Russian media have been fighting global cyber troops for three months

The goal of the hackers, as they themselves say, is to reduce the Russian information field. Russian developers have to compose solutions on their knees in fire mode.

Yulia Suntsova, Natalya Seybil

Prior to the start of the special operation in Ukraine, the number of hacker attacks on Russian companies was at the level of tens of thousands per week. Now the figure has risen to hundreds of thousands. Crackers are more likely to unite, act more organized, faster and more decisively. If earlier attacks were based on large coverage, now they are more targeted, aimed at a specific victim.

Previously, hackers were conventionally divided into three types: cyber spies (hunting for confidential information; financially motivated (attacking for money), hacktivists (hungry for fame and recognition).

Now the boundaries are gone. After February 24, everyone and everything is attacked. Even those who considered themselves uninteresting for hackers are forced to defend themselves in Russia. Today, according to various estimates, up to 100 thousand programmers from all over the world are acting against the Russian authorities. These are mainly European and American teams, but Russian teams often join them.

The actions of cyber troops are coordinated in special chats, most often in Telegram or Discord.

Everything that is tied to a number is attacked:

• On February 28, Anonymous attacked the websites of the largest Russian media: Kommersant, TASS, Izvestia, Forbes, Lenta.ru, Fontanka, Buro 24/7, Mel, E1, and others. stop [special operation] in Ukraine.
• On the same day, electric charging stations on the Moscow-St. Petersburg highway were subjected to a hacker attack.

At the end of February, the attacks fell mainly on government agencies, state corporations and critical infrastructure companies. Hackers sought to disable key components that ensure the smooth operation of business and government systems in finance, banking, transport, logistics, communications, government, IT and energy.

• On March 8, the websites of federal agencies were hacked - the Federal Penitentiary Service, the Ministry of Internal Affairs, the Federal Antimonopoly Service, the Ministry of Culture, the Ministry of Energy, the Federal State Statistics Service, the FSSP, Rosmolodezh, Roszheldor, the Federal Property Management Agency, Rosmorrechflot and FADN. Anti-war slogans and illustrations appeared on the main pages of departments. The failures occurred due to the hacking of the Gosmonitoring service, which is serviced by the Ministry of Economic Development and integrated into the websites of a number of government agencies.
• On March 16, the websites of Russian arbitration courts were attacked. Pages of courts in the Far East, Siberia, the Urals and other regions were not available. Along the way, the websites of several courts of general jurisdiction were hacked.
• In mid-March, users of online games on smartphones watched political slogans instead of advertisements. The situation affected the developers of Voodoo, PHX, Goodjob and Magiclab.
• On March 23, the Boxberry delivery service was hacked. Problems arose with placing orders, sending them through points, receiving parcels, with the work of a personal account for both individuals and legal entities.
• On the night of May 9, cyber troops hit Rutube, pay TV and the Yandex TV program. The hacked TV channels broadcast anti-war inscriptions, and they also appeared in the Yandex program guide.

The editorial offices of Russian media holdings and regional editorial offices are strengthening their protective infrastructure. The minimum tariff for connecting to special programs that the market offers today is 250,000 rubles per month, that is, about 3 million additional costs per year. For many regional media, this amount is unbearable.

What challenges does the media face today and what is it like to fight off thousands of cyber troops?

The peak of the attacks came in March, when the IT department of the editorial office worked around the clock, now the attacks seem to be weakening, NI was told in the editorial office of Arguments and Facts.

Attacks do not stop for all three months, they go constantly, sometimes very serious and harsh, notes Pavel Gusev, editor-in-chief and owner of the Moskovsky Komsomolets newspaper:

- For several months now we have been under the enhanced protection of Kaspersky Lab. Security costs have grown, of course, but we have not increased the staff of programmers. Before that, we only had our own equipment, but, as it turned out after February 24, it does not protect us to the extent that we would like. Our programmers fought as hard as they could, but they breathed out only after they completely went under Kaspersky.

On May 9, on Victory Day, a long and complex attack was carried out on the video hosting Rutube, the press service of Rutube (owned by Gazprom-Media Holding) reported:

- This attack was perhaps the most difficult, but we have restored the platform and continue to constantly improve the security of services. We made certain conclusions - now, if the cyber-teams want to repeat the attacks on Rutube, they will need a much larger budget. We are considering this incident and plan to share our experience and plans within the framework of the upcoming St. Petersburg International Economic Forum.

