Vladimir Putin's Cyber Warriors

The Kremlin's Ham-handed Effort to Squelch Online Dissent

Andrei Soldatov 

ANDREI SOLDATOV is the co-founder of the Web site Agentura.ru [1]. He is the author, with Irina Borogan, ofThe New Nobility: The Restoration of Russia’s Security State and the Enduring Legacy of the KGB [2].

Early on Tuesday morning, my Web site, Agentura.ru, which covers the activities of Russia's secret services, was shut down by a distributed denial of service (DDoS) attack. My technical staff and I were forced to reset the site's server every 15 minutes, but it didn't help: the site was down for the most of the day.

This came later than I expected: many independent Russian news and analysis Web sites faced attacks and disruptions on Sunday, the day of Russia's parliamentary elections, in which the party favored by Prime Minister Vladimir Putin, United Russia, suffered an embarrassing setback at the polls, even after engaging in widespread voting fraud.

In total, 14 sites were victims of DDoS attacks, including those of the radio station Ekho Moskvy, the newspaperKommersant, and Golos, the country's only independent election watchdog. Those Web sites were attacked as early as 6:40 on Sunday morning, according to Alexei Venediktov, Ekho Moskvy's editor-in-chief, and remained offline for the entire day. According to information-security experts at Yandex, Russia's largest search portal, more than 200,000 computers were turned into "slaves" for the DDoS attack, in which a targeted site receives so many requests for access that it simply shuts down. It is a simple, cheap, and effective way to disrupt a Web site, at least temporarily.

The attacked sites responded by migrating elsewhere. For example, the news portal Slon.ru and the Web site of the newspaper Bolshoi Gorod moved their content to the Web site of the television channel Dozhd. For their part, Ekho Moskvy and Golos used blogs on LiveJournal.com; when LiveJournal later came under attack, Golos switched to Google Docs to publish its data on electoral violations.

Putin's announcement in September that he, and not Dmitry Medvedev, would run for president in March prompted a backlash of renewed political activism among the Russian middle class. Many everyday citizens, along with journalists and activists, joined the ranks of volunteer election observers from the country's political parties for Sunday's parliamentary elections. They tried to prevent ballot stuffing, and documented violations with cell-phone cameras. The large-scale hacking attacks were clearly intended to prevent the news of these violations from getting out. Almost all the Web sites attacked on Sunday intended to publish Golos' data, which included video footage of ballot stuffing and photographs of banners for United Russia, forbidden on the day of elections.

The disabling of my Web site was part of the second wave of attacks. This phase had a different objective: instead of suppressing information about election fraud, the goal was to eliminate reporting about street protests against the election violations. On Monday, the small Web site Epic-hero.ru was attacked, apparently for announcing the first large-scale demonstration, at Chystie Prudi, a square in the center of Moscow. On Tuesday came an attack against Agentura.Ru, and on Thursday, an attack temporarily crippled the Web site of Novaya Gazeta, the newspaper that published Anna Politkovskaya, the journalist who was murdered in 2006 after years of reporting about Russian abuses in Chechnya.

Of course, DDoS attacks against Russian Web sites deemed to be hostile to the Kremlin are nothing new. This tactic first appeared in January 2002, when Russian hackers brought down for a day Kavkaz.org, the Web site of Chechen separatist fighters. It turned out that the perpetrators were students in Tomsk, a city in central Russia; the local department of the Federal Security Service was fully aware of the attack, putting out a press release that defended the actions of the students as a legitimate "expression of their position as citizens, one worthy of respect." Since then, what the Russian press calls "hacker patriots" have launched a series of DDoS attacks aimed at the Web sites of independent media sources in Russia, as well as at government agencies in Estonia, Georgia, and Lithuania. (The Russian state always denies responsibility for these attacks.)

What was new in the latest attacks, however, was that the DDoS campaign was combined with open government pressure. This was especially true in the case of Golos: a few days before its Web site was taken down, the organization was charged with violating Article 5.5 of the Russian Federation Administrative Code, which forbids the publication of voter polls less than five days before elections; its head, Liliya Shibanova, had her laptop confiscated at the Moscow airport by the customs service.

