Emma Best is used to dealing with leaked files from American organizations.
Best’s organization, Distributed Denial of Secrets, is best known for curating, publishing and promoting giant caches of files from a variety of sources, including U.S. police departments, the conservative social media platform Gab and the far-right Oathkeepers, a prominent group involved in the Jan. 6 riot.
But since Russia’s invasion of Ukraine, Best and her colleagues have been inundated with files that hacktivists say they’ve stolen from Russian banks, energy companies, government agencies and media companies. For weeks, the group has scrambled to translate, verify, format and upload the files it can assess are legitimate and new, with the caveat that its members usually haven’t gone through every single file to check whether it has been altered or seeded with malicious software.
“Frankly, we’ve never seen this much data out of Russia before,” Best said. “Russia has never really been a target like this before” by hacktivists.
The consequences may not be fully known for years as experts sift through the files.
“The hackers went for Russian state companies where they could inflict the most pain for the Kremlin,” said Agnia Grigas, a Russia and energy industry expert at the Atlantic Council, a think tank.
NBC News has not verified the contents of the leaks, many of which contain dozens of gigabytes worth of data. None of the organizations, including the state-controlled energy companies Transneft and Rosatom, government censor Roskomnadzor, the Central Bank of Russia, and state-owned media giant VGTRK, responded to email inquiries requesting comment. But there’s little doubt among people who study Russia and cybersecurity that they’re largely authentic.
The leaks are part of a larger ecosystem of amateurs trying to help Ukraine’s war efforts with their own keyboards. While Russia has conducted cyberattacks against Ukrainian internet service providers and tried to wipe Ukrainian government systems, the conflict hasn’t produced the kind of high-profile cyberattacks that some analysts had predicted.
That’s left room for a thriving online ecosystem of new and veteran hackers whose accomplishments are difficult to measure in the context of the broader conflict. Some of the hacktivists spam Russians’ phones with texts about the war. Others spend their days briefly knocking Russian websites and services offline.
It’s not clear, however, just who is behind these hack-and-leak operations. Just about every hacktivist uses a pseudonym online, and hacking communities tend to be informally organized if at all.
But Best said their motivations tend to be clear.
“Right now, leakers, hacktivists and the rest of the general public are screaming in response to the injustice of Russia’s invasion of Ukraine and the inhumanity of the war crimes committed by the invaders,” she said.
While Distributed Denial of Secrets might be the single best public repository of all the Russian files purportedly leaked since the start of the invasion, it’s only one of many places online to find alleged leaks from Russia.
Dozens of activist and hacktivist accounts on Twitter and Telegram post Russian files, some of which are repackaged from earlier leaks. Best has rejected multiple submissions of supposed leaks from Russia that didn’t pass her group’s verification process, she said.
Ukrainian authorities have also leaked remarkable sets of supposedly sensitive information. They’ve published the personal information of 620 Russian intelligence officers and lists of military personnel they accuse of war crimes. Someone gave the Ukrainian news site Pravda a list of alleged Russian soldiers and their personal information, which it published in full. Even the detailed workings of one of the most destructive ransomware gangs in history have been spilled onto the internet, after a Ukrainian hacker grew fed up with the Russians who ran it.
“There’s an intense desire to do something,” Best said, “but also to understand.”
Cybersecurity experts often urge caution in drawing conclusions from documents hacked and leaked by shadowy figures, because there is precedent for such dumps containing individual files that were modified to plant a false narrative. There’s also no way to guarantee that the files are the full contents of what an organization had: a leaker can omit as easily as alter. When WikiLeaks published its “Syrian Files” in 2012, for example, it conspicuously left out a major transfer with a Russian bank, something that went unnoticed for four years.
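The concerns raised here, and the verification steps described earlier (weeding out repackaged material, and not being able to inspect every file for planted malware), come down to a few mechanical checks that a publisher can at least run over a dump before anyone opens a file. The script below is an added example and not Distributed Denial of Secrets’ own tooling: it hashes every file so the published manifest can later be compared against other copies, flags files that could carry executable content (by extension, by magic bytes, and by looking inside Office containers for a macro part), and marks files whose hash already appeared in an earlier leak. The risky-type lists, the manifest format and the tiny sample dump it constructs are this example’s own assumptions.

```python
"""Triage a leak archive before publishing: hash every file, flag files that
could carry executable content, and mark files already seen in an earlier dump.
Added example, not the tooling of any group named in the article. The
risky-type heuristics and the manifest layout are assumptions of this example."""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path

# Extensions and magic bytes that warrant a sandboxed look before publication.
# Heuristic list chosen for this example; it is deliberately not exhaustive.
RISKY_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat",
             ".cmd", ".hta", ".lnk", ".jar"}
MACRO_OFFICE = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}


def sha256_of(path: Path) -> str:
    """Streaming SHA-256 so multi-gigabyte dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def has_vba_project(path: Path) -> bool:
    """OOXML documents are zip containers; a vbaProject.bin part means macros,
    whatever the file extension claims."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def classify(path: Path) -> list[str]:
    """Return the reasons a file should be quarantined for review (empty if none)."""
    reasons = []
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(4)
    if ext in RISKY_EXT or head.startswith(b"MZ") or head.startswith(b"\x7fELF"):
        reasons.append("executable-content")
    if ext in MACRO_OFFICE or has_vba_project(path):
        reasons.append("office-macros")
    # A ".pdf" or ".docx" that is really a Windows executable: magic bytes say MZ.
    if head.startswith(b"MZ") and ext not in RISKY_EXT:
        reasons.append("extension-mismatch")
    return reasons


def triage(root: Path, known_hashes: set[str]) -> dict:
    """Walk the dump, producing a hash manifest plus quarantine and duplicate lists."""
    manifest, quarantine, duplicates = {}, {}, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            digest = sha256_of(p)
            manifest[rel] = digest
            if digest in known_hashes:
                duplicates.append(rel)      # repackaged from an earlier leak
            reasons = classify(p)
            if reasons:
                quarantine[rel] = reasons
    return {"manifest": manifest, "quarantine": quarantine, "duplicates": duplicates}


def build_sample_dump(root: Path) -> set[str]:
    """Construct a tiny fake dump (invented content, not real leaked data) and
    return the hash set a previously published leak would have contributed."""
    (root / "memos").mkdir(parents=True)
    (root / "memos" / "q1.txt").write_text("budget memo\n")
    (root / "memos" / "old.txt").write_text("already published\n")
    # An "invoice.pdf" whose first bytes are a PE header rather than "%PDF".
    (root / "invoice.pdf").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    with zipfile.ZipFile(root / "report.docx", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00macro")
    return {sha256_of(root / "memos" / "old.txt")}


def run_demo() -> dict:
    """Build the sample dump in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return triage(root, build_sample_dump(root))


if __name__ == "__main__":
    result = run_demo()
    for rel, why in sorted(result["quarantine"].items()):
        print(f"QUARANTINE {rel}: {', '.join(why)}")
    for rel in sorted(result["duplicates"]):
        print(f"DUPLICATE  {rel}")
    print(f"{len(result['manifest'])} files hashed")
```

The manifest is the part worth publishing alongside the dump: anyone who later receives a “repackaged” copy can diff hashes against it and see exactly which files were added, removed or changed, which is the only practical defence against the planted-file and silent-omission problems described above. The quarantine list does not prove anything is malicious; it only says which files should be opened in a sandbox, or not at all, before the rest of the dump goes up.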
While a leak can seriously hurt businesses in normal circumstances, those in Russia probably currently have bigger concerns, said Michael Daniel, the president of the Cyber Threat Alliance, a cybersecurity industry trade group.
“Lord only knows how Russia’s going to handle that right now,” Daniel said. “That’s probably not their primary concern, although it could be. But in a normal country and organization it would be.”
Open-source researchers who pore through reams of information from Russia said it could take years before such leaks could reveal important information.
“I’ve gone through a few of them but honestly haven’t had time to [do a] really super deep dive,” said Aric Toler, a researcher at BellingCat, an investigative journalism group that has exposed several major Russian intelligence operations.
“This happens a lot, to where there is all this hype for mega flows of info, then hardly anyone actually goes through it,” he said. “They really require specialist interest and expertise.”
Stefan Soesanto, a senior cyberdefense researcher at the Center for Security Studies, a Swiss think tank, said it was mistaken to think Russian officials or executives would somehow be shamed or deterred by having their files made public.
“To me it is unclear how these data leaks are supposed to affect the course of the war in Ukraine,” Soesanto said. Hackers would likely have more of an effect on those organizations by deploying ransomware or destructive malware on their networks, he said, though that would require more technical sophistication to pull off.
“The question that I would be interested in is to know why these groups are dumping all this largely worthless data instead of running wipers or ransomware campaigns,” he said. “Guess 99 percent simply don’t have the network access and privileges they want people to think they have.”