An interview with Ukrainian hacker 'Herm1t' on countering pro-Kremlin attacks
Editor's Note: Andrey Baranovich, who is known online as "Herm1t," spent much of the '90s and '00s chronicling the history of malware development on a site known in the hacking community as VX Heaven.
But about 10 years ago, the site was shut down by Ukrainian security authorities, and Baranovich was charged with spreading computer viruses. The charges were dropped — cybersecurity experts argued that the site was of little use to cybercriminals, and was mainly a reference tool for researchers — and Baranovich moved to Kyiv and started to take on a more activist role.
In 2014, when Russia invaded Crimea, Baranovich helped launch groups aimed at countering Russian aggression and protecting Ukraine in cyberspace. Groups he's affiliated with, such as RUH8 and the Ukrainian Cyber Alliance, made a name for themselves by breaching Russian government sites and leaking information on top officials.
"Despite previous disagreements, [I] decided to help our state a little," he said.
Baranovich talked to Recorded Future analyst and product manager Dmitry Smilyanets about the war in Ukraine and fending off pro-Kremlin hackers. The conversation, which has been edited for space and clarity, was conducted in Russian and translated to English with the help of linguists from Recorded Future’s Insikt group.
Dmitry Smilyanets: In one of my previous interviews, Smelly_VX mentioned you as the creator of VX Heaven. Tell me how you created the project and what happened next.
Andrey Baranovich: The VX Heaven project was from another time: the mid-’90s, no Google yet, Windows 95 had just come out and there was no browser yet, connecting to the internet was prohibitively expensive, and the main place to communicate with people and look for information was FidoNet and BBS [Bulletin Board System]. The criminal codes of the post-Soviet countries did not yet have articles criminalizing hacking and computer viruses. Instead of websites, hacker groups collected their articles and code into e-zines, DIY publications that circulated widely from bulletin board to bulletin board. Now it’s even hard to imagine how primitive those systems were when, in order to find the desired file, it was necessary to call the BBS using a modem, download a list of files at a speed of 2-3 kilobytes per second, find the desired file, and download it.
On my site, which was called SoftWAR, there was a typical hacker's kit — collections of cracks for software, viruses, magazines, and documentation. When I got a job in 1999 on an ISP with unlimited traffic and space, the idea naturally came up to make a site from an already existing collection. Gradually, it became an important element of the viral scene, which always needed collectors to maintain continuity and a place to show off their skills to their peers. Generations of hackers changed, and sooner or later this ideal period had to end.
In 2012 my project attracted the attention of the then newly created DKIB SBU [Ukraine counterintelligence authority]. These guys were not looking for lost causes but for brighter minds, and they expected to recruit me in order to find out what happens in the hacker community. After a categorical refusal, the Chekists [special services] organized a criminal case under article 361-1 [a law concerning the spread of computer viruses], but everything went not as they expected, and instead of "cooperation" they got a small, but quite a noticeable scandal.
The case crumbled during the pre-trial hearing during which they attempted to make their case and it never reached the court. After that, I moved to Kyiv, changed my specialty to information security, and the site [VX Heaven] was supported by “Dahmer” for some time, this time on a bulletproof hosting, to get rid of intrusive attention. A lot has changed in twenty years, and as someone famously joked at LovinGod/SGWW [one of the most famous post-Soviet viral groups], VX Heaven has become the "portable coffin of the VX scene." And it's true, the hacker scene that formed in the early ‘80s and peaked in the early ‘00s has just ceased to exist in its usual form. However, it is a part of our history that I would like to keep.
vx-underground would not exist if not for the original VX historian herm1t. He was the first to aggregate malware related material in a centralized location and inspired thousands of people. He is on Twitter.— vx-underground (@vxunderground) January 11, 2021
Pay homage to @vx_herm1t. The founder of VxHeaven.
DS: You are a member of the Ukrainian Cyber Alliance and RUH8. Tell us about these organizations and your role in them.
AB: In 2014, after the Revolution of Dignity and the flight of [Ukrainian President Victor] Yanukovych, Russia annexed Crimea and invaded Donbas. Almost immediately after the start of the war, a Russian "CyberBerkut" appeared, imitating hackers. And the Ukrainian intelligence services also became interested in what can be done with the help of the internet, while their practical preparedness, both in the field of defense and in the field of attack, was practically zero. Throwing a tracker picture was the maximum of their capabilities. And, realizing that with such "special equipment" you won't get far, they began to turn to specialists from the private sector, including Tim "Jeff" Karpinsky and me.
