Breaking Down the Surkov Leaks

What the leaked inbox of the Kremlin’s “Grey Cardinal” tells us about the war in the Donbass

Today, a Ukrainian hacker group called “Cyber Hunta” released a cache of emails linked to the Kremlin’s “grey cardinal” — Vladislav Surkov. This political operative is well known in the West as the creator of Russia’s “sovereign democracy” and has been the point-man for Russia’s management, and sometimes direct control, of the so-called states of South Ossetia, Abkhazia, and the self-declared Donetsk and Luhansk People’s Republics.

The hacked inbox was for prm_surkova@gov.ru, which was handled by his secretaries or assistants, including a “Masha” (Mariya) and “Yevgenia” (last names unclear). The majority of the emails are briefings from Surkov’s assistants, such as Aleksandr Pavlov. Some of these briefings include:

— “Information about the current internal political developments in the Republic of Abkhazia, Republic of South Ossetia, Ukraine, and the Republic of Moldova”

— “Ukraine: a calendar of announced events”

— Weekly briefing: “current picture of the situation in Ukraine”

— Weekly briefing: “Abkhazia and South Ossetia: events of the day, that have caught public attention”

However, there are also some bits of revealing information hidden under piles of minutiae, including a list of casualties in the Donbass sent from a high-ranking separatist official, expense reports for a government office in Donetsk, and requests for edits on documents that later be published under the guise of independent individuals.

Authenticity

After the release of the emails, and a previous publication of a PDF file and screenshots of the inbox, there were reasons to doubt the authenticity of the hack. The Ukrainian Security Service (SBU) stated that the hacks were authentic, but this is hardly a reliable indication. However, with the publication of a nearly-1gb Outlook data file (.PST) (including the inbox, outbox, drafts, deleted email, spam, etc.), it is fairly clear that the emails are authentic. It is quite easy to fake screenshots, PDF documents, and other files, but faking email inboxes is quite difficult. Within the email files (.MSG files, in this instance) is header information, which shows us the “history” of each email — where it originated, which servers it moved through, and so on. An email selected at random, sent from A.A. Durdyeva to Surkov and a few other email addresses, contains the following header information:

Return-path: <Durdyeva_AA@gov.ru>
Envelope-to: prm_surkova@gov.ru
Delivery-date: Fri, 30 May 2014 10:03:55 +0400
Received: from [95.173.128.181] (helo=DurdyevaAAPC)
by ipaccess.gov.ru with esmtp (Exim 4.80.1 (FreeBSD))
(envelope-from <Durdyeva_AA@gov.ru>)
id 1WqFv0–0004qY-LI; Fri, 30 May 2014 10:03:54 +0400
From: =?koi8-r?B?5NXSxNnF18Eg4S7hLg==?= <Durdyeva_AA@gov.ru>
To: <prm_surkova@gov.ru>
Cc: <prm_govoruna@gov.ru>,
=?koi8-r?B?J+3Bzc/Oz9cg7cnIwcnMJw==?= <mamonov2004@yandex.ru>,
<abbatnoehl@gmail.com>,
“‘Pavel Laptev’” <paulmira@mail.ru>
Subject: =?koi8-r?B?z8Laz9LZ?=
Date: Fri, 30 May 2014 10:03:54 +0400
Message-ID: <000601cf7bcc$eff3f080$cfdbd180$@gov.ru>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=” — — =_NextPart_000_0007_01CF7BEE.770605B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac97zLXyNKravgPbQx2NbBoD8rjV/A==
Content-Language: ru
X-Virus-Scanned: Antivirus engine

Every message in the .PST database released by “Cyber Hunta” — 2,337 in total — contains the same type of header information. It is possible that these headers were forged (though it would be fairly difficult to do it convincingly with every email), thus we should also authenticate the data by cross-referencing data points. Often, we can tell when leaked data is fake based on there only being screenshots available, or the majority of the information in the hacks is explosive without boring day-to-day emails. Nearly all genuine hacks have an extremely high “uninteresting : interesting” ratio. In other words, political officials’ inboxes look much like the average person’s work inbox: full of boring information, schedules, routine briefings, and with only a handful of incriminating or scandalous emails.

We can verify nearly every bit of information in Surkov’s inbox. For example, on July 23, 2014, Surkov received an invitation to an art exhibit in Moscow called “The New International,” at the Garage Museum of Contemporary Art.

Screenshot of the invitation received by Surkov on July 23, 2014 to an art exhibit.

Email inviting Surkov (and one other guest) to an art exhibit for July 31, 2014.

This exhibit really did take place, and the email seems authentic, judging by the email header and included information.

Photograph from Vogue.ru at the art exhibit “The New International” at the Garage museum, as detailed in the invitation to Surkov.

This is only one detail of thousands within the email archive, but it shows that even inconsequential details with no geopolitical significance can be corroborated with real events with basic digital forensics. A more conclusive confirmation of the hack’s authenticity will likely appear in the coming days, but initial indications point to the emails — or, at least, the vast majority of them — being real.

Findings

Nearly every email in the leak is insignificant, and thus far no one has found a “grand slam” email that would rock the Kremlin to its core. This alone helps lend credibility to the email’s authenticity. The majority emails are copy/pasted information from news articles, brief summaries of the current situations in South Ossetia, Abkhazia, Moldova, and Ukraine, and emails related to business development in Russia. However, there are some extremely interesting pieces of information if you are willing to suffer through hundreds of weekly briefings.

