CHAPTER 14 Moscow’s Long Shadow
Moscow’s Long Shadow
On November 21, 2013, Mustafa Nayyem, a thirty-two-year-old liberal television journalist, had been deeply disappointed by Ukrainian president Viktor Yanukovych’s decision to postpone the integration of Ukraine into the European Union. Yanukovych hesitated to sign an agreement with the EU because of pressure from Vladimir Putin, who wanted to hold Ukraine close to Russia and opposed any pact with Europe.
Nayyem posted an angry message on Facebook. “Well, let’s get serious,” he wrote. “Who today is ready to come to Maidan before midnight? ‘Likes’ don’t count. Only comments under this post with the words, ‘I am ready.’ As soon as we get more than a thousand, we will organize ourselves.”
This Facebook post started the Ukrainian revolution. Thousands went to Independence Square, popularly known as Maidan, and stayed there. In the months that followed, the Maidan was turned into an improvised fortress, surrounded by barricades, fires, and smoking tires and guarded day and night by protesters. The protesters wanted closer ties with Europe—a sentiment that was shared by part of Ukraine’s population, largely in the western portion of the country, whereas the east felt aligned to Russia, not in the least because most spoke Russian as their first language. The protests in Kiev were a seminal crisis for Putin, who felt a move by Ukraine toward Europe would be intolerable—it would bring the West to Russia’s borders.
On November 30 the Ukrainian riot police, the Berkut, launched an offensive against the protesters on the Maidan, and dozens were severely beaten. The protesters were forcibly dispersed. Some of them took refuge in St. Michael’s Cathedral, an elegant gold-domed monastery not far from the square. The police then besieged the monastery.
Sasha Romantsova worked at a bank in Kiev, but her job didn’t fit her energetic personality. At twenty-seven, she had already successfully created a large student movement at her university and was deeply interested in events at the Maidan. She had joined one of the first marches in favor of Ukraine’s integration with Europe.
When the protests were dispersed into the monastery, Romantsova received a desperate text message from a friend hiding inside, who said the Berkut were battering down the monastery’s doors. Romantsova was frightened for her friend and angry at the use of force against the protesters. She called the Center of Civil Liberties of Kiev and volunteered to do something—anything—to help to defend the protesters. The center, based in a residential apartment in the center of Kiev, was at that moment thinking the same thing; a workshop was under way on human rights. They decided to form a volunteer service to help locate the detained and wounded from the Berkut crackdown and to open a telephone hotline to gather information from those in trouble.
But one of the most important decisions made that day was to open a group on Facebook, called Euromaidan SOS, which immediately gathered over ten thousand followers. When Romantsova called the center to volunteer, she was told, “We opened a phone hotline, and we need a volunteer to sit here from 4:00 a.m. to 8:00 a.m.” Romantsova enthusiastically accepted. She had to be at work at 9:00 a.m. but was more than willing to work the hotline for four hours first. She stayed there for months during the Maidan uprising, shuttling between the office and the hospital where the wounded were treated. When a few radio stations and a major television channel advertised the phone numbers for the hotline—actually three cell phones—the project expanded rapidly. It began with the intention of locating casualties, but it soon became an information service, fielding calls from all over the city. People called in to report eyewitness spottings of the Berkut, which were then posted on the Euromaidan SOS page, asking those who lived nearby to verify them and report back.
The Euromaidan SOS experiment on Facebook took advantage of the horizontal structure of a network, allowing people to share information readily and disseminating it where it was needed without the need for an established organization behind it. What happened in Kiev was reminiscent of Relcom’s request in August 1991 for users to look out their windows and report back troop movements, but this time it was not e-mails but Facebook that provided the platform. The authorities knew where the Euromaidan SOS was based, but the speed of the network took them by surprise. The Euromaidan SOS group on Facebook thrived and grew with the protests. Soon Euromaidan SOS had created comprehensive lists of the wounded or those missing or detained by the Berkut, and the lists were frequently checked and updated. Along with Romantsova, 250 volunteers worked on Euromaidan SOS, searching for the missing and keeping a direct telephone line open to the Maidan protest organizers on the square. Regular announcements were made by megaphone at the square regarding those who were missing or detained.
