In late 2016, Ukrainian hacker groups released emails purportedly taken from the office of Kremlin official Vladislav Surkov, who oversees Ukraine policy for Russian President Vladimir Putin. The Surkov leaks confirm what many have long suspected: the Kremlin has orchestrated and funded the supposedly independent governments in the Donbas, and seeks to disrupt internal Ukrainian politics, making the task of rebuilding modern Ukraine impossible. Russia has consistently denied accusations from Kyiv and the West that it is providing the separatists with troops, weapons, and other material support or meddling in Ukrainian affairs. The emails from Surkov’s office betray the official Kremlin line, revealing the extent of Russian involvement in the seizure of Ukrainian territory, the creation of puppet “people’s republics,” and the funding to ensure their survival.
There have been three tranches of information from Surkov’s account: a PDF document detailing plans to destabilize Ukraine, a dump of 2,337 emails, and a final dump of 1,000 emails. While the plot to destabilize Ukraine with its detailed plan to use energy tariffs to foment revolution has garnered attention, its veracity is disputed. The trove of 2,337 emails, released by the group called "Ukrainian Cyber Alliance," including the hacker group Cyber Hunta and research collective InformNapalm, covers the period from September 2013 to November 2014, when Russia illegally annexed Crimea and deployed separatist proxies in eastern Ukraine to start a war. The final dump dates from September 2014 to September 2016. We have analyzed the overlooked second and third troves. Here’s what we found.
On May 16, 2014, a little-known Russian “political consultant” named Aleksandr Borodai was elected prime minister of the self-proclaimed Donetsk People’s Republic. At the time, many noted that Borodai was a friend and former employee of Russian billionaire Konstantin Malofeyev, the founder of Marshall Capital and, according to a separate set of leaked documents, a funder of far-right political organizations in Europe. While Malofeyev denied all connections to Borodai (“You can find a link between me and almost any Orthodox activist. But that doesn’t mean I’m paying them a salary or that we’re in the same business.”), the Surkov leaks show otherwise. Three days before the announcement of the government of the Donetsk People’s Republic, an employee from Malofeyev’s Marshall Capital emailed Surkov’s office a list of candidates for the separatist republic’s government. Some of these “candidates” had an asterisk by their name, signifying that they “are people who we have checked, and are especially recommended.”
A portion of the document sent from the office of Konstantin Malofeyev to Vladislav Surkov, aide to President Putin. Image via The Atlantic Council.
The Kremlin also had a hand in maintaining the puppet government. On June 16, 2014, one of the candidates with an asterisk by his name—the “elected” Chairman of the Supreme Soviet, Denis Pushilin—sent Surkov’s office a spreadsheet with expenses for a new press center in Donetsk. The budget included estimated salaries for an editor, journalist, and other monthly expenses, along with the cost of a router and other pieces of office equipment. The Kremlin does not just manage its puppet republic in eastern Ukraine; it micromanages it and props it up.
Part of the expense list sent by the Donetsk People’s Republic official Denis Pushilin to Surkov, including the cost of a laptop, router, camera, and other pieces of office equipment. Image via The Atlantic Council.
But that’s not all. The Kremlin actively works to disrupt and slow down the reform process in Ukraine by promoting pro-Russian candidates and proposals. For example, Surkov has met with and assisted pro-Russian activists and leaders who live in Crimea, Dnipro, Kharkiv, Kyiv, and Slovyansk. The emails show that Surkov keeps lists of pro-Russian activists across the country that he can deploy when he needs a favor.
The leaks also show that Surkov actively monitors Ukraine’s reforms and works with editors to push a pro-Russian agenda in Ukrainian and Russian outlets. Surkov has significant influence on the media narrative in eastern Ukraine. For example, on August 25, 2014, he received an email asking for edits to a letter that was supposedly from local citizens living in eastern Ukraine; in it, they told of the horrors resulting from the Ukrainian military’s “Anti-Terrorist Operation” and its effect on women, the elderly, and children, supposedly from the perspective of a suffering civilian. The letter was published by Russian Reporter and RT a few days later with minor wording changes.
Comparison of the letter sent from the “public representatives of the Donbass” to the Ukrainian government, with the original version sent to Surkov (left) and the version that was later posted online (right), after suggested edits. Image via The Atlantic Council.
Predictably, Kremlin officials have disputed the authenticity of these emails. However, cyber experts have pronounced these leaked emails genuine based on the routing information, and some individuals have confirmed the authenticity of individual documents. The hackers published a nearly one-gigabyte Outlook data file that included the inbox, outbox, drafts, deleted email, spam, and other folders from firstname.lastname@example.org’s account. While it is easy to fake screenshots, PDF documents, and other files, faking email inboxes is difficult. Within the email files, every message in the second trove of emails contains the same header information—where it originated, which servers it moved through, and so on—which indicates the messages are likely genuine. Using basic digital forensics, which involves uncovering and examining electronic evidence located on digital storage, including computers, cell phones, and networks, we can verify specific details in the emails, suggesting that the leaks are authentic. A majority of the emails are copied and pasted information from news articles, brief summaries of current events in Abkhazia, Moldova, South Ossetia, and Ukraine, and emails related to business developments in Russia. This high ratio of “uninteresting to interesting” bolsters the authenticity of the leaks because nearly all genuine email account hacks have a similar profile. In other words, political officials’ inboxes look much like the average person’s work inbox: full of schedules and routine briefings, with only a handful of incriminating emails. Surkov’s inbox follows this pattern.
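The header check described above can be illustrated with a short script. This is an added example, not the authors' tooling: the two messages are constructed, the host names are placeholders, and the hop-continuity rule is a heuristic assumption, since a relay's announced name does not always match the name the next server records.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed messages with placeholder hosts; not taken from the leaked mailbox.
GOOD = """\
Received: from mx.sender.example by mx.recipient.example with ESMTP;
 Mon, 25 Aug 2014 10:00:07 +0400
Received: from client.sender.example by mx.sender.example with ESMTP;
 Mon, 25 Aug 2014 10:00:05 +0400
From: a@sender.example
Date: Mon, 25 Aug 2014 10:00:04 +0400

body
"""
# Same message with an inconsistent route: wrong relay name, earlier final timestamp.
BAD = GOOD.replace("from mx.sender.example", "from mx.other.example").replace("10:00:07", "09:00:00")

def received_chain(raw):
    """Return [(from_host, by_host, datetime)] ordered oldest hop first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        route, _, stamp = value.rpartition(";")
        frm = re.search(r"\bfrom\s+(\S+)", route)
        by = re.search(r"\bby\s+(\S+)", route)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None  # unparseable or missing timestamp
        hops.append((frm and frm.group(1), by and by.group(1), when))
    return hops[::-1]  # each server prepends its header, so reverse to get send order

def check_chain(hops):
    """Heuristic checks: time must not run backwards and hops should connect."""
    problems = []
    for (_, by0, t0), (frm1, _, t1) in zip(hops, hops[1:]):
        if t0 and t1 and t1 < t0:
            problems.append(f"timestamp goes backwards at {frm1}")
        if by0 and frm1 and by0 != frm1:
            problems.append(f"hop gap: {by0} handed off, {frm1} announced")
    return problems

def final_hosts(raw_messages):
    """Servers that performed final delivery; one inbox should show very few."""
    return {received_chain(m)[-1][1] for m in raw_messages if received_chain(m)}

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_chain(received_chain(raw)) or "consistent")
```

Run over every message in a mailbox, `final_hosts` should return a small, stable set of delivery servers, which is the "same header information" pattern the paragraph describes.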
The Surkov leaks show, in his own words, that the Kremlin directs and funds the ostensibly independent republics in eastern Ukraine and runs military operations there. Yet nearly all media in the West speak about the war in the Donbas as being run by Kremlin-backed separatists; this isn’t a true characterization. Moscow is actively guiding and managing this breakaway state, down to paying invoices for office equipment. The leaks provide clear, irrefutable evidence that the Donetsk People’s Republic is not an independent actor; it is a creature of the Kremlin and should be treated as such. It’s time for the media and foreign governments to catch up and call it what it is: a Russian hybrid war.
By Aric Toler, Melinda Haring, The Atlantic Council
Aric Toler is the lead digital forensics researcher at the Atlantic Council’s Digital Forensics Research Lab and the East Europe lead for Bellingcat. Melinda Haring is the editor of the UkraineAlert blog.