Despite previous disagreements, we decided to help our state a little. And already in March and April , we managed to hack a couple of suitable targets, for example, the mail of Alexei Karyakin from the "LNR," [Luhansk People’s Republic] since then he has been wanted for treason, or the hacking of the State Duma in April 2014. A year later, we decided to somehow streamline our hacking activity and called ourselves RUH8.
In 2016, several hacker groups united around InformNapalm, and the Ukrainian Cyber Alliance was born. It included Falcons Flame, Trinity, and Cyberjunta. When I made the RUH8 site in the fall of 2015, I wrote a little "old school" intro on the main page, more like a parody of the old hacker groups with "presidents" and "public relations departments," so the hackers laughed at the corporate culture. In this text, I called myself the "press secretary" of the new hacker group and the joke seemed very funny to me, however, after the May hacks of the "DPR" [Donetsk People’s Republic, a separatist region backed by Russia] and the mega-scandal arranged by the Myrotvorets [Peacemaker] around the list of journalists that messed up our #OpMay9, it was simply necessary to explain who we are, what we do and what our goals are.
I discussed the first interview for the Focus magazine with the team, then, as the positions were determined, I began to communicate with the press on my own. After #SurkovLeaks hit the news as a kind of "counter-attack" after Russian interference in the U.S. elections, the initially parodic position of the press secretary turned into a hard daily job.
DS: Is there cooperation between the Cyber Alliance (and the Ukrainian cyber community) and the government (Viktor Zhora, the head of the cybersecurity agency, in particular)?
AB: There has always been a connection between the cybersecurity community and the state, so already at the very beginning of the war in 2014, Kostya Korsun, the former head of CERT-UA [Computer Emergency Response Team of Ukraine] and co-founder of the Ukrainian Information Security Group [UISG], organized a meeting. Employees of the SBU, the Ministry of Internal Affairs, and the State Special Communications Service came to it because it was immediately clear that the efforts of state institutions to counter Russia was not enough, and then the exchange of information continued, both informally — at the UISG and NoNameCon conferences, and more formally, when in 2019 we were invited to a meeting in the National Security Council dedicated to cybersecurity. We have known Viktor Zhora for a long time, ever since he was in business, and despite the difference in opinions about certain events, communication continues.
"The differences between IT and conventional war are becoming less obvious. And I believe that if it is quite acceptable to disable the power plant, then opening the spillway of the dam, which will simply wash away thousands of civilians, no matter how you look at it, will be a war crime, and it does not matter whether partisans or the military carry out such sabotage."— Andrey Baranovich
DS: On February 26, 2022, you made a social media post about searching for initial access to the networks. What I found interesting is the list of what not to do. Tell me in detail about ethical standards in cyberspace during a military conflict. Has your attitude changed after six months of the war?
AB: First of all, with the beginning of a full-scale war, the goals have changed. Previously, we called ourselves hacktivists, in addition to collecting useful information, we tried to promote a certain civic position: "everything they can do to us, we can do to them"; and "there is nothing to negotiate with Russia," "Russia is incapable of negotiating, and even if an agreement is reached, which is a mistake in and of itself, the agreements will be violated;" "cybersecurity in Ukraine is not given enough attention," and "Ukraine needs not only volunteers but also official cyber troops."
Now everything is different, it is no longer activism. Those ideas that I spoke about have become commonplace, on the verge of banality: a rose is a flower, oak is a tree, Russia is our enemy, Ukraine needs not just peace, but victory. Now we are closer to the guerrillas than to the activists in Guy Fawkes masks. With so many new players joining the cyber war, the debate over what is and isn't allowed is immediately on the rise.