Yet the digital pathways that enabled protest could also be used against the protesters. The night of January 21, 2014, was frosty and only about 10 degrees at the Maidan. Most of the protesters were sleeping in tents. Suddenly, all their cell phones vibrated with a new text message. The number was disguised as a service message, and it read, “Dear subscriber, you are registered as a participant in a mass disturbance.”
The identical message went to users of each of the three mobile operators in the city—Kyivstar, MTS, and Life. But it went only to people who were on Independence Square. The phrasing of the message echoed language in a new Ukraine law that made it illegal to take part in a protest deemed violent. The law had taken effect that very morning.
The sense of the message was clear: the protesters had been identified. The text message was a means of intimidation.
Romantsova also received the text. She wasn’t taken aback by it, but she and the protesters saw it as a new trick by the authorities against the protesters. Many of the Maidan protesters quickly took a screen shot of the message and posted it online—the network answered back, defiantly.
In fact, the texts appeared to have an effect opposite the one intended—they outraged many Ukrainians and were widely reported. All three Ukrainian mobile operators immediately denied they had sent the text messages. So the question emerged: If the message was not sent by the mobile operators, how it was done?
Kyivstar suggested that it was the work of a “pirate” cell phone tower set up in the area. This could have referred to something called an IMSI-catcher, a device that can emit a signal over an area of nearly four square miles, forcing hundreds of cell phones per minute to release their unique IMSI and IMEI identification codes, which can then be used to track a person’s movements in real time. Every phone has such identification codes, although most people are not aware of it. This technology also can be used to intercept text messages and phone calls by duping cell phones within range into operating with a false cellular tower. A transceiver around the size of a suitcase can be placed in a vehicle or at another static location and then operated remotely by security agents.
However, the telephone carriers could offer no evidence that a pirate tower was used, but there is another possibility: SORM—the black boxes, which can monitor both Internet and cellular communications—could identify the protesters and send the message. If security services had SORM, they could use it as a back door into the Ukrainian mobile networks, giving them the ability to carry out such an operation without being detected.
A fascinating clue then emerged. A Kiev city court had ordered Kyivstar to disclose to the police which cell phones in their network were turned on outside the courthouse during a protest that occurred on January 10. The warrant, No. 759, which we obtained, was issued by a Kiev district court on January 13. Its goal was to identify people in the particular area of the protest. Further, the police specifically requested that a representative of Kyivstar be excluded from the proceedings to keep the operation secret. The judge agreed with the police request.
This warrant made clear that the Security Service of Ukraine (SBU) and other law enforcement agencies had the capability to eavesdrop on communications networks without the telecom operator’s knowledge. Thus, the security services could have used their surveillance systems against protesters. On February 3 the communications regulatory agency of Ukraine reported that it could not determine who had sent the text messages to protesters in January. Secrecy prevailed.
After March 1, the day Russia annexed Crimea, many Western experts told us at different cyber security gatherings that they expected a massive denial-of-service attack to be launched against Ukrainian websites. The fears were well founded: every Russian conflict with a neighboring country in the 2000s—including Georgia and Estonia—had been accompanied by such relatively crude onslaughts against the countries’ online resources. For a while the Ukraine conflict developed along the same lines. On March 3 the Ukrainian information agency UNIAN reported a powerful denial-of-service attack, causing the agency’s website to be temporarily taken offline. The Internet infrastructure of the country seemed weak, almost begging cyber hackers to try their hand. Ukrainians clearly understood this vulnerability. That same day Konstantin Korsun, an SBU cyber-security officer in 1996–2006 and now in the cyber security business, working as the head of the NGO Ukrainian Information Security Group and supporting Maidan, appealed for help. “Because of the military intervention of Russia against Ukraine I ask everybody who has the technical ability to counter the enemy in the information war, to contact me and be prepared for a fight,” he wrote on LinkedIn. “Will talk to the security forces to work together against the external enemy.”
Almost immediately he received a reply from Maxim Litvinov, head of the cyber crime department in the Interior Ministry of Ukraine: “You can count on me.” Litvinov said he had analysts, a laboratory, and loyal personnel, and he didn’t want to wait until the country was already under attack.
