anything else. Every once in a while, the hackers would also deface a Russian website, the cyber equivalent of spray-painting graffiti.
Victor Zhora, the head of Infosafe, one of Ukraine’s leading cyber security firms, had never met any of these hackers or heard much about them in the local tech community. “They just weren’t doing much,” he says—that is, until the past two weeks, during which they posted two troves of emails apparently stolen from the inboxes of Vladislav Surkov, the Kremlin’s former propaganda czar, who is now in charge of Russia’s shadow war in eastern Ukraine. Among the close aides to Russian President Vladimir Putin, Surkov is about as tough and consequential a hacking target as they come.
Which is partly why the hack looked so suspicious to Zhora and other cyber experts. Its sophistication seemed well beyond the reach of amateurs, as did its presentation, which featured slickly produced video announcements and textual analysis translated into five languages, including flawless English and, for some reason, Bulgarian. Ukrainian hackers had never pulled off anything close to this level of operation. “This clearly involved top-level professionals,” Zhora says. And based on the resources that would have been required, he suspects the hackers may have had help from a foreign intelligence service—most likely a Western one.
The timing would seem to support that theory. In a joint statement on Oct. 7, the U.S. Department of Homeland Security and the Director of National Intelligence formally accused “Russia’s senior-most officials” of authorizing the theft and disclosure of emails from Hillary Clinton’s presidential campaign and its allies in the Democratic Party, via WikiLeaks and other online conduits. A week later, Vice President Joe Biden said in an interview with NBC News that the U.S. would respond to these attacks “at the time of our choosing, and under the circumstances that have the greatest impact.” Pressed for details, Biden would only add that the U.S. was “sending a message” to Putin, and that he would know when that message arrives.
The following week, starting on Oct. 23, a group calling itself the CyberHunta, which is part of the Ukrainian Cyber Alliance, released the first batch of emails from a Russian government address that appeared to belong to Surkov’s office in the Kremlin. The documents showed in minute detail how Russia has micromanaged the separatist rebellion in eastern Ukraine over the past two years, picking its leaders, managing their finances and choreographing their propaganda.
Asked to respond, the Kremlin’s chief spokesman, Dmitry Peskov, dismissed the documents as an elaborate forgery, pointing out that Surkov is so cautious with his digital affairs that he does not even use email. This appears to be true from the hack, at least: all of the messages taken from his accounts were handled by intermediaries and assistants; none came directly from him.
But in a detailed analysis of the leaked emails, the Atlantic Council’s Digital Forensic Research Lab concluded that they are almost certainly genuine—though not exactly rich in surprises: “The Surkov Leaks,” the analysts said, “show us a picture of the conflict in Eastern Ukraine that we have long suspected: the Kremlin had a guiding hand in orchestrating and funding the supposedly local and independent government.”
More striking than the actual contents of the documents, however, was the sudden reversal in what had previously been a fairly one-sided cyber conflict between Russia and its rivals. It appears the “message” Biden promised to send Putin may have been delivered through Ukraine. “From a technical and operational point of view, this does look like a message in reply to the attacks on the U.S. electoral system,” says Zhora.
Biden’s office, as well as the spokesman for the Director of National Intelligence, did not respond to requests for comment. But Zhora is not the only expert to voice suspicion of U.S. involvement in the hack. Mark Galeotti, a senior researcher at the Institute of International Relations in Prague, and an expert on Russian intelligence services, told USA Today that, “This kind of a leak is enough to warn the Russians [that] the USA has certain capabilities and is willing to use them.” But, as he was also careful to stress, “we are a long way from having any evidence of this—if we ever will.”
Such plausible deniability seems to be the nature of cyber conflict going forward. In hacking the Clinton campaign and the Democratic National Committee, Russia appears to have used a series of intermediaries and decoys in order to maintain deniability and keep the state’s fingerprints as far from the hack as possible. According to the Oct. 7 statement from U.S intelligence agencies, these Kremlin fronts have included WikiLeaks and an “online persona” known as Guccifer 2.0, who claimed to be a lone Romanian hacker after he posted emails from the DNC.
For their part, the members of the Ukrainian Cyber Alliance, appearing in video interviews this week with Halloween masks over their faces, have denied being anybody’s sock puppet. “Ukrainian hacking groups have fairly high technical skills,” one of them told Reuters on Nov. 3. “And so there is no need for the U.S. or any other NATO country to support us. What’s more, it would be quite an extreme foreign policy move from the U.S.” But probably not extreme enough to make Russian hackers back off in the cyberwars to come.