Earlier this week the Ukrainian hacktivist group, CyberResistanceUA (CRUA), announced their latest attack. In a video posted on their Telegram channel, paired with an article from InformNapalm, they released information related to a media monitoring tool used by the Department of Information and Mass Communications (DIMC), dubbed Katyusha.
Another Hit For CyberResistanceUA
This is far from CRUA’s first time in the headlines this year. This past September CRUA gained notoriety with the leak of a hundred Cuban passports which, they claim, had been obtained from the hacked email inbox of a Russian military officer in the Western Military District. Since then, the group has posted several more interesting leaks in their Telegram channel, but none have received the same level of attention; it had seemed they lost steam after the passport leak.
On November 27th they posted, arguably, the most interesting hack they have performed since then. In a ninety second video they demonstrate access to Katyusha, a mass collection and analysis tool for, primarily, Russian media.
Katyusha is the brainchild of M-13 founder Vladislav Dmitryevich Klyushin (Клюшин Владислав Дмитриевич). M-13 touts itself as a Russian software company offering a variety of services that include penetration testing, APT emulation, social media scanning, and consulting, boasting a clientele that includes Russia’s presidential administration and the Russian government. However, Klyushin was much more than Moscow’s hottest software engineer. On March 21st, 2021 he was arrested at the request of American officials in the Swiss city of Sion, where he had arrived with his family on a private jet and was about to transfer to a helicopter bound for the ski resort in Zermatt.
In a statement to the press, Jodi Cohen, Special Agent in Charge of the FBI Boston Division, described Klyushin as “…a sophisticated hacker who engineered a global get-rich-quick scheme that defrauded unsuspecting American businesses of approximately $93 million. He hacked into U.S. computer networks, stole non-public information, and illegally traded on it.” Klyushin was found guilty this past February of computer hacking, wire fraud, and securities fraud, and was sentenced by a US court to nine years in prison in September.
M-13’s connections to the Kremlin and its intelligence apparatus extend beyond contracts alone; American security officials fingered Ivan Sergeevich Ermakov, a co-defendant in Vladislav’s case and an M-13 employee, as a former GRU operator and member of Fancy Bear (APT 28). In October 2018, Ermakov was charged by a federal grand jury in Pittsburgh in connection with his alleged role in hacking and related disinformation operations targeting international anti-doping agencies, sporting federations and anti-doping officials. Ermakov, notably, was the only employee of M-13 who received one of four Porsche convertibles with “M-13” on the license plate.
According to the U.S. Department of Justice, “Klyushin, Ermakov and Rumiantcev worked at M-13, a Moscow-based information technology company that Klyushin owned. M-13 offered penetration testing and “Advanced Persistent Threat (APT) emulation,” – both services that seek exploitable vulnerabilities in a computer system via hacking techniques, purportedly for defensive purposes.” Strike Source, however, could not identify these offerings on M-13’s website. A total of four co-defendants were charged for this insider trading scheme, though only Klyushin has been brought to justice.
Katyusha (Катюша) is the center of attention on M-13’s website, accompanied by several other tools: Arena (Aрена), Arsenal (Арсенал), Arsenal.SotsMedia (Арсенал.соцмедиа), and Strike (Страйк).
Arena can scarcely be considered an offering in 2023’s landscape, being essentially a news display product featuring “necessary and important” news in automatic screen changes and thematic blocks. Arena includes:
- All the most important things on one screen in the mode of automatic change of screens and thematic blocks
- Convenient and customizable interface
- Structure of information by time, topics, headings, named objects and types of media
- Assessment of the quality of information on the tone and coverage of the audience
- Ability to print selected information in one click
- Round-the-clock support on the content of monitoring and use of the system
Simply put, Arena provides users with a news aggregator allowing for simpler sorting of news items.
Once you’ve waded through the marketing fluff on Arsenal’s page, you’ll come to learn that it is vaguely described as a tool for the “Organization of systematic media monitoring on given topics”. Arsenal is an analysis and report-generating tool that requires a custom search query which, as they say, “meets the needs of technical users but is also accessible to a wide range of users who don’t have specialized knowledge.” Pre-installed Arsenal filters allow for automatic retrieval of information from as far back as 2012. Generated reports are designed to be user-friendly, complete with graphics and can be exported in a range of formats including .xlsx and .docx.
Arsenal.SotsMedia is essentially identical to Arsenal, just designed to analyze and present social media information rather than news and other general topics. The product description is quite literally almost copied and pasted from Arsenal. Interesting features include the ability to view top authors for a given topic, sentiment analysis, data cleaning tools, and visualization features. Below is the product description directly from the site so you can see what I mean about empty marketing language:
“Arsenal.Sotsmedia is a tool for analyzing the information field of social networks with monitoring and analytics functions. The query language is used to search for data, which meets the requirements of monitoring specialists, but is also available to a wide range of users who do not have special knowledge in this field. Monitoring results in Arsenal.Sotsmedia are generated in the form of reports and exported to user-friendly formats. Export of messages to .xlsx with full texts is available, as well as .docx.”
