Analysing the first instance of hacktivism in the Russian invasion of Ukraine

March 8, 2022
A leaked file, mil.ru.zip, has been claimed to have been taken from a Russian government website. Arachne Digital obtained a copy of the information and analysed the contents.

by Kade Morton (CEO)

Introduction

At the beginning of the recent conflict between Russia and Ukraine, a zip file named mil.ru.zip was uploaded to a clear web file sharing site, and posts on social media claimed that its contents had been taken from a Russian government website. The posts claimed that the site had been hacked in retaliation for the Russian invasion of Ukraine.

The post went viral; however, the .zip file quickly had a password placed on it to prevent downloading. Arachne Digital obtained a copy of the leaked information and analysed the contents. While there has been news coverage of this alleged hack and of multiple others since then, there has been little coverage of the exact contents of that first alleged leak. News outlets such as Vice Motherboard said on their Cyber podcast that they had held off reporting on the contents because they couldn’t verify their authenticity.

Given that news reports continue to swirl around hacktivism on both sides of the conflict with little to show in the way of real-world impact, Arachne Digital has decided to break down this first leak as an illustration of how murky claims of hacking can be at this stage of the conflict.

The Contents of mil.ru.zip

The file mil.ru.zip contained nine files.

Four of those files were .asc files. When examined, these were found to be public encryption keys. Public keys are obtainable online by their very nature: a public key must be shared so that others can encrypt information with it that only the corresponding private key can decrypt. If these particular keys are from a hacked Russian website as alleged, they are likely also available online.

The data.txt file contained information about open source libraries, so again, if this was taken from a hack, it is information that is already available online.

The file gov.ru & mil logins.txt contains emails and passwords; these are examined in the Analysis section below.

Packages.gz contains VLC packages. VLC is widely used open source software, so again this is information available from the public domain.

The file passwd.txt doesn’t contain passwords, as one might assume from the name; it contains generic file paths, notably some containing English names. It is possible these file paths came from a hacked system, but given their generic nature and the English names in some of them, it is deemed unlikely they came from a system belonging to the Russian government.

Finally, vlc_0.8.6a-jb-videolan-1.tar.gz contained files such as open source libraries for VLC.

Analysis

Why any of the files accompanying gov.ru & mil logins.txt were included in the leak is unknown, as they don’t add to the authenticity of the leak.

gov.ru & mil logins.txt contained 117 emails with plaintext passwords. Given that this is alleged to be a leak of an official Russian government website, more emails would be expected.

There are also some notations through the file stating that some emails and passwords were dumped as part of the cfire-mail.ru leak of 2014, a combined hack of three separate gaming-related forums. That hack resulted in, among other details, usernames and hashed passwords being leaked.

This hack is an example of why work email addresses shouldn’t be used for registering personal accounts on websites.

Many of the weaker passwords were also cracked. According to ZDNet, “the most common four passwords were some combination of ‘123456789’, which in part made it easier to determine a significant portion of the leaked passwords.” This is reflected in the gov.ru & mil logins.txt list, with multiple passwords being simple numeric combinations.

Most of the passwords in gov.ru & mil logins.txt are also short and lack complexity. Even if the specific government systems didn’t mandate strong passwords, in a security-conscious cohort some long, complex passwords would be expected. At first glance, gov.ru & mil logins.txt looks like a subset of a wider dataset: the weak passwords that could be cracked. This aligns with the cfire-mail.ru leak, but isn’t concrete proof that the entire contents came from that prior leak.

It is notable that the emails in gov.ru & mil logins.txt don’t seem to follow any strong naming convention. Some appear to be partial first names and last names, some are just first names, some are numbers like 123, some are a full first name followed by an underscore and two letters, and some are government department names. If they had come from a single government department, even though some emails might diverge, an overall naming convention would be expected to be discernible.

Some, strangely, are also outright English names.

The emails in gov.ru & mil logins.txt are split into two lists, a larger gov.ru list and a smaller mil.ru list. The passwords in the gov.ru list all use characters from the English alphabet or numbers. Some use outright English words. There appear to be no anglicised Russian words, and no Cyrillic characters are used. This is odd given that the passwords are reported to have come from a government department that doesn’t speak English as a first language.

The mil.ru list has some Cyrillic character passwords, along with some English characters and words, which is more in line with the alleged source of the leak. Some passwords are notably anglicised versions of the name used in the email. This is again expected, but is bad password practice as it makes the password easier to guess.
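The checks described in the last few paragraphs (entry counts per domain, short or numeric-only passwords, Latin versus Cyrillic character use, passwords that reuse the name in the email, and whether the email local parts share a naming convention) can be applied mechanically when triaging a credential list of this kind. The script below is an added example written for this article, not code from Arachne Digital; it assumes an “email:password” line layout (the page does not state the file’s exact layout), uses a constructed sample rather than the leaked data, and its weakness threshold and transliteration table are simplifications chosen here.

```python
"""Heuristic triage of a leaked "email:password" list (added example).

Summarises, per email domain, the signals discussed above: entry count,
numeric-only and weak passwords, Cyrillic use, passwords derived from the
email local part, and the spread of email naming patterns.
"""
import re
from collections import Counter

# Constructed sample; every address and password is invented for illustration.
# "#" lines stand in for the dump annotations mentioned in the analysis.
SAMPLE = """\
ivanov_iv@gov.ru:123456789
petrova@gov.ru:password1
123@gov.ru:12345
johnsmith@gov.ru:summer2014
finance@gov.ru:qwerty
secretariat@gov.ru:Vx7#pL9qRt2m
# dumped in cfire-mail.ru 2014
sidorov@mil.ru:сидоров
alex@mil.ru:alex1985
kuznetsova@mil.ru:Тверь2012
"""

# Simplified Cyrillic-to-Latin table (assumption: one common romanisation).
TRANSLIT = {
    "а": "a", "б": "b", "в": "v", "г": "g", "д": "d", "е": "e", "ё": "e",
    "ж": "zh", "з": "z", "и": "i", "й": "y", "к": "k", "л": "l", "м": "m",
    "н": "n", "о": "o", "п": "p", "р": "r", "с": "s", "т": "t", "у": "u",
    "ф": "f", "х": "kh", "ц": "ts", "ч": "ch", "ш": "sh", "щ": "shch",
    "ъ": "", "ы": "y", "ь": "", "э": "e", "ю": "yu", "я": "ya",
}


def translit(s):
    """Lower-case s and romanise any Cyrillic letters; Latin passes through."""
    return "".join(TRANSLIT.get(ch, ch) for ch in s.lower())


def parse_lines(text):
    """Yield (email, password) pairs, skipping blanks and '#' annotations."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        email, sep, password = line.partition(":")
        if sep and "@" in email:
            yield email.lower(), password


def password_profile(pw):
    """Length, character classes, and a simple weakness flag for one password."""
    classes = set()
    for ch in pw:
        if "\u0400" <= ch <= "\u04FF":
            classes.add("cyrillic")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isalpha():
            classes.add("latin_upper" if ch.isupper() else "latin_lower")
        else:
            classes.add("symbol")
    # Assumed threshold: under 10 characters or fewer than 3 classes is "weak".
    weak = len(pw) < 10 or len(classes) < 3
    return {"length": len(pw), "classes": classes,
            "numeric_only": classes == {"digit"}, "weak": weak}


def derived_from_email(email, pw):
    """True if the password contains the name stem of the email local part,
    comparing after romanisation so Cyrillic passwords are caught too."""
    local = email.split("@", 1)[0]
    stem = re.split(r"[._\d]", local)[0]
    return len(stem) >= 3 and stem in translit(pw)


def email_pattern(email):
    """Bucket the local part into the naming shapes the analysis lists."""
    local = email.split("@", 1)[0]
    if local.isdigit():
        return "numeric"
    if re.fullmatch(r"[a-z]+_[a-z]{2}", local):
        return "name_underscore_initials"
    if re.fullmatch(r"[a-z]+\.[a-z]+", local):
        return "first.last"
    if re.fullmatch(r"[a-z]+", local):
        return "single_word"
    return "other"


def summarise(text):
    """Aggregate the per-entry signals by email domain."""
    by_domain = {}
    for email, pw in parse_lines(text):
        domain = email.rsplit("@", 1)[1]
        d = by_domain.setdefault(domain, {
            "entries": 0, "numeric_only": 0, "weak": 0, "cyrillic": 0,
            "derived_from_email": 0, "patterns": Counter()})
        prof = password_profile(pw)
        d["entries"] += 1
        d["numeric_only"] += prof["numeric_only"]
        d["weak"] += prof["weak"]
        d["cyrillic"] += "cyrillic" in prof["classes"]
        d["derived_from_email"] += derived_from_email(email, pw)
        d["patterns"][email_pattern(email)] += 1
    return by_domain


if __name__ == "__main__":
    for domain, stats in summarise(SAMPLE).items():
        print(domain, {k: (dict(v) if isinstance(v, Counter) else v)
                       for k, v in stats.items()})
```

On the constructed sample the gov.ru block shows only Latin characters and mostly weak passwords with a mixed bag of naming patterns, while the mil.ru block shows Cyrillic use and passwords that reuse the account name, the same contrast the analysis draws between the two lists. A high “weak” share across an entire block is the signal that suggests a cracked subset rather than a full credential dump.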

It is impossible to identify the exact source of the information in the alleged leak. However, when assessing all of this information together, it is deemed unlikely that this first alleged leak came from a hacked Russian government website.

Given that some emails are known to have appeared in earlier breaches unrelated to the Russian government, and that the weak passwords appear to be a subset of cracked passwords from a larger dataset, it is more likely that this password list has been cobbled together from multiple prior leaks with cracked passwords. Given the irregularities in the emails and passwords, some parts of the list may be fabricated, or at least altered.

There is an outside possibility that the contents of gov.ru & mil logins.txt came from a hacked Russian government website and the file simply holds the easily crackable passwords. But the question remains: if the intent of the leak was to cause damage, why not leak everything obtained and let others try to crack the remaining, more difficult hashes?

The utility of a viral social media post claiming that a Russian government website was hacked is likely more impactful than the contents of the alleged leak itself, and may have been the original goal.

As the war in Ukraine continues, people are advised to remain vigilant and critical of the information about the conflict they consume.

© 2024 Arachne Digital, ALL RIGHTS RESERVED