The Main Intelligence Department of the Ministry of Defense of Ukraine (GURMO) hacked and leaked documents it claimed it stole from the Russian Beloyarsk Nuclear Power Station this week. The act is believed to be the first time a hack-and-leak operation weaponized the leak of intellectual property to harm a nation.
GURMO has leaked a broad set of documents to writer Jeffery Carr, author of the book “Inside Cyber Warfare” and creator of the Suits and Spooks conference, to disseminate through his new Substack newsletter. Later in the week, Carr sent out a second article of documents, this time of the Russian space program.
Beloyarsk’s trade secrets may be valuable. It is home to the only two fast-breed nuclear reactors in commercial operation, the BN-600 and BN-800. The Beloyarsk technology is so fuel-efficient that it creates no nuclear waste, with countries such as Japan and France investing considerably to replicate it.
“It’s taking a multi-billion dollar project that Russia has been building and made it open-source,” said Eric Byres, chief technology officer at the industrial control systems cyberdefense firm aDolus Technology.
Beloyarsk is run by the Rosenergoatom, the Russian state nuclear utility. Damaging their ability to do business is both an economic strike and an embarrassment for the broader nation.
While this is likely the first such use of intellectual property to damage a nation, especially during a combat situation, hack-and-leak operations are not an entirely new tool for nation-states. Leaks are often used as a sub-war way to needle adversaries, like when North Korea leaked documents from Sony Entertainment in its retaliation for the Kim Jung-un assassination comedy “The Interview,” and Russia leaking emails from high-ranking Democrats in the run-up to the 2016 election.
Carr told SC Media that GURMO wanted, in part, to demonstrate its capabilities.
“They want Putin to know that all of your resources are not keeping us out. And while we have not done anything to cause harm, it’s within our ability to do that,” Carr said.
“They are laughing at how easy it was for them. They have not hit anything that would stop them from achieving their objectives,” he added.
After the 2016 election and various hack-and-leak ventures that followed it, many newsrooms reconsidered how they approached documents leaked by governments for geopolitical gain. Carr, who said he has vetted documents with experts to establish authenticity, said he believes he is being ethical, due to the circumstances of the war, particularly the documented targeting of civilians.
“If the world were [at] peace, I don’t know that I would … feel the same way. In fact, I’m sure that I would not feel the same way,” he said.
Carr said he is readying more document leaks for his newsletter.
The release of the Beloyarsk documents dent Russia in a variety of ways. Immediately it tells Russia that intelligence has access to various pieces of infrastructure. It embarrasses a country that likes to boast about its scientific might. The leak of intellectual property — either from Beloarsk or the threat of future leaks — may damage potential future sales for the facility.
Any economic damage to sales might not be felt immediately.
“It won’t make any difference today, but and I’m sure Mitsubishi is watching this with enthusiasm so that they can start offering fast-breeder reactors to their Middle Eastern clients,” said Byres.
Since the beginning of the Russian invasion, Ukraine has set up a volunteer team of hackers to conduct offensive operations. Yet the leaks to Carr were done in a government ministry’s name.
That is notable in a world where countries often use proxies and shell personas to hide involvement in offensive hacking. Russia has previously used ransomware operators, Anonymous and a Romanian hacktivist persona in high-profile operations the U.S. attributed to Moscow.
“We see other actors in the world doing that, and saying, ‘I don’t want a part of that, let’s pass it off.’ And I think strategically, strategically, it’s a big signal to me that Ukraine, it’s a ministry of defense [saying] that, ‘No, this is ours,'” said Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks. “That’s really interesting for the future of what we’re seeing in terms of the crowdsourcing and fluidity of the [Ukranian volunteer hacker group, the] IT Army. They could have given the IT Army that task, but instead they took a direct role in it.”
Carr told SC that the hackers involved with the attack “have been doing this a long time,” in part because their experience wasn’t entirely governmental. “That part of the world, if you understand how to hack into a system, you’ve probably been working in a gray area,” he said.
Hack-and-leak IP operations may offer one other substantial benefit, noted Jablanski: It sends a strong signal to critical infrastructure without actually harming people by damaging critical infrastructure, and without the relative difficulty of bridging the IT/OT divide.
“Stealing and publishing IP is just less risky than a cyber-physical effect,” she said.