“Here we are in Lviv Underground again” – this would be just the right line to open this interview with a FalconsFlame hacktivist. The group is known for numerous spectacular hacking operations against the sites of Russian terrorists, as well as breaking into the cloud accounts and gadgets of Russian servicemen spotted fighting in Donbas. FalconsFlame hacktivists, along with hacker groups CyberHunta, Trinity and RUH8, make up the Ukrainian Cyber Alliance, which has come into the spotlight after a series of hacks into the office of the Russian presidential aide Vladislav Surkov (SurkovLeaks).
We decided to publish this interview in the form of a story about one of the Ukrainian hacktivists’ operations, which has not yet been made public but could one day become a textbook case of cyber warfare for the freedom and independence of Ukraine.
Our interviewee liked the idea of “dusting off” the story of an as yet unknown hacking operation. He took his laptop out of a shabby backpack and began sorting through the files and telling his story…
“In early 2015, Ukrainian hacktivist groups were faced with a choice – either to hack popular pro-Russian bloggers and Novorossia lovers one-by-one, or come up with a solution to automate this process.
We decided to target the platform which actively hosted aggressive Russian jingoists and spread anti-Ukrainian propaganda. We are talking about the popular blogging platform called cont.ws. It attracted about 200,000 daily visitors.
It did not take long to get access to the admin panel of the platform.
So we began to read the internal messaging and probe some users.
As a result, we got access data for ALL users of the project; however, the passwords were encrypted, and their decryption could have taken a while.
We took a creative approach, and through a phishing attack got the rest of the user access data. We analyzed the data, and identified among active Cont users many idea-driven supporters of Novorossia and paid Russian bloggers. The collected data was anonymously sent to the Ukrainian Security Service (SBU) and to the Peacemaker web site.
This way, for example, we found the user under the nickname «ales0ne», one Alexey Zhukov, citizen of Belarus with a residence permit in Donetsk, who was a member of illegal armed groups.
As another example, the nickname messer turned out to belong to a professional soldier, a veteran of the Transnistrian conflict named Sergei Leshchenko. He is the chairman of the Union of Veterans of Spetsnaz “Dniester” and the administrator of a website serving Russian special forces veterans. He published instructions for making booby traps against the Ukrainian military.
There were also many others.
Then, on behalf of the users of this platform, we started to spread materials that were at odds with the ideological line of the jingoist project. In one of our articles, we “interviewed Zakharchenko” [Ed.: leader of Donetsk People’s Republic (DPR) separatists] making him say the following:
Often, we just trolled Novorossia fans in their own style. Once, we posted the spoof story of a nurse who breast-fed “a company of militia”.
Soon cont.ws sported its first article in Ukrainian telling the users that the site had been hacked by Ukrainian hackers.
We hacked them again and again, and they continued their clumsy attempts to patch up the holes in the content management system. Eventually, after a few months of constant hacks, the portal’s administration begged us to leave them alone, for a fee. But we break into the aggressor’s systems for ideological motives rather than gain, so we put forward our conditions for the “truce” – the administrators hand over to us decrypted access data of the users that we are interested in, allocate us a separate page for our articles; and in return, we keep the hacking mum.
Cont’s administrators surely agreed, and thus began their secret cooperation with the Ukrainian hacktivists. On April 14, 2015 they wrote a post about their site hacking by Ukrainian hacktivists with the “thanks” for the technical audit of the site.
From that moment on, we had a free hand on cont.ws. In one year, we published several hundred articles proving the facts of Russian aggression. By the way, we reprinted more than 200 articles of InformNapalm. We also got the access data for hundreds of the site’s users.
Now we can talk about this saga, as Cont administrators have recently started to violate our own small “Minsk agreement”. Perhaps it is because their Kremlin curators began to suspect something and push them for tougher moderation of the publications. By the way, among Cont admins, there are employees of the DPR [Ed.: Donetsk People’s Republic] propaganda ministry, as well as many other ranking militant propagandists.
As the site administration has apparently decided to disremember our agreement, it is time to remind them about it publicly.
I have offered you a peek into just one of the many operations that have been going on behind the scenes. By the way, Russian bloggers no longer need to wonder why the credentials they use to access their pages and email promptly fall into the hands of Ukrainian hacktivists. It happens because the administrators of Russian propaganda platforms are all for the numbers – users, traffic. They are ready to leak their data to anyone, just to keep a project running.
By the way, the Cont project is not your ordinary Russian site, and its daily traffic of 200,000 visits is just one piece of evidence of that. By analyzing access rights and user profiles the Cyber Alliance hacktivists established that cont.ws is but one of the cogs in the Russian propaganda machine, and this graph makes it evident.
So the word “leaky” would be very appropriate for the Russian sites’ administrators. Stay tuned for more.”
Apart from this story, we discussed many other aspects of cyber warfare with our interviewee, but they are beyond the scope of this publication.
The world of Ukrainian hacktivism is very exciting and diverse, and we will continue to study it. We will keep contact with the hacktivists and present materials about their victories in the war for freedom and independence of Ukraine.
Evidence data was exclusively provided to InformNapalm by the hacktivists of the Ukrainian Cyber Alliance for analysis and processing. InformNapalm Community bears no responsibility for the sources and origin of the data.
Translated by Artem Velichko
Edited by Max Alginin
An active link to the authors and our project is obligatory for any reprint or further use of the material. (Creative Commons — Attribution 4.0 International — CC BY 4.0)