The very nature of the DDoS attack can make it extremely difficult to establish who is behind it. In May 2007, Estonia's foreign minister, Urmas Paet, accused the Kremlin of direct involvement in cyberattacks against the country, but the Estonian government failed to present proof, and in September 2007, Estonian Defense Minister Jaak Aaviksoo admitted that he had no evidence linking the attacks to Russian authorities.
 
This time, however, it would be difficult for the Kremlin to deny at least the encouragement of hackers, if not the direct involvement of state agencies in the attacks. The government used official and open pressure to try to prevent Golos from reporting violations; once that material appeared online, hackers tried to stop the information from spreading.
 
This strategy proved to be only partly successful: pages for posting and sharing information on electoral violations were quickly established on social networks, not just on news sites and blogs. And when LiveJournal, the most popular blog platform in Russia, came under attack, Facebook became the central clearinghouse for collecting information related to the elections and the protests that followed. Facebook is now the main online space for spreading information about the protests, much more popular than local social networks such as VKontakte. The next large protest is scheduled for Saturday, and the event group on Facebook already has more than 35,000 people signed up, compared to some 16,000 who have signed up via VKontakte.
 
This puts the Russian security services in a difficult position; they have no effective response to the problem posed by social networks. The monitoring of the blogosphere carried out by the Ministry of Interior and the FSB works only with open sources, using the so-called semantic approach to construct charts of acquaintances, ties, and views of chosen bloggers. Such surveillance is technically incapable keeping tabs on closed accounts, such as those on Facebook. 
 
The rise of Facebook in particular caught the siloviki, the country's secret service agents, off guard. They long disregarded Facebook because they believed it was the social network used mostly by a handful of journalists, experts, and westernized middle classes. The Kremlin was not concerned about this particular audience, focusing instead on dominating the mainstream media, such as the national television channels.
 
For monitoring or disrupting closed accounts on social networks, Russian law enforcement agencies have only one solution. According to Russian law, the licenses issued to Internet providers and hosts require firms to provide access to their servers to the security services without informing site owners. Russian social networks such as VKontake are subject to this law, but Facebook is not.
 
The FSB is clearly interested in interfering in political activism in Russia's social networks. On Thursday, Pavel Durov, a founder of VKontakte, reported that the FSB requested that his site close down an online protest group; so far, the network has refused to comply. The next day, Durov published a scan of the request, issued by the FSB department in St. Petersburg, signed by an FSB general named Andrei Ruchiev, to close down seven event groups related to the protests on the Web site. (On Friday, Durov was summoned to the Saint Petersburg prosecutor's office, in apparent retaliation for leaking the FSB request.)
 
Facebook, by virtue of being a foreign company, is clearly a different matter. The Chinese way of solving the problem -- to allow people to use a new social communication product until a Chinese equivalent is developed -- seems to be out of question. (Today, China has XiaoNei, instead of Facebook, and Weibo, instead of Twitter.) This is unlikely for Russia in advance of presidential elections in March, since it would be nearly impossible to approve the necessary legislation to ban the use of Facebook in time.
 
All this suggests that although the combination of hacker attacks and pressure from the state might be frightening, neither can inflict too much damage. It may be intimidating when, for example, all my passport pages are copied by an FSB official whenever I pass through border control at the airport, but the work of my Web site is relatively secure. Agentura.ru is already hosted abroad, with the international domain name registered in the United States, not Russia, meaning the FSB has no legal ability to order it taken down as the agency could with Russian-hosted Web sites.
 
This leaves the authorities with only the most crude and obvious measures of control, such as preventing protests by closing off Moscow's central squares for last-minute "construction" projects or moving the sanctioned area of protest to another location, confusing would-be participants. And when crowds do assemble, all the Kremlin can do is gather more police units and internal ministry troops, using brutal detention tactics against protesters. This strategy is shortsighted and ultimately counterproductive, because now every instance of police repression is extensively reported on Facebook and provokes a new wave of political uproar.

Published at Foreign Affairs 9.12.2011