Analysing the first instance of hacktivism in the Russian invasion of Ukraine

The file mil.ru.zip contained nine files.

Four of those files were .asc files. When examined, these were found to be public encryption keys. Public keys are obtainable online by their very nature, public keys must be shared so that people can encrypt information with them that can be decrypted by the corresponding private key. If these particular keys are from a hacked Russian website as alleged, they are likely also available online.

The data.txt file contained information about open source libraries, so again if this was taken from a hack this is information that is available online.

The gov.ru & mil logins.txt contains emails and passwords, those will be examined.

Packages.gz contains VLC packages. VLC is widely used open source software, so again information available from the public domain.

The file passwd.txt doesn’t contain passwords as one might assume, it contains generic file paths, notably some containing English names. It is possible these file paths came from a hacked system, but given the generic nature of the file paths and that some of them had English names it is deemed unlikely they came from a system belonging to the Russian government.

Finally, vlc_0.8.6a-jb-videolan-1.tar.gz contained files such as open source libraries for VLC.

Why any of the files surrounding gov.ru & mil logins.txt were included in the leak is unknown as they don’t add to the authenticity of the leak.

gov.ru & mil logins.txt contained 117 emails with plaintext passwords. Given that this is alleged to be a leak of an official Russian government website, more emails would be expected.

There are also some notations through the file, stating that some emails and passwords were dumped as part of the cfire-mail.ru leak of 2014, a combined hack of three separate gaming related forums. That hack resulted in, among other details, usernames and hashed passwords being leaked.

This hack is an example of why work email addresses shouldn’t be used for registering personal accounts on websites.

Many of the weaker passwords were also cracked. According to Zdnet, “the most common four passwords were some combination of “123456789”, which in part made it easier to determine a significant portion of the leaked passwords.” This is reflected in the gov.ru & mil logins.txt list with multiple passwords being simple numeric combinations.

Most of the passwords in gov.ru & mil logins.txt are also short and lacking complexity. It would be expected that even if the specific government systems didn’t mandate strong passwords that in a security conscious cohort there should be some long passwords showing complexity. At first glance, gov.ru & mil logins.txt does look like a subset of a wider dataset, the weak passwords that were able to be cracked. This aligns with the cfire-mail.ru leak, but isn’t concrete proof the entire contents came from that prior leak.

It is notable that the emails in gov.ru & mil logins.txt don’t seem to follow any strong naming convention. Some appear to be partial first names and last names, some are just first names, some are numbers like 123, some are a full first name with an underscore and then two letters, some are government department names. If they had come from a single government department, while some emails may diverge it would be expected that an overall naming convention would be discernible.

Some, strangely, are also outright English names.

The emails in gov.ru & mil logins.txt are split into two lists, a larger gov.ru list and a smaller mil.ru. The passwords for the gov.ru list all use characters from the English alphabet or numbers. Some use outright English words. There appear to be no anglicised Russian words and there are no Cyrillic characters used. This is odd given the passwords are reported to have come from a government department that doesn’t speak English as a first language.

The mil.ru list has some Cyrillic character passwords, along with some English characters and words, which is more in line with the alleged source of the leak. Some passwords are notably anglicised versions of the name used in the email. This is again expected, but is bad password practice as it makes the password easier to guess.

It is impossible to identify the exact source of the information in the alleged leak. However, when assessing all of this information together, it is deemed unlikely that this first alleged leak came from a hacked Russian government website.

Given some emails are known to have appeared in earlier breaches that were not related to the Russian government, and the weak characteristics of the passwords appearing to be a subset of cracked passwords from a larger dataset, it is more likely that this password list has been cobbled together from multiple prior leaks with cracked passwords. Given the irregularities in the emails and passwords, some parts of the list may be fabricated, or at least altered.

There is an outside possibility that the contents of gov.ru & mil logins.txt came from a hacked Russian government website and the contents of the file are just the easily crackable passwords. But the question remains, if the intent of the leak was to cause damage, why not leak everything obtained and let others try and crack the remained difficult hashes?

The utility of a viral social media post claiming that a Russian government website was hacked is likely more impactful than the contents of the alleged leak itself, and may have been the original goal.

As the war in Ukraine continues, people are advised to remain vigilant and critical of the information about the conflict they consume.