“Strike” is a Telegram bot for monitoring social media networks, specifically Twitter and Telegram. It’s important to note that its Twitter monitoring capabilities were probably axed following the changes made to the cost of its API earlier this year. The tool aims to help customers centralize a feed of all mentions of a certain person or topic without needing to follow multiple channels and authors.
After selecting a person or brand, the first “mention” notifications should start arriving in 2-3 minutes, and will only display the key fragment – that is, the part of the message containing the social media mention. The concise format is designed to save time so that the recipient can receive, analyze, and react to the message as quickly as possible.
Monitoring settings can be tweaked to allow for more keywords and stop words to be added in order to make the content more relevant. Duplicate social media mentions are automatically filtered out.
Product characteristics on the website include:
- Monitoring of the two most dynamic social networks – Twitter and Telegram
- Notifications within 2-3 minutes of the message
- Selecting a fragment with a mention
- Indication of references to the original
- Filtering duplicates
- Ability to set stop words
- Adding accounts for on-demand monitoring
M-13’s Other Business
Strike Source identified several other websites hosted on the same server as the M-13 domain. In reviewing each, four piqued the most interest, “thewarmy.com”, “defendingrussia.ru”, “kremlin24.info”, and “gov24.info”.
It appears that M-13’s operations were not limited to monitoring propaganda; they may have played a role in creating some themselves in the past. TheWarmy presents itself as an English-language news site focused on Russian military matters. Its homepage shows several articles focused on the Russian air force, all published in 2016 within a few days of each other.
DefendingRussia, similarly styled to TheWarmy, is also a vehicle for Russian military propaganda, although their website indicates more recent activities, with most recent posts going back to 2022.
The server also presents two login pages, on the sites kremlin24.info and gov24.info. They serve the Press Service for the President of the Russian Federation (Пресс-служба Президента Российской Федерации) and the Government Press Service for the Russian Federation (Пресс-служба Правительства Российской Федерации); the first is seen on the left. Under each login form is a copyright mark for M-13.
It is likely that these are the login pages used by each department to access their respective Katyusha instances.
The Department of Information and Mass Communications (Департамент информации и массовых коммуникаций) falls under the purview of the Ministry of Defence (Министерство обороны Российской Федерации) (MoD) and specifically, Igor Yevgenyevich Konashenkov (Игорь Евгеньевич Конашенков).
Konashenkov has made himself known for his outrageous statements about the war, often claiming that “there are no losses”, day after day as the battle progressed.
In 2016, the MoD’s DIMC transitioned from a tool known as Mediology to Katyusha as its main media monitoring tool. In 2021, an additional two years of licensing was acquired by the Ministry of Digital Development, Communications, and Mass Media of the Russian Federation. The contract allocated 295,062,600 rubles to be given to M-13 for data processing services.
In the modern world of mass monitoring, Katyusha is unremarkable for its media analysis and aggregation capabilities. Although it collects Western media stories, these are often not prioritized and a query must be run to find them. In turn, this indicates that the tool is primarily used to monitor public opinion and sentiments echoed in Russian news outlets, allowing operators to assess domestic coverage of the Russian government and its actions.
M-13 describes Katyusha as having the ability to conduct 24/7 media monitoring, operating a database covering over 40,000 sources including Russian federal and regional media and key foreign media outlets. Also described are options to sort information by time, topics, headings, named objects and types of media, and assessment of information based on sentiment and audience coverage. Katyusha gives users the ability to monitor key Russian print media outlets, while also offering social media coverage, and provides an overview of information events for selected time periods while detecting coordinated information attacks.
With the key role that social media has played in the war in Ukraine, there is little surprise that one of the modules monitors popular Telegram channels, sorted into two categories, Positive (Позитив) and Negative (Негатив), determined by the type of coverage.
Special attention is also paid to VK (the popular Russian clone of Facebook), YouTube, Facebook, and Instagram, though data for the last two was reported to be insignificant.
But don’t worry, not all of their attention is focused on “new media”; popular Russian print media are also fed into the system on a daily basis and made readily available for the operators to review.
Arguably the most important feature for mass analysis would be Statistics (Статистика), which allows a “birds-eye” view of all media Katyusha ingests.
The conclusion drawn by InformNapalm was that Katyusha is, simply put, “window-dressing” for the DIMC, massaging the news reports that are presented to higher-ups. Katyusha favors the media which favors Russia and duly identifies any dissenting opinions, which can then be dealt with however they so choose.
M-13’s offerings are lackluster, to say the least, and far less than what would be hoped for from an organization with ties to the GRU. In comparison to what was seen with NTC Vulkan, M-13’s capabilities make it seem as though the software side of its business was merely a front for its hacking and fraud operations which behind the scenes were used to enrich Klyushin and his co-defendants to the tune of tens of millions.
While the rest of the world continues to evolve, some things remain the same in Russia’s political and intelligence spheres. The Kremlin knows what it wants to hear, and contradictory opinions are not that; a statement which has remained true for decades.
Tools like Katyusha serve as an echo chamber for the Kremlin; dissenters are identified and duly dealt with. The revelations from this leak are not what one would consider groundbreaking; they are, arguably, disappointing. The capabilities for data collection and assessment within the Russian government are far less than what we all imagined.