On the one hand, researchers pay too much attention, I think, to the legality or illegality of distributed denial-of-service [DDoS] attacks carried out by the Ukrainian "IT Army." Yet the fact that the Russian GRU [Main Intelligence Directorate] and FSB [Federal Security Service] are more active than ever, and sometimes use Russian groups as a cutout to leak information, is not included in the scope of these questions. On the other hand, Viktor Zhora, at a recent conference in Las Vegas, accused the Russian Federation of nothing less than military cyber crimes. From the point of view of international law, this is a gray area — the Russian military, the GRU and the FSB have been attacking civilian objects for years, starting with Prykarpattyaoblenergo and the Severnaya substation, including the hacking of Diya on January 14, however, no matter how great the damage was (in the case of NotPetya, it reached, according to the White House, the mark of $10 billion) it is not comparable to a missile attack.
"Cyber" has always fallen just a little short of conventional war, nevertheless, the differences between IT and conventional war are becoming less obvious. And I believe that if it is quite acceptable to disable the power plant, then opening the spillway of the dam, which will simply wash away thousands of civilians, no matter how you look at it, will be a war crime, and it does not matter whether partisans or the military carry out such sabotage.
DS: What do you think of the KillNet faction and the like?
AB: With Russian hacker groups, everything is difficult, because the Russians managed to impose a certain point of view. Often they write "pro-Russian hacker group." Cyberberkut and Beregini are not hacker groups that work in the interests of the special services, these are the Russian special services personas, they were mimicking Anonymous, then supposedly Ukrainian hackers who support Russia, this is all deliberate disinformation, part of their usual way of dealing with "active measures," forged documents and anonymous stuffing.
I am glad that numerous Russian black hats are still trying to stay away from politics and continue business as usual; on the other hand, the fierce hype that accompanied the emergence of the Ukrainian "IT army" provoked symmetrical movements — Killnet, Xaknet, FRWL and even "Anonymous Russia" (which is very funny in itself). Some of the hacks that these groups publish may not be their work at all. For example, I am almost sure that the leak of the document flow of the Ukrainian Ministry of Foreign Affairs is the consequence of the GRU attacks on January 14 and February 23.
Other hacks are really theirs — apart from a few smart hackers who really are present there, the rest are not of the slightest interest. I just don't see the slightest point in DDoS-ing thousands of targets in turn, putting each one down for a few hours. This is not cyber war, but cyber hooliganism, throwing virtual trash cans and benches at the entrances to supermarkets.
DS: How do you assess the work of the Belarusian Cyber Partisans?
AB: I really liked some of their hacks, we communicate.
DS: How well protected is the critical infrastructure of the Russian Federation and Ukraine in 2022?
AB: We started asking the same question in 2017, after NotPetya. Then a law “on the basics of cybersecurity” appeared, and officials, as is customary with any officials, immediately began to say: you see, before everything was not very good, but now everything will be fine! This is a kind of legalism, the belief that the law is enough to affect reality. In such cases, I advise you to pass laws on the growth of the economy, victory in the war, and in general, it would be nice if the criminals themselves came to the police, otherwise it would be illegal.
just because I'm paranoid doesn't mean they're not out to get me. a bit chilling, less chilling than "Government-backed attack alerts" (seen 'em too) pic.twitter.com/3mkJZcHIMt— herm1t (@vx_herm1t) January 19, 2021
Oh, wait... But these are all words, after that we started the flash mob #FuckResponsibleDisclosure, searching for vulnerabilities in the public sector, without hacking, and then publishing them. The first "victim" was CERT-UA, they forgot the password for the mail account on the site. Other “victims” include the Academy of the Ministry of Internal Affairs which stored a database of teachers and students on a passwordless disk, the Kyiv police, a dozen ministries — justice, education, health, presidential administration, documents of all candidates from the civil service agency, critical infrastructure, including water and electricity, up to and including a nuclear power plant. There is no "security," however, the officials stubbornly did not want to admit their mistakes and did not want to move from denial to acceptance, arguing that “this is not ours, that it is ours, but old, not old, but unimportant, and so on.”
They even attempted to fabricate criminal cases, in 2018 (“Ministry of Justice”) and 2020 (“Odessa Airport”). The cases fell apart and also did not reach court. After the power in Ukraine changed and the "digitalization" program began, things got even worse, and the worst forecasts were confirmed in January 2022, when Russian special services hacked Diya and almost the entire cabinet. I hope that now Deputy Prime Minister Fedorov's catchphrase that "the role of cybersecurity is greatly exaggerated" is no longer relevant and the attitude towards security has changed significantly. The public sector has always been defended by the fact that from a commercial point of view this is an extremely unprofitable target, the risks associated with it are significantly higher than the benefits, plus the ban on "working for the CIS" [Commonwealth of Independent States] on black sites is part of a long-standing compromise between black hats and special services.