But the large and much-feared cyber attack on Ukraine did not come as it had been anticipated; instead it came from another direction, a tidal wave of propaganda spread on social networks. The Kremlin launched a massive campaign to infiltrate social networks—first of all, VKontakte—and exploit the digital pathways for its own purposes. Russia possessed certain natural advantages on this information battleground. First, both Russia and Ukraine shared a common cultural and historical legacy in the Soviet Union, such as the experience of World War II and the shared Russian language, used widely in Ukraine. Second, the Russian-based social network VKontakte is the most popular social network in Ukraine, with more than 20 million users. Russian officials knew how to frame the messages they wanted to send and had all but taken control of VKontakte. They then decided to take their information combat to the enemy, fighting on Twitter, YouTube, and Facebook.
From the Kremlin an army was unleashed, a fighting force whose weapons were words. Legions of trolls, people who disrupt online discussions by deliberately posting inflammatory, extraneous, or off-topic messages, were deployed to provoke and intimidate people. The trolls are not usually volunteers but paid propagandists. In the 2000s they were used inside Russia against liberal and independent media and bloggers. Now this army, hundreds of people, was directed outside.
The trolls often appear in the comments section of traditional news media and social media. Katarina Aistova, a former hotel receptionist, then twenty-one years old, was one of them. In April 2014 she spotted something negative written about Putin on WorldNetDaily. “You are against Putin!” she exclaimed in response to another user. “Do you actually know what he does for his country and for people?? The fact is that Obama is losing ground as a leader.” A lot of the commentary was much more strident.
The Guardian was among the first in the Western media to find itself in the Russian trolls’ crosshairs. On May 4 the newspaper reported that a particularly nasty strain emerged in the midst of the conflict in Ukraine, “which infests comment threads on the Guardian and elsewhere, despite the best efforts of moderators.” Readers and reporters became concerned that these comments came from “those paid to troll, and to denigrate in abusive terms anyone criticising Russia or President Vladimir Putin.” The first complaint to the moderators of the Guardian was reported on March 6, when a reader complained, “In the past weeks [I] have become incredibly frustrated and disillusioned by your inability to effectively police the waves of Nashibot trolls who’ve been relentlessly posting pro-Putin propaganda in the comments on Ukraine v Russia coverage.” The Guardian replied that there was no conclusive evidence about who was behind the trolling, although Guardian moderators, who deal with forty thousand comments a day, believed there was an orchestrated campaign.
In 2014 French and then Italian journalists told the authors that they were attacked by trolls when they published critical stories on Russia. In both countries the onslaughts were carried out in fluent and faultless French and Italian, and the trolls attacking the critical reporting from Russia were the same ones who separately were known to write xenophobic and anti-immigrant posts, which led French journalists to suspect that the comments could be coming from a community of far-right-wing activists.
In May, Ilya Klishin, the editor of the TV Dozhd website, shed some light on the trolls focused on the Western media. On May 21 Klishin exposed in Vedomosti the organization of trolls that had been directed to target the American audience. He reported that the team serving under Vyacheslav Volodin, the deputy chief of the presidential administration in Moscow, who had replaced Surkov at the peak of the 2012 protests, had proposed a “systematic manipulation of public opinion through social media.”
Sources close to the presidential administration told Klishin that preliminary work began in the fall of 2013 and that Volodin personally approved the strategy. Volodin also moved Konstantin Kostin—the Kremlin official who once had been on the other end of a phone line, pressuring the Yandex News team to shape their news report to fit Kremlin wishes—into a key position at the Civil Society Development Foundation, a pro-Kremlin organization, although Kostin remained directly subordinate to Volodin. In the summer of 2013 he announced the launch of a new, large system for social network monitoring called “Mediaimpuls.”
It was an ambitious attempt to monitor and manipulate social networks. Kostin boasted that they joined efforts with the Boston-based firm Crimson Hexagon, using a system designed to figure out consumer trends on social networks. According to Kostin, Mediaimpuls could monitor LiveJournal and Twitter along with Russian social networks. But it was cursed with the same trouble the Russian secret services had been lamenting since 2011: it could not deal with Facebook because Facebook does not give up the data.
In the fall of 2013 the newspaper Novaya Gazeta exposed a “farm” of trolls writing away in a suburb of St. Petersburg known as Olgino. There the employees were paid over 25,000 rubles a month, then equivalent to about $900, to post comments on blogs and news articles. The troll farm occupied two rooms in a posh home with large glass walls. According to the report, employees in one room wrote blog posts for social networks, while those in the other room worked on comments. The troll farm had close ties with pro-Kremlin youth movements. Among those working in the glass-walled house was Katarina Aistova, the young woman mentioned above.
