How Russia recruited elite hackers for its cyberwar
MOSCOW — Aleksandr B. Vyarya thought his job was to defend people from cyberattacks until, he says, his government approached him with a request to do the opposite.
Vyarya, 33, a bearded, bespectacled computer programmer who thwarted hackers, said he was suddenly being asked to join a sweeping overhaul of the Russian military last year. Under a new doctrine, the nation’s generals were redefining war as more than a contest of steel and gunpowder, making cyberwarfare a central tenet in expanding the Kremlin’s interests.
"Sorry, I can’t," Vyarya said he told an executive at a Russian military contracting firm who had offered him the hacking job. But Vyarya was worried about the consequences of his refusal, so he abruptly fled to Finland last year, he and his former employer said. It was a rare example of a Russian who sought asylum in the face of the country’s push to recruit hackers.
"This is against my principles — and illegal," he said of the Russian military’s hacking effort.
While much about Russia’s cyberwarfare program is shrouded in secrecy, details of the government’s effort to recruit programmers in recent years — whether professionals like Vyarya, college students or even criminals — are shedding some light on the Kremlin’s plan to create elite teams of computer hackers.
U.S. intelligence agencies say that a team of Russian hackers stole data from the Democratic National Committee during the presidential campaign. On Thursday, the Obama administration imposed sanctions against Russia for interfering in the election, the bedrock of the U.S. political system.
The sanctions take aim at Russia’s main intelligence agencies and specific individuals, striking at one part of a sprawling cyberespionage operation that also includes the military, military contractors and teams of civilian recruits.
For more than three years, rather than rely on military officers working out of isolated bunkers, Russian government recruiters have scouted a wide range of programmers, placing prominent ads on social media sites, offering jobs to college students and professional coders, and even speaking openly about looking in Russia’s criminal underworld for potential talent.
Those recruits were intended to cycle through military contracting companies and newly formed units called "science squadrons," established on military bases around the country.
As early as 2013, Sergei Shoigu, the Russian defense minister, told university rectors at a meeting in Moscow that he was on a "head hunt in the positive meaning of the word" for coders.
The Defense Ministry bought advertising on Vkontakte, Russia’s most popular social network. One video shows a man clanging a military rifle on a table beside a laptop computer, then starting to type.
"If you graduated from college, if you are a technical specialist, if you are ready to use your knowledge, we give you an opportunity," the ad intoned. Members of the science squadrons, the video said, live in "comfortable accommodation," shown as an apartment furnished with a washing machine.
University students subject to mandatory conscription in the nation’s armed forces, but who wanted to avoid brutal stints as enlistees, could opt instead to join a science squadron. A government questionnaire asks draftees about their knowledge of programming languages.
The ministry posted openings on job forums, according to an investigation by Meduza, a Russian news site based in Riga, Latvia, that first disclosed the recruitment effort. One post from 2014 advertised for a computer scientist with knowledge of "patches, vulnerabilities and exploits," the last of which refers to code that takes advantage of a software flaw to alter or take control of a computer.
Given the size of Russia’s cybercrime underworld, it was not long before the military considered recruiting those it delicately described as "hackers who have problems with the law."
In an article titled "Enlisted Hacker" in Rossiiskaya Gazeta, the government newspaper, a deputy minister of defense, Gen. Oleg Ostapenko, said the science squadrons might include hackers with criminal histories. "From the point of view of using scientific potential, this is a matter for discussion," he was quoted as saying in 2013.
Experts say the strategy was more than just talk.
"There have been cases where cybercriminals are arrested but never ended up in prison," said Dmitri Alperovitch, the co-founder and chief technology officer of CrowdStrike, the cybersecurity company that first identified the group known as Fancy Bear as the perpetrator of the Democratic National Committee hacking.
Vyarya, the programmer who turned down the government’s job offer, was an attractive recruit from the opposite end of the spectrum: someone with a career protecting people against hackers.
Specifically, he had experience shielding websites from a distributed denial of service, or DDoS, attack, in which a site is overwhelmed and disabled by a torrent of fake traffic. Among his clients were Vedomosti, an independent newspaper; TV Rain, an opposition-leaning television station; and the website of Aleksei Navalny, the opposition leader.
Vyarya said that in 2015 he was invited to accompany Vasily Brovko, an executive at the military contracting company Rostec, on a trip to Sofia, Bulgaria. But he said it turned out to be a demonstration of a new software suite capable of staging DDoS attacks.
The Bulgarian firm demonstrating the software briefly crashed the website of Ukraine’s Defense Ministry and Slon.ru, a Russian news website, Vyarya said. Slon has confirmed its site went down inexplicably for about two minutes that day, Feb. 5, 2015.
