Roskomnadzor, Russia’s main regulator of telecommunications and mass media, has long been opaque to outsiders. A recent New York Times report, however, has shed light on the agency’s expansion into censorship and social repression. Roskomnadzor has evolved from an agency primarily devoted to regulating telecom companies, along the lines of the US Federal Communications Commission, into a critical part of Russia’s state surveillance apparatus. The Times report details Roskomnadzor’s attempts to catalog social media posts based on their political leanings, its reports on prominent figures on social media, and even campaigns of intimidation against “anti-government” individuals. The report relies almost entirely on approximately 160,000 files leaked by pro-Ukrainian hackers early in the Russian invasion of Ukraine. It shows how Roskomnadzor has become a major tool of social repression in Russia, as well as the effectiveness of pro-Ukrainian hack-and-leak campaigns early in the war.
Hack-and-leak operations, in which operators steal data from vulnerable organizations and make it publicly available, have become increasingly common over the past decade. Perhaps the most famous campaign was the leaking of Democratic National Committee emails and documents by state-sponsored Russian hackers ahead of the 2016 presidential election.
The Times report is one of the most thorough public uses of leaked data to provide further insight into Russian government operations. The documents used to create it are a small portion of the terabytes of data stolen by pro-Ukrainian hackers from the Russian divisions of several multinational mining, manufacturing, and oil and gas companies in the early months of the war. The implications for Russian government organizations are now clear in the wake of the Times report, and outsiders’ knowledge of how these organizations work will only grow in the years to come as researchers sift through the massive amount of leaked data.
The pace of Ukraine’s hack-and-leak campaign has slowed in recent months, likely because attackers have already hit many of Ukraine’s most vulnerable systems and because the IT Army, an irregular hacking force run by Ukrainian government officials via Telegram, other social media, and other coordination mechanisms, has shifted to more disruptive attacks, including distributed denial-of-service attacks and wiper malware. Leaks by Ukrainians have declined since the war began, but they are still occurring, as illustrated by the Oct. 17 leak of over a million files from Technoserv, a major Russian consulting firm with close ties to the Russian government. The leak included personal data of employees, designs for IT systems, contracts with partners, and internal databases.
While the hack-and-leak operations may have subsided, they could still play a key role in another major geopolitical arena – the Taiwan Strait.
Cyber parallels between Ukraine and Taiwan
A hack-and-leak campaign is one possible consequence of a Chinese attack on Taiwan. In the event of a Chinese invasion of Taiwan, several of the factors that enabled the Ukrainian hack-and-leak campaign would likely be present. The Ukrainian campaign has relied on overwhelming public support from the West, which has allowed groups such as Ukraine’s IT Army and Anonymous, among others, to intervene against what their members see as government repression and to organize near-permanent attacks. From the outset, Ukrainian government officials had a keen understanding of how to mobilize these volunteers, and have used Telegram and other coordination tools to steer attackers to valuable targets in Russia. Ukrainians also benefited from the fact that many Russian organizations, like many organizations in other countries, had left critical systems insecure, giving attackers access.
These and other conditions would likely apply to any civilian campaign against China following an invasion of Taiwan. Whether Taiwan would be able to garner sufficient public support is an open question and will likely depend on both the timing and the manner of a hypothetical Chinese invasion. Likewise, any Taiwanese attempt to turn international support into a hack-and-leak campaign would depend on the strength of both Taiwanese institutions and coordination mechanisms. The Great Firewall, a set of policies and systems designed to regulate the flow of information to and from China over the Internet, could also affect any campaign. While the previous three factors would likely shift in the short term and be influenced by events in the immediate run-up to a conflict, the Chinese cybersecurity environment offers a relatively static area of analysis.
Assuming there is a public backlash to an invasion and the Taiwanese authorities are able to organize it as the Ukrainians did, how would Chinese cybersecurity fare? The likely answer: not well.
There are several indications that China’s cybersecurity industry would struggle to respond to a simple, large-scale campaign such as the one Ukraine has led against Russia. China is a hotbed of cybercriminal activity, although it has made some strides in driving cybercriminals out of the country and reforming its privacy and cybersecurity laws in recent years. Major Chinese Advanced Persistent Threats (APTs), including APT 41 and Webworm, which carry out many Chinese cyberattacks against foreign targets, also operate as criminal hackers targeting companies in China. Aside from the APTs, which are the most skilled and best-equipped cyber attackers, China is also home to a large cybercrime community whose members operate in private criminal forums and often trade access to Chinese companies’ networks and data stolen from those networks. These lower-level, forum-based hackers are similar to the types of hackers who might be expected to participate in a hacktivism campaign. The current vulnerability of Chinese companies is not expected to improve in the coming years.
However, businesses are not the only targets vulnerable to cyberattacks. The government itself has fallen victim to several major hacks in recent years. Earlier this year, a hacker stole 23 terabytes of data from the Shanghai National Police and put it up for sale on a cybercrime forum. The data included names, addresses, phone numbers, birthplaces, national ID numbers, and criminal case details of over a billion people, nearly 70 percent of China’s population. Although this leak was unusually extreme, Chinese government documents appear to be leaked several times a month on the same forum. While the Chinese government has taken steps to improve cybersecurity in the country, it remains to be seen whether these changes will be implemented in practice. There are currently significant vulnerabilities in Chinese government systems, which is of particular concern given the vast amounts of personal data the Chinese government collects about its citizens. The skills of the cybercriminals who share this government data are likely to be roughly comparable to those of hackers who might be expected to take part in an irregular cyber campaign.
Any potential hacktivist campaign in China would follow the existing contours of cybersecurity in the country. Past attacks on businesses and the government provide insight into the state of cybersecurity in China, areas of potential vulnerability, and the impact different categories of attackers would have. Additionally, the hack-and-leak campaign against Russia has shown how leaked documents can provide insight into a regime’s activities. A hack-and-leak campaign would have an even greater impact in China, given the size of the country and the government’s collection of vast amounts of personal data. Hack-and-leak operations have been shown to cause social instability, as seen after the Russian hack-and-leak campaigns during the 2016 US election, and any such instability could force the Chinese regime to address social unrest at home while simultaneously attempting to take Taiwan.
Kyle Fendorf is a research associate for the Digital and Cyberspace Policy program at the Council on Foreign Relations.