Anonymous International publicized the internal reports of this group in May 2014, with documents consisting of dozens of analytical briefs detailing the way the comments were dealt with on US media sites. There were also recommendations, such as this one for the site Politico: “In the future, there should be more provocative comments to start the discussion with the audience.”
The documents show that the masterminds of the troll movement were curious about legitimate online movements—the documents included, for example, a detailed analysis of Barack Obama support communities on Facebook and Twitter. They were also aware of the perils of being deleted by moderators; one brief cautions about “Censorship on the American Internet.” But the most interesting document was one that all but acknowledged that users in the United States could easily spot the troll campaigns supporting Russia, rendering the postings useless. “In the study of major US media, some pro-Russian comments were seen. After a detailed study, it became clear that such comments are extremely negatively perceived by the audience. In addition, users suggest that these comments were written either for ideological reasons or were paid.”
Although the campaign may not have worked well in the United States and Britain, Ukraine was different. False reports from the east of Ukraine and fake photographs of purported atrocities and victims flooded VKontakte and Facebook. Photographs of casualties from the war in Syria were doctored and presented as coming from the Ukraine provinces of Luhansk or Donetsk. The trolls claimed the violence was caused by Ukrainian “fascists” and sometimes borrowed images from war movies to make their point. There was a heart-wrenching photograph of a grieving young girl, sitting by the body of a dead woman sprawled on the ground and carrying the caption, “This is democracy, baby, Ukrainian army is killing Donbass people.” It went viral on social networks under the hashtag #SaveDonbassPeople. In fact, however, the photo was borrowed from a famous Russian film, Brest Fortress, released in 2010, about the Nazi invasion of the Soviet Union in 1941.
Although this and many other postings in the troll campaigns were filled with deceptions, they also struck a nerve, appealing to the historical memory of the Soviet Union—a country that lost over 30 million people in World War II—and carrying a highly emotional message to the Internet audience: fascists were coming again, this time with backing from the West, and there could be no questions asked, no place for skepticism, doubt, or opposition in this fight to the death.
By the end of 2014 the army of trolls enjoyed a major boost. The trolls at Olgino left the glass-walled house and moved to a four-story building in the same suburb of St. Petersburg in order to accommodate their growing numbers, now 250 people. They worked in twelve-hour shifts and were required to post 135 comments a day. New initiatives were launched, such as a quasi-news agency, like ANNA News, which was registered in Abkhazia, a breakaway region of Georgia. The agency set up accounts on a Russian replica of YouTube, known as Rutube; on YouTube itself; and on VKontakte, Facebook, Twitter, Google+, and Odnoklassniki. They posted videos that were presented as news but were largely propagandistic, including videos celebrating fighting by separatists in Ukraine. Another faux news agency, Novorossia television, set up accounts in social networks, posted videos on a daily basis, and collected money for separatists. The videos were then picked up by conventional pro-Kremlin TV channels and disseminated domestically and internationally. The efforts of these fake news agencies were combined with those of dozens of online communities positioned as blogs of patriotic citizens.
Some of the individual trolls enjoyed large, committed audiences. One of them writes under the name Lev Myshkin, taking his name from a character in Fyodor Dostoyevsky’s famous novel The Idiot. The character in the novel is a symbol of Russian humility and kindness, but the troll Lev Myshkin is different. No one knows his true identity, but he is very active online as a Russian propagandist. On Facebook he lists among his friends some prominent pro-Kremlin spin doctors and often mocks Ukraine’s political leaders. His message is bitterly anti-American and anti-Western, and he frequently publishes doctored photographs to make his point. As of this writing, he had almost five thousand followers on Facebook and over twenty-six hundred on Twitter, and more than a million people have watched his videos on YouTube. For all his activity, however, Myshkin’s biggest coup appeared to be something that almost escaped notice.
On February 4 the audio recording of an intercepted phone conversation between Victoria Nuland, the US assistant secretary of state for Europe, and Geoffrey Pyatt, the US ambassador to Ukraine, was posted on YouTube and the next day reposted by Myshkin, opening a new front on the digital battlefield.
