Breaking Down the Surkov Leaks

What the leaked inbox of the Kremlin’s “Grey Cardinal” tells us about the war in the Donbass

@DFRLab
Oct 25, 2016

Today, a Ukrainian hacker group called “Cyber Hunta” released a cache of emails linked to the Kremlin’s “grey cardinal” — Vladislav Surkov. This political operative is well known in the West as the creator of Russia’s “sovereign democracy” and has been the point-man for Russia’s management, and sometimes direct control, of the so-called states of South Ossetia, Abkhazia, and the self-declared Donetsk and Luhansk People’s Republics.

The hacked inbox was for prm_surkova@gov.ru, which was handled by his secretaries or assistants, including a “Masha” (Mariya) and “Yevgenia” (last names unclear). The majority of the emails are briefings from Surkov’s assistants, such as Aleksandr Pavlov. Some of these briefings include:

— “Information about the current internal political developments in the Republic of Abkhazia, Republic of South Ossetia, Ukraine, and the Republic of Moldova”

— “Ukraine: a calendar of announced events”

— Weekly briefing: “current picture of the situation in Ukraine”

— Weekly briefing: “Abkhazia and South Ossetia: events of the day, that have caught public attention”

However, there are also some bits of revealing information hidden under piles of minutiae, including a list of casualties in the Donbass sent from a high-ranking separatist official, expense reports for a government office in Donetsk, and requests for edits on documents that would later be published under the guise of independent individuals.

Authenticity

Return-path: <Durdyeva_AA@gov.ru>
Envelope-to: prm_surkova@gov.ru
Delivery-date: Fri, 30 May 2014 10:03:55 +0400
Received: from [95.173.128.181] (helo=DurdyevaAAPC)
    by ipaccess.gov.ru with esmtp (Exim 4.80.1 (FreeBSD))
    (envelope-from <Durdyeva_AA@gov.ru>)
    id 1WqFv0-0004qY-LI; Fri, 30 May 2014 10:03:54 +0400
From: =?koi8-r?B?5NXSxNnF18Eg4S7hLg==?= <Durdyeva_AA@gov.ru>
To: <prm_surkova@gov.ru>
Cc: <prm_govoruna@gov.ru>,
    =?koi8-r?B?J+3Bzc/Oz9cg7cnIwcnMJw==?= <mamonov2004@yandex.ru>,
    <abbatnoehl@gmail.com>,
    "'Pavel Laptev'" <paulmira@mail.ru>
Subject: =?koi8-r?B?z8Laz9LZ?=
Date: Fri, 30 May 2014 10:03:54 +0400
Message-ID: <000601cf7bcc$eff3f080$cfdbd180$@gov.ru>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0007_01CF7BEE.770605B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac97zLXyNKravgPbQx2NbBoD8rjV/A==
Content-Language: ru
X-Virus-Scanned: Antivirus engine

Every message in the .PST database released by “Cyber Hunta” — 2,337 in total — contains the same type of header information. It is possible that these headers were forged (though it would be fairly difficult to do so convincingly for every email), so we should also authenticate the data by cross-referencing data points. Two signs often give a fake leak away: only screenshots are available, or most of the material is explosive, with none of the boring day-to-day emails. Nearly all genuine hacks have an extremely high “uninteresting : interesting” ratio. In other words, political officials’ inboxes look much like the average person’s work inbox: full of boring information, schedules, routine briefings, and with only a handful of incriminating or scandalous emails.
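An added example, not part of the original article: Python code that decodes the KOI8-R encoded-words in a subset of the header quoted above and checks its fields for internal consistency, then repeats the checks on a constructed tampered copy. The function names and the 300-second skew tolerance are assumptions of this example.

```python
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Subset of the header quoted in the article, typographic dashes normalized.
SAMPLE = """\
Return-path: <Durdyeva_AA@gov.ru>
Delivery-date: Fri, 30 May 2014 10:03:55 +0400
Received: from [95.173.128.181] (helo=DurdyevaAAPC)
\tby ipaccess.gov.ru with esmtp (Exim 4.80.1 (FreeBSD))
\t(envelope-from <Durdyeva_AA@gov.ru>)
\tid 1WqFv0-0004qY-LI; Fri, 30 May 2014 10:03:54 +0400
From: =?koi8-r?B?5NXSxNnF18Eg4S7hLg==?= <Durdyeva_AA@gov.ru>
Subject: =?koi8-r?B?z8Laz9LZ?=
Date: Fri, 30 May 2014 10:03:54 +0400
Message-ID: <000601cf7bcc$eff3f080$cfdbd180$@gov.ru>

"""

def decoded_fields(raw):
    """Decode the RFC 2047 encoded-words (KOI8-R here) in From and Subject."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    return sender.display_name, sender.addr_spec, str(msg["Subject"])

def header_findings(raw, max_skew_s=300):
    """List internal inconsistencies; an empty list does not prove authenticity."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_addr = msg["From"].addresses[0].addr_spec.lower()
    if parseaddr(str(msg["Return-path"]))[1].lower() != from_addr:
        findings.append("envelope sender differs from From")
    msgid_domain = str(msg["Message-ID"]).strip().strip("<>").rpartition("@")[2]
    if msgid_domain.lower() != from_addr.rpartition("@")[2]:
        findings.append("Message-ID domain differs from From domain")
    # The relay's timestamp follows the last ';' (this sample has one hop).
    stamp = str(msg["Received"]).rpartition(";")[2].strip()
    received = parsedate_to_datetime(stamp)
    skew = (received - msg["Date"].datetime).total_seconds()
    if not 0 <= skew <= max_skew_s:
        findings.append("Date and Received timestamps disagree")
    if parsedate_to_datetime(str(msg["Delivery-date"]).strip()) < received:
        findings.append("Delivery-date precedes Received")
    return findings

# Constructed tampered copy: the Date header is moved back one day.
TAMPERED = SAMPLE.replace("Date: Fri, 30", "Date: Thu, 29")

print(header_findings(SAMPLE), header_findings(TAMPERED))
```

For the quoted header the display name decodes to “Дурдыева А.А.” and the subject to “обзоры”. Consistent fields are only one signal, which is why the content is also cross-referenced against outside events.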

We can verify nearly every bit of information in Surkov’s inbox. For example, on July 23, 2014, Surkov received an invitation to an art exhibit in Moscow called “The New International,” at the Garage Museum of Contemporary Art.

Screenshot of the invitation received by Surkov on July 23, 2014 to an art exhibit.
Email inviting Surkov (and one other guest) to an art exhibit for July 31, 2014.

This exhibit really did take place, and the email seems authentic, judging by the email header and included information.

Photograph from Vogue.ru at the art exhibit “The New International” at the Garage museum, as detailed in the invitation to Surkov.

This is only one detail of thousands within the email archive, but it shows that even inconsequential details with no geopolitical significance can be corroborated against real events using basic digital forensics. A more conclusive confirmation of the hack’s authenticity will likely appear in the coming days, but initial indications point to the emails — or, at least, the vast majority of them — being real.

Findings

Casualty list from Denis Pushilin

Screenshot of the document “Морг. Ополченцы+Гражданские.docx,” sent by Denis Pushilin to Vladislav Surkov on June 14, 2014.

Most of the people listed are locals, Chechens, or not outwardly connected to the Armed Forces of the Russian Federation. However, there is one peculiar row: an unnamed soldier who was listed as “VDV Pskovsky,” referring to the paratroopers based in Pskov.


However, it is unclear if this soldier was active in the Russian Armed Forces at the time of his death, or if he was a veteran. Two months later, funerals would be held in Pskov for numerous active Russian servicemen who died fighting in the Donbass.

A letter from “the public representatives of the Donbass”

Email from August 25, 2014 to Surkov with an attached document holding the text of a letter from the “public representatives of the Donbass” to the Ukrainian government

This Vitaly Leybin is the head editor of the news magazine Russian Reporter. Almost the exact same letter was published on the Russian Reporter site a few days later, with a few minor changes. Below, the document sent to Surkov on August 25 is on the left, and the document posted on the Russian Reporter site is on the right.

Left: original sent to Surkov. Right: version posted on Russian Reporter

One week after Surkov received the document, it appeared on various Russian websites, including Russia Today. The letter was presented as a genuine outcry from local citizens, with no mention of how the letter was first passed through the highest organs of the Kremlin with requests for “corrections” in the document.


A DNR expense list

The first is a general expense list for a newspaper with three staff members (editor, journalist, webmaster), along with equipment costs (notebook, router, camera…), printing costs (70–75,000 copies of a newspaper), and so on.

Expense list from the first tab of the spreadsheet

The second tab is an expense list for staff at the Ministry of Information and MK (presumably the Ministry of Culture) in Donetsk.

Expense list for staff from the second tab of the spreadsheet

Lastly, the third tab shows staff costs for the press center in Donetsk, including three analysts, journalists, and web designers, among others.

Expense list for staff from the third tab of the spreadsheet

While the costs of the Ministry of Information, Press Center, and a newspaper in the DNR are interesting, the most important question is why Pushilin was sending the expense list to Surkov. While there is no reply to the message, there was clearly a reason why Pushilin sent the spreadsheet directly to Surkov, a high-ranking Kremlin official.

Puppet government

The attached PDF contained a list of candidates for the government of the Donetsk People’s Republic, including the Speaker of the People’s Soviet (Pushilin), Ministry of Defense (Igor “Strelkov” Girkin), and other key officials. At the bottom of the document, a note says that the individuals with asterisks next to their name were “checked by us” and are “especially recommended.” These individuals included Aleksandr Zakharchenko, who is mentioned as under consideration for the role of Prime Minister. Eventually, this came true, and Zakharchenko was “elected” to the job. At the end of the document, the author (presumably Malofeev or someone working under him) says to ask for the opinion of “Vladimir Ivanovich” regarding Aleksandr Khodakovsky, the commander of the Vostok Battalion. It is currently unclear who this Vladimir Ivanovich is.


This document was sent to Surkov on May 13, 2014. Three days later, on May 16, the full government of the self-proclaimed Donetsk People’s Republic was announced. There is no direct proof that Malofeev and Surkov decided the representatives of the forming government, but all indications point to them having a guiding or approving role, as they reviewed a list of ministers days before they were officially announced.


The Surkov Leaks, as they have been called on Twitter since their release, show us a picture of the conflict in Eastern Ukraine that we have long suspected: the Kremlin had a guiding hand in orchestrating and funding the supposedly local and independent government.


Follow the latest Minsk II Violations via the @DFRLab’s #MinskMonitor.

For more in-depth analysis from our regional experts follow the AtlanticCouncil’s Dinu Patriciu Eurasia Center. Or subscribe to UkraineAlert.

DFRLab

@AtlanticCouncil’s Digital Forensic Research Lab.