“A typical regime of a besieged fortress” - this is how Irina Golmgrein, 1MI Product Director, characterizes the work of the editorial offices of the 1MI media holding.

- Previously, we often encountered commercial attacks. We studied their model enough, it was clear how to deal with them - both at the level of communication and technically.

After February 24, everything changed.

In the first days we were hacked. Hacking is a more malicious hacking activity than a DDoS attack because it can result in loss of data or code. Hacking is carried out by highly qualified specialists. A living person on the other side of the screen squeezes into “bottlenecks” and gains access to the internal part of the infrastructure, can change content, form pictures and text that the audience sees and which are, as it were, served on behalf of the editorial team. So in the first days of the special operation, content related to the conflict in Ukraine was posted on the main page of our website like a solid sheet.

- NI: did you analyze what gap made this hack possible?

- I. Holmgrein: Attackers changed the site code through the io-analyst's statistics counter. Initially, this analytics system was developed by a company in Ukraine, then the office moved to the USA. Today, we do not know whether the company itself decided on these actions to its own detriment, or whether it was done by individual hackers. We notified the company that we were terminating the contract with them, to which we received a response, politically motivated, in my opinion: in general, they, for their part, also refuse to work with us.

Since then, there have been no hacks, but massive DDoS attacks have been going on for three months, and the degree of their power is increasing. We have not seen such attacks before - they are organized on the principle of crowdfunding.

The attack mechanism is as follows: a huge number of requests simultaneously fly to the site, create large queues, the channel is clogged, the servers do not withstand. Unlike commercial DDoS attacks, it is difficult for our security filters to distinguish between hackers and real readers under current attacks, because both are real people on the other side of the screen and they act identically. As a result, a real visitor, a reader, is deprived of access to the content, the site page on his gadgets looks as if he was blocked from the Internet.

- NI: what did you find out about these cyber-teams? Who are these people, what is their geography?

- I. Holmgrein: There is a large network of agents. It is well organized - thousands of volunteers of varying degrees of qualification from all over the globe. Even schoolchildren with a minimum level of knowledge cope with the tasks. The group calls itself the "IT Army of Ukraine". The goal is to reduce the internal volume of information in Russia, as they themselves declare it.

Volunteers, as we see, work from Ukraine, European countries, even Russia. From a personal computer or laptop, go to the Internet and then follow the detailed instructions. The organizers form and post a list of publications, sites that need to be attacked at a certain time. Volunteers run the script, and then they can go about their business, eat, sleep, take a walk. Attacks do not even require their constant presence at the computer. The raids intensify on weekends, apparently, when, in addition to the main work, you can take a computer for such purposes. Reduce attacks at night. We joke: "Mom doesn't let me leave the computer on at night."

- NI: Have you calculated what additional budgets the newsrooms need to withstand these attacks?

- I. Holmgrein: Today, media holdings are more likely to calculate how much has already been lost and is being lost every day due to such attacks. The collapse of traffic is a stop of monetization, which means a direct loss of income.

Attacks on 300-600 megabits, on gigabits, as was the case last weekend, completely block the Internet channel. This is comparable to downloading 500 movies to your computer at once. We tested different combat methods. They cut off visits from other countries, created blacklists of IP addresses, turned on traffic filtering, caching, wrote auxiliary scripts, and still traffic fell by 30-70%. By the same amount, accordingly, the income of editorial offices also falls.

What can be said about the additional costs of strengthening the “defense”? A simple increase in capacity, resources, or staff of programmers does not solve the problem of attacks, since intelligent solutions are required here! It is necessary to teach the system to distinguish between malicious traffic and ordinary human traffic, only then the power of attacks ceases to make sense.

The attack model is changing - you need to quickly develop a new protection model again, then quantitative methods will not help.

The work schedule of our programmers for the last three months: on weekends we fight off attacks, on weekdays we patch holes and get ready for the next weekend. A typical besieged fortress, now we live like this. However, there is also positive news, the other day we repelled an attack in 5 minutes, almost no one noticed the harm from it. It seems that there is hope that we will soon be able to return to the usual course of work.