Casualty list from Denis Pushilin

On June 14, 2014, Denis Pushilin — former Chairman of the People’s Soviet of the (self-declared) Donetsk People’s Republic — sent an email to Surkov and others that included a document listing casualties from May 26 — June 6, 2014.

Screenshot of the document “Морг. Ополченцы+Гражданские.docx,” sent by Denis Pushilin to Vladislav Surkov on June 14, 2014.

Most of the people listed are locals, Chechens, or not outwardly connected to the Armed Forces of the Russian Federation. However, there is one peculiar row: an unnamed soldier who was listed as “VDV Pskovsky,” referring to the paratroopers based in Pskov.

However, it is unclear if this soldier was active in the Russian Armed Forces at the time of his death, or if he was a veteran. Two months later, funerals would be held in Pskov for numerous active Russian servicemen who died fighting in the Donbass.

A letter from “the public representatives of the Donbass”

On August 25, 2014, Surkov received an email from a Russian government official with the last name Govorun, originally sent from a Vitaly Leybin, concerning a letter addressed to the Ukrainian government from the “public representatives of the Donbass.” The title of the email was “corrections in the text.” This letter, supposedly from local citizens living in eastern Ukraine, tells of the horrors of the area resulting from the Ukrainian military’s activities, and calls for a cessation of the Ukrainian “Anti-Terrorist Operation” (ATO).

Email from August 25, 2014 to Surkov with an attached document holding the text of a letter from the “public representatives of the Donbass” to the Ukrainian government

This Vitaly Leybin is the head editor of the news magazine Russian Reporter. Almost the exact same letter was published on the Russian Reporter site a few days later, with a few minor changes. Below, the document sent to Surkov on August 25 is on the left, and the document posted on the Russian Reporter site is on the right.

Left: original sent to Surkov. Right: version posted on Russian Reporter

One week after Surkov received the document, it appeared on various Russian websites, including Russia Today. The letter was presented as a genuine outcry from local citizens, with no mention of how the letter was first passed through the highest organs of the Kremlin with requests for “corrections” in the document.

Source

A DNR expense list

On June 16, 2014, Denis Pushilin sent an email to Surkov, with no one else listed as a recipient. The email was titled “смета” (estimate, total expenses) and included a single spreadsheet, entitled Smeta_Min_Presscentr_Gazeta (002).xls. Within the spreadsheet is an expense list for what appears to be a new press center, newspaper, and the Ministry of Information in Donetsk. The spreadsheet has three tabs, which are seen below.

The first is a general expense list for a newspaper with three staff members (editor, journalist, webmaster), along with equipment costs (notebook, router, camera…), printing costs (70–75,000 copies of a newspaper), and so on.

Expense list from the first tab of the spreadsheet

The second tab is an expense list for staff at the Ministry of Information and MK (presumably the Ministry of Culture) in Donetsk.

Expense list for staff from the second tab of the spreadsheet

Lastly, the third tab shows staff costs for the press center in Donetsk, including three analysts, journalists, and web designers, among others.

Expense list for staff from the third tab of the spreadsheet

While the costs of the Ministry of Information, Press Center, and a newspaper in the DNR are interesting, the most important question is why Pushilin was sending the expense list to Surkov. While there is no reply to the message, there was clearly a reason why Pushilin sent the spreadsheet directly to Surkov, a high-ranking Kremlin official.

Puppet government

On May 13, 2014, Surkov was sent a PDF from a worker at the Marshall Group. This organization was founded by Konstantin Malofeev, a quite rich and even more notorious Russian ultra-nationalist who has been accused by the United States and European Union of being a key financer and supporter of pro-Russian separatists in eastern Ukraine.

The attached PDF contained a list of candidates for the government of the Donetsk People’s Republic, including the Speaker of the People’s Soviet (Pushilin), Ministry of Defense (Igor “Strelkov” Girkin), and other key officials. At the bottom of the document, a note says that the individuals with asterisks next to their name were “checked by us” and are “especially recommended.” These individuals included Aleksandr Zakharchenko, who is mentioned as under consideration for the role of Prime Minister. Eventually, this came true, and Zakharchenko was “elected” to the job. At the end of the document, the author (presumably Malofeev or someone working under him) says to ask for the opinion of “Vladimir Ivanovich” regarding Aleksandr Khodakovsky, the commander of the Vostok Battalion. It is currently unclear who this Vladimir Ivanovich is.

This document was sent to Surkov on May 13, 2014. Three days later, on May 16, the full government of the self-proclaimed Donetsk People’s Republic was announced. There is no direct proof that Malofeev and Surkov decided the representatives of the forming government, but all indications point to them having a guiding or approving role, as they reviewed a list of ministers days before they were officially announced.

The Surkov Leaks, as they have been called on Twitter since their release, show us a picture of the conflict in Eastern Ukraine that we have long suspected: the Kremlin had a guiding hand in orchestrating and funding the supposedly local and independent government.

Follow the latest Minsk II Violations via the @DFRLab’s #MinskMonitor.

For more in-depth analysis from our regional experts follow the AtlanticCouncil’s Dinu Patriciu Eurasia Center. Or subscribe to UkraineAlert.