After the demonstration, Vyarya said Brovko asked him how the program might be improved. Then, according to Vyarya, Brovko offered him a job running the DDoS software, which he said the Russians planned to buy from the Bulgarians for about $1 million.
Vyarya said his problems began when he turned down the offer: He was surveilled, and an acquaintance in law enforcement advised him to flee the country. He left in August 2015 for Finland to seek asylum, he and his former employer said. The Finnish government, citing safety and privacy concerns, would not comment on the asylum application.
"As soon as we saw what was on the table, Sasha was given direct instructions to return to his hotel and stop all contacts," said his former boss, Aleksandr V. Lyamin of Qrator, a cyberdefense company in Moscow, using Vyarya’s Russian nickname. But the overtures from the military contractor persisted, Lyamin said, and Vyarya fled.
Rostec strongly denied Vyarya’s account. Brovko did travel to Bulgaria with Vyarya, the company said, but to evaluate software for defensive, not offensive, cybersystems. A spokeswoman for Brovko called the account of crashing sites in a product demonstration the imagination of a "mentally unstable" man.
The military’s push into cyberwarfare had intensified in 2012, with the appointment of a new minister of defense, Shoigu. The next year, a senior defense official, Gen. Valery Gerasimov, published what became known as the Gerasimov Doctrine. It posited that in the world today the lines between war and peace had blurred, and that covert tactics, such as working through proxies or otherwise in the shadows, would rise in importance.
He called it "nonlinear war." His critics called it "guerrilla geopolitics."
But Russia is certainly not alone.
"Almost all developed countries in the world, unfortunately, are creating offensive capabilities, and many have confirmed this," said Anton M. Shingarev, a vice president at Kaspersky, a Russian antivirus company.
Recruitment by Russia’s military should be expected, he said. "You or I might be angry about it, but, unfortunately, it’s just reality. Many countries are doing it. This is the reality."
U.S. intelligence agencies, including the National Security Agency, have for decades recruited on college campuses. In 2015, the NSA offered a free summer camp to 1,400 high school and middle school students, where they were taught the basics of hacking, cracking and cyberdefense.
In Russia, recruiters have looked well beyond the nation’s school system.
In 2013, as Russia’s recruitment drive was picking up, Dmitry A. Artimovich, a soft-spoken physicist, was awaiting trial in a Moscow jail for designing a computer program that spammed email users with advertisements for male sexual enhancement products.
One day a cellmate, convicted of selling narcotics online, sidled up to him with some news. The cellmate said that people incarcerated for cybercrimes could get out before trial, in exchange for working for the government. Another inmate had already taken a deal, he said.
"It was an offer to cooperate," Artimovich said.
"Why else would you work for the government?" he added. "The salaries are tiny. But if you do something illegal, and go to prison for eight or nine years, the FSB can help you," he said, using a Russian abbreviation for the Federal Security Service.
Artimovich said he decided to take his chances at trial, and served a year in a penal colony.
As Russia ramped up its abilities, government agencies were also in the market for surveillance and hacking software, including some from legal suppliers in the West.
In 2014, a Russian company called Advanced Monitoring that has a license to work with the FSB, the agency that succeeded the KGB after the fall of the Soviet Union, bought iPhone hacking software from an Italian company called Hacking Team, according to invoices published by WikiLeaks. Hacking Team has since lost its export license.
Western cybersecurity analysts believe they have identified the group responsible for breaching the Democratic National Committee: a group nicknamed Fancy Bear.
First known as Advanced Persistent Threat 28, the group has been active since 2007, but its abilities evolved to emphasize attacks, rather than gathering intelligence, after the military placed a priority on cyberwarfare.
It stepped up "faketivist" actions that released stolen data through contrived online personalities like Guccifer 2 and websites like DCLeaks, according to Kyle Ehmke, a senior intelligence researcher at ThreatConnect, a cybersecurity company. The group had been called Pawn Storm, named for a chess maneuver. It was nicknamed Fancy Bear in 2014.
This year, the group appropriated the nickname for its own use, setting up the website fancybear.net and publishing hacked data from the World Anti-Doping Agency, which showed that many U.S. athletes, including the tennis star Serena Williams, had medical exemptions to take banned substances. The hack was apparently in retaliation for revelations of Russian doping in sports.
President Vladimir Putin has said repeatedly, most recently at his annual year-end news conference, that the information released in the recent Democratic National Committee hacks was more important than who was behind them.
"The main thing, to my mind, is the information the hackers provided," Putin said of this summer’s cyberattack.
Democratic Party members and the Obama administration should not look abroad for someone to blame for losing the election, Putin said. "You need to learn how to lose gracefully," he said.