The recording was explosive, a conversation between two US diplomats, discussing how to resolve the ongoing standoff between the Ukrainian government and protesters. In the private conversation, recorded in January 2014, Nuland cursed the European Union, expressing frustration at the EU’s handling of the Kiev crisis. According to our sources, Pyatt in Kiev used an ordinary cell phone for this conversation, not an encrypted one. Although the recording was embarrassing to the United States, as Nuland declared “Fuck the EU,” another aspect of it proved incendiary. Nuland expressed a preference for who should enter the new Ukrainian government—proof positive, in the Kremlin’s view, that the United States was calling the shots in Ukraine. It isn’t known precisely who obtained the conversation, but it was someone who wanted to embarrass the United States and had the means to intercept and record a telephone call.
The audio was initially uploaded on the YouTube channel “Re Post,” which had been mostly uploading anti-Maidan videos and smearing Ukrainian politicians. In some videos the voice of the cameraman is heard, he speaks in Russian and pretends to be a journalist, but he is very focused on documenting protesters’ faces, weapons (self-made batons and the like), and actions. Most of the videos got only a few hundred views on YouTube.
Quite suddenly, on February 4, the channel’s moderators uploaded the conversation, along with another conversation between European officials. Two days passed, and no one noticed. Finally, on February 6, Christopher Miller, then the editor of English-language Ukrainian daily Kyiv Post, received an e-mail with a link to the Nuland video. The person who sent it to him, an acquaintance in the security service, asked, “Did you see this?”
Miller was thrown at first. The video had been viewed only three times before Miller watched it, and he wondered whether it was authentic. But the more he listened to it, the more he came to realize it was genuine. He called the embassy to get a comment and asked if it was real. They had no idea what he was talking about and were shocked. Miller at once published the story, on February 6, quoting the intercept on the website of the Kyiv Post.
But a strange thing happened on the way to a public uproar over the Nuland comments: Miller was not the only recipient. In fact, before he published his article, the hot intercept had fallen into the hands of the mysterious troll Lev Myshkin, who posted it on his YouTube channel a day before Miller, on February 5. And when Myshkin uploaded it, the video went viral.
The story of the recording—a murky one of phone calls recorded and mysterious uploads—highlights a larger picture depicting the security services, both in Russia and Ukraine, attempting to influence the political course of events with underhanded means. The eavesdropping on Nuland and Pyatt was probably made possible by SORM technology in Ukraine identical to Russia’s. The recording was then passed from one hand to another until it became public, in the process removing any fingerprints of who originally made the interception and recording. That’s the way combat in the shadows of the digital world is done.
The call created a sensation, but the Ukrainian security service, the SBU, denied any involvement. In two days the SBU held a press conference in Kiev. When asked about the Nuland recording, Maxim Lenko, a senior investigations official in the SBU, who was present at the conference, stepped forward and said, “The Ukrainian Security Service is not conducting any investigation into the matter at this time.”
The video was extensively used by Russian propaganda outlets to portray Maidan as an American conspiracy. The circumstances of the intercept and its circuitous route to the media suggest that it was the SBU, not the Russian secret services, that conducted the interception. It is impossible to know for sure, but we think some SBU officers likely intercepted the Nuland call and then shopped around until they found a colleague or friend who would post it on YouTube. When the scheme didn’t ignite a media storm, they kept shopping for an alternative outlet and eventually found one.
Time and again intercepted conversations in Ukraine were used to compromise political opponents, and surveillance on telecommunications was used as a means of intimidation. This strategy provoked a great deal of speculation about conspiracies; for months a Ukrainian mobile operator was accused of sending Ukrainian citizens’ personal data to Russia and maintaining their servers in Moscow. No proof was ever found.
The truth, however, might be much simpler, tracing back to SORM, the black boxes first deployed in Russia years earlier to monitor telecommunications and Internet traffic. Ukraine’s security services possess their own SORM; except for a period after the Orange Revolution in 2005–2010, they always kept close ties with the Russian security services. The two countries’ security officers carried out joint operations and exchanged information, and that special relationship ended, rather spectacularly, only in February of 2014 when the SBU exposed the names of FSB generals who were present in Kiev on the day Yanukovych fled his capital.
