A Look at Russian Hacking

M O S C O W, Nov. 20, 2000 -- While the international space station brings newrenown to Russia, the nation is gaining a darker sort of noticefrom other explorers — hackers who launch into cyberspace.

Russia’s reputation as home to some of the world’s most giftedand devious hackers was underscored last month when Microsoft Corp.disclosed that passwords used to access its coveted source code hadbeen sent from the company network to an e-mail address in St.Petersburg.

It is by no means clear whether a Russian was behind thebreak-in — that e-mail account could have been managed remotely.But that doesn’t stop Russian hackers — “khakeri,” or“vzlomshchiki (house-breakers)” — from puffing out their chestsat such exploits.

Bragging Rights?

In a recent poll on a hacker-oriented Web site, 82 percent saidRussia had the world’s best hackers; only 5 percent said Americanswere better.

But the bravado is laced with frustration.

Hackers are motivated as much by a lack of opportunity ineconomically struggling Russia as by criminal leanings, peopleinside and outside the hacker community say.

Sergei Pokrovsky, editor of the magazine Khaker, said thathackers in his circle have skills that could bring them richsalaries in the West, but they expect to earn only about $300 amonth working for Russian companies.

Russian higher education traditionally has been strong inmathematics, a skill at the core of hacking, but the Russian marketoffers few employment opportunities to such knowledgeable people,said Mikko Hypponen, manager of anti-virus research at the Finnishcompany F-Secure.

“They have too much time on their hands,” said Hypponen, whosecompany highly values the Russian computer experts it employs.

Russians have been behind several high-profile — and sometimeshighly lucrative — hacking cases. There was the cyberthief known as‘Maxus’ who stole credit-card numbers from Internet retailer CDUniverse earlier this year and demanded a $100,000 ransom. Whendenied the money, he posted 25,000 of the numbers on a Web site.Maxus was never caught.

Mathematician Vladimir Levin was caught and in 1998 wassentenced to three years in prison in Florida for a stunninginvasion of the Citibank system in which he pilfered $12 million bytransferring digital dollars out of the bank’s accounts.

Russians are also believed to be behind the 1998 theft of GlobalPositioning System software, used for missile-targeting, from U.S.military computers.

Victims as Well as Perps

Russian companies occasionally fall victim to hackers, too. Lastyear, hackers got into the computers of Gazprom, the Russiannatural gas monopoly that also supplies much of Europe and tookbrief control of the central supply switchboard; officials wouldn’tsay whether there were service disruptions.

Incidents of avarice and meddling in critical computer systemshave raised concern that some hackers who hail from Russia areaffiliated with its extensive organized-crime groups.

Pokrovsky, for one, rejects such speculation.

“Nonsense, complete nonsense,” he said. “For example, Ipersonally know Maxus and he isn’t in any crime group. He’s a verygood specialist who understands systems very well.”

The psychology of hackers can be as elusive as their identities,however. Of course some say their actions are just an offshoot ofexuberance, that they are chiefly benign interlopers.

Take the hacker known online as NcRoot. He says his first nameis Alexander and that he’s a 17-year-old student interested in Website design.

“Sure, there may be people who do this for the sake of moneyand who have small salaries,” he wrote in response to e-mailedquestions, saying he believed most Russian hackers do it for thechallenge of exposing security flaws.

“Fix in your mind, we just want to help you,” a hacker groupwrote to the Webmaster of an online music site they hacked intothis year. NcRoot was among the hackers.

Trying to Assess Economic Damage

While it’s impossible to estimate the economic damage Russianhackers may inflict through theft and mischief, indicators suggestthe sums are enormous. Many of the Internet’s so-called “warez”sites, in which pirated computer software is made available, areset up by Russians.

A study by the Business Software Alliance, an internationalindustry trade group, said that in 1999, pirates cost softwaremakers $165 million in legitimate revenues. The study said 89percent of business software distributed in Russia that year waspirated.

Law enforcement efforts have been weak.

The Interior Ministry division specializing in computer crimessaid this year that 200 arrests were made in the first three monthsof the year, up from just 80 in all of 1998. But that rise couldreflect increased police effectiveness rather than a growth incrimes.

“It means we are getting better and better,” said AnatolyPlatonov, spokesman for the Interior Ministry’s “Division R,”which handles computer crimes.

Platonov did not provide many specifics, however, such as howmany people work for the computer-crimes division.

Cyber Cops Lacking Resources?

There is a wide belief that Russian law-enforcement is beingleft in the dust by hackers.

“This is first of all because of a lack of resources. Therearen’t enough qualified police,” said Denis Zenkin of the Russiancomputer security company Kaspersky Labs.

Those police who are active nonetheless get some grudgingrecognition from the hacker community.

“These are professional guys,” Pokrovsky wrote in Khaker lastyear. “I fundamentally changed my opinion of them after I knockedinto them face to face.”

Computer experts generally agree that weak laws are to a largedegree to blame as well.

Pokrovsky, meanwhile, worries not so about hackers committingcrimes as being co-opted by institutions that can impede individualliberties. He is convinced that some hackers work with Russianintelligence agencies.

Hypponen said Russian hackers need to be concerned aboutnegative stereotypes.

Although his company has recruited workers from the Russiantalent pool, “some customers are uneasy about having developmentdone by Russians,” he said.