Turns Out You Can’t Trust Russian Hackers Anymore

Often, in war, mistakes are made. Sometimes, in Russia’s information war against the West, mistakes are made and then published for all the world to see.

That seems to be what happened when two supposedly independent hacking groups, believed by security experts to have ties to the Kremlin, posted the same documents stolen from a philanthropic organization run by George Soros. But the hack included a twist: Some of the documents taken by one group were altered in a bid to try and link Soros to Russian anti-corruption activist Alexei Navalny, revealing how hackers likely working for Moscow are editing documents to smear their victims.

After hackers broke into a system for sharing documents at Soros’s Open Society Foundations, material describing the organization’s work in Russia appeared on two different sites: in November on the web platform of CyberBerkut, a pro-Russian hacking group that opposes Ukraine’s current government, and in June on DC Leaks, a website that hosts purloined documents and is believed by security researchers to be a Russian project.

Among the documents posted, at least three appear on both sites. The documents posted by CyberBerkut have been edited to try to show that Open Society provides significant financial support to Navalny.

CyberBerkut edited one budget document to include a line describing a grant to Navalny’s Foundation for Fighting Corruption to the tune of either $240,000 or $122,000 — CyberBerkut’s editors managed to put two different amounts on the same budget line. In another document titled, “Russia Project Strategy, 2014-2017,” CyberBerkut added the name of Navalny’s foundation to a paragraph describing the lack in Russia of “institutions that focus analytically on issues of policy relevance.” By adding the Foundation for Fighting Corruption to that paragraph, CyberBerkut falsely implied that Navalny’s group received financial support from Open Society. And CyberBerkut edited a third document, which describes how Russian nonprofits are complying with the country’s harsh laws governing civil society groups, to claim that Navalny receives support from Yandex, a Russian internet services firm that competes with Google.

Navalny denies receiving funding from Soros and says he has had no support from Yandex. Laura Silber, a spokeswoman for Open Society, said the foundation has never supported Navalny and that the edited documents posted by CyberBerkut amounted to a libelous claim.

The Kremlin, Navalny wrote in an email to Foreign Policy, “really likes that type of [tactic]: posting fake documents among real hacked documents.” The goal, he wrote, is to create a mess for the opposition.

“At the end of the day everyone will understand — documents are fake, but it will be a two-week-long discussion: ‘Is [the] opposition and Navalny in particular using Soros’ money?'” Navalny wrote.

The Kremlin reportedly hates Soros because Open Society, his marquee philanthropic organization, focuses on boosting democracy in the former Soviet bloc and elsewhere. Silber says Open Society “supports human rights, democratic practice, and the rule of law in more than 100 countries around the world.”

Russian President Vladimir Putin, however, views Soros as a deep-pocketed troublemaker whose philanthropy has helped support governments in the former Soviet bloc with distinctly pro-Western leanings. The Russian leader and former KGB officer saw Soros’s hand behind the so-called color revolutions in Ukraine in 2004 and in Georgia in 2003. When Russian authorities banned Open Society from Russia last year, they said the group constituted “a threat to the foundations of the constitutional system of the Russian Federation and the security of the state.”

By claiming that Navalny received financial support from Soros, hackers with apparent connections to Russian security services were attempting to tie Russia’s most outspoken and prominent dissident to one of the Kremlin’s biggest enemies. And by claiming that Open Society funds Navalny’s work, which has in recent weeks leveled explosive and well-documented corruption allegations at senior Kremlin officials, the hackers sought to smear Soros’s work, essentially accusing him of meddling in internal Russian politics.

The “focus of discussion is switched from ‘Putin’s corruption’ to ‘opposition and its shadow money,’” Navalny said.

Both DC Leaks and CyberBerkut have links to Russian security services, but the exact extent of those relationships remains shrouded in mystery. CyberBerkut burst onto the scene following Ukraine’s 2014 revolution, which ousted the country’s pro-Russian president, Viktor Yanukovych, and is most famous for hacking into the computer system of Ukraine’s election authority during the May 2014 presidential elections, leaving bread crumbs suggestive of ties to Russian military intelligence.

Security researchers argue that DC Leaks represents another Russian-backed influence operation. That website was used by the hacker calling himself Guccifer 2.0 to share documents with journalists. Guccifer 2.0 surfaced after the Democratic National Committee announced in June that it had been hacked and took credit for the operation. Security researchers and U.S. intelligence believe he is a creation of Russian intelligence to deflect attention from Moscow.

It could be that “DC Leaks and CyberBerkut are the same people or they have close connections to each other,” said Anton Cherepanov, a researcher for the Slovakian cybersecurity firm ESET who discovered the overlap between the posted documents. It is certainly also possible, he said, that the two groups independently hacked Open Society and posted the same, but slightly different, documents.

Navalny, for one, was not surprised that he was unfairly linked to Soros.

“Generally I believe that Putin really considers using hackers as a legit soft power. No one is dead, you are not using tanks or missiles, no one can 100% prove that he is involved,” Navalny wrote. 

“No men in uniform are involved, just a few guys with thick glasses and reporters who want to write an interesting story.”

Photo credit: MAXIM MARMUR/AFP/Getty Images