In Russia, everything is the same, only a little more money and a little more order, but the defense is actually in a deplorable state, and the decisions made ("cyber defense headquarters," "cyber centers," "NKTsKI [National Coordination Center for Computer Incidents]," "sovereign Internet" and "black boxes of the FSB") are completely ineffective. We sat on one of our targets for a year and a half, helping to support the system administrators, warding off stray hackers, and helping to pass the FSB audit. The Russian Federation should think twice before throwing stones in a glass house.
"No matter how trite it may sound, cyber operations have long been a part of military operations. And although the results are sometimes not as noticeable as in the case of artillery or aviation, they are also needed."— Andrey Baranovich
DS: What attack do you remember the most?
AB: I think that the most interesting attacks are yet to come, but there were many funny moments. Somehow we, with Falcons Flame [FF], lacked a phone number to hack our target, and I wrote a letter to the right person: "Send your number, urgent." He shared and immediately said goodbye to all his accounts. The same FF somehow a raised a phishing site, a "social network for Novorossiya," where there was nothing but a registration page, and all the public cheerfully began to register there. There are so many stories like this, that it's hard to pick just one.
DS: If you were appointed to the position of Cyber Tsar of Ukraine, what would be the first thing you would change in the information security of the country?
AB: I think the two main problems are over-regulation and complete irresponsibility. As in other post-Soviet countries, officials have been building barriers out of the blue for years in order to raise and lower them for money, piled up yet another "national" and "single" registers in order to collect information that they don't really need, and of course, when there are 100,000 state and municipal institutions and enterprises and 200,000 IT specialists in the country, it is physically impossible to ensure the security of all these facilities.
So, I am sure that, first of all, it is necessary to reconsider the approach to public administration and deprive the state of useless and unusual functions. For example, I do not understand why we have a register of providers, but no register of bakeries and hairdressers. Then abandon hyper-centralized solutions, but also avoid complete fragmentation, when each state shop builds its own information system. So if a dozen private integrators appear who will serve the public sector, with clearly-defined responsibilities of the parties, then the situation will change for the better.
DS: What tools and infrastructure do you use in your work?
AB: The same tools used by red teamers, but since we have developers, we add everything that’s missing on our own. For example, the experience of the virus scene was very useful to me, although at that time I thought that this was one of the most harmless and abstract hobbies on earth, like assembling boats in a bottle.
DS: Is it really possible to change something in geopolitics by launching DDoS attacks and publishing leaks from the websites of various departments and corporations? Do you feel the effect of hacktivism?
AB: Even DDoS attacks can be useful, for example, Putin's speech at an economic forum was delayed due to a DDoS attack — a public humiliation and a clear signal that Russia cannot protect even such an important event. When Peskov begins to move his mustache and say that Surkov "does not use e-mail" — a completely visible effect, revealed information can influence the decisions made by politicians. We found spies and saboteurs, and people went to prison or to the afterworld because something was hacked, so no matter how trite it may sound, cyber operations have long been a part of military operations. And although the results are sometimes not as noticeable as in the case of artillery or aviation, they are also needed.
DS: What will the thousands of young specialists, whom the war has taught new methods of solving certain problems, do when the hostilities are over?
AB: I think that the number of specialists is strongly exaggerated, but many, I believe, use the acquired knowledge in the information security business.
DS: Do you have friends who left the keyboard and took the weapon?
AB: Of course. Mobilization continues in the country, and many friends and acquaintances are now in the army, some use their knowledge in communications or information security troops, and some are fighting.
DS: Tell me a secret, what's on the hard drives?
AB: Hacked information from Russia. There is a lot. Russian hackers have become a kind of brand, but Ukrainian hackers are no worse. Russia will pay dearly for the war it started.
Dmitry Smilyanets Mission-driven and Russian-speaking intelligence analyst with type A personality. Dmitry has twenty years of experience and expertise in cybercrime activity that includes being a former member of an elite Russian-based hacking organization.