Ukraine’s version of SORM was even more intrusive than Russia’s. “The Ukrainian SORM is tougher—they have the right to interrupt the conversation and we have no such powers,” said Victor Shlyapobersky, a chief of the SORM-testing laboratory at the St. Petersburg branch of the Central Research Institute of Communications, one of three main Russian research centers working on SORM development. To be stuck in the Soviet legacy means to be dependent on Russian supplies of surveillance. When Ukraine updated its national needs for SORM equipment in 2010, the Russian company IskraUraltel, a manufacturer of SORM equipment, was happy to announce that it had successfully tested its SORM devices under the new requirements, and it had been approved by the SBU.
Although Ukraine hewed to Russia’s eavesdropping system with equipment supplied by Russia, this does not necessarily mean that Russian secret services conducted all sensitive interceptions, but this option cannot be ruled out. But it does suggest that the Ukrainian security services modeled their surveillance capabilities after the most opaque and nontransparent example, with origins tracing back to the KGB.
Ukraine possessed not only the same equipment as Russia but also used the same terminology. In two decades of independence Ukraine didn’t modify the basic terms used to label its surveillance departments. In the Soviet KGB the unit in charge of surveillance was called the OTU (Operativno-Technicheskoye Upravlenie, or the Operative-Technical Department), and eavesdropping and surveillance operations were identified in official documentation as ORM. That Soviet-style euphemism means Operativno-Rozisknie meropriatiya, or Operative-Search Measures.
In the 1990s the Russian FSB changed the name of the department to the UOTM (adding the word Measures to its title), but for years Ukraine remained attached to the Soviet acronym OTU. Now this department is called the DOTM (the Department of Operative-Technical Measures), echoing the Russian experience.
In late February in Kiev the chief of DOTM was fired along with Maxim Lenko, who had denied SBU’s role in intercepting the US diplomats’ conversation just three weeks before. In July the chief of DOTM was changed again. This musical chairs of the DOTM indicated that the new Ukrainian authorities didn’t accept that the SBU had had nothing to do with the eavesdropping.
The saga of the Nuland interception and the larger battle for the digital space in Ukraine also reflects the reality throughout the former Soviet Union. Some of the nations that became independent in 1991 simply preserved the methods they inherited from the old regime. “Ukraine, Kazakhstan, Belarus, and Uzbekistan, they all use a system that is much closer to SORM than to the European or American systems,” Shlyapobersky told us. In our own investigations we found documents confirming that Belarus, Ukraine, Uzbekistan, Kazakhstan, and Kyrgyzstan all have their national SORM systems. And in most cases this means their legislation and equipment has also been copied and imported from Russia.
In September 2014, seven months after Maidan, Kiev was back to near normal. Independence Square was cleared; there was no sign of the barricades or burning tires that had once clogged the streets. It was time for the parliamentary elections, and Mustafa Nayyem, who had done so much to launch the Maidan movement with his post on Facebook, was one of the candidates. Andrei had difficulty catching up with his busy schedule, so Nayyem suggested they meet at the city court.
Nayyem had found out that a Ukrainian oligarch was trying to run for parliament despite the fact he had spent most of the 2000s out of the country, and this was against Ukrainian law. So Mustafa went to the court, and on the day we met, the hearings were under way.
The shabby Soviet-style building on Moskovskya Street, where the city court occupies a few floors, posed a striking contrast to the Moscow city court, which is all marble, statues, and expensive furniture. In a tiny room packed with journalists, a bald-headed Mustafa, wearing all black, with his two lawyers, faced three judges.
Mustafa’s lawyer was in the middle of a long peroration, full of details. The main judge turned left and whispered something to his colleague.
Mustafa’s lawyer exclaimed, “You should listen carefully to what I’m saying!”
“Well, the entire country listens to you now,” the judge said apologetically.
And he obviously didn’t mean only the lawyer.
- CHAPTER 14 Moscow’s Long Shadow
- Shadow count
- 2.1.3. Ôóíêöèÿ getopt_long()
- Chapter 5. Preparations
- Chapter 6. Traversing of tables and chains
- Chapter 7. The state machine
- Chapter 8. Saving and restoring large rule-sets
- Chapter 9. How a rule is built
- Chapter 10. Iptables matches
- Chapter 11. Iptables targets and jumps
- Chapter 12. Debugging your scripts
- Chapter 5 Installing and Configuring VirtualCenter 2.0