“Killnet is just a marquee on the road.” A great interview with Sean Townsend, a legend of Ukrainian hacking

Andriy became known to a wider audience in 2014 when he created the hacker group RUH8. It hacked into the information systems of Russian military units, intelligence, regional governments, and the upper house of the Russian parliament.

Later, Andriy, together with other Ukrainian hacktivists, united in the «Ukrainian Cyber ​​Alliance». And here it was not without police visits. In 2020, law enforcement officers came to Andriy and his colleagues from the alliance with searches, because they believed that they were involved in the hacking of the IT system of the Odessa airport. This was never proven.

We recorded a long interview with Andriy Baranovich. He recalled how he began his journey in the cyber world, how he found a way to steal passwords and bypass two-factor authentication in Privat24, told how he hacked the accounts of important people in the «LPR», what targets he worked on together with our military. He also shared his thoughts on whether real cyber troops have already appeared in Ukraine and what needs to be done to establish them.

And a lot more about the hacks and vulnerabilities of Aeroflot, Kyivstar, and Diya. About what happened to the founder of the famous cyber forum xxs. And also — which messenger and which backup is the most reliable.

— Tell me about yourself. Where did you start? Why did you decide that hacking was your thing?

— Computers interested me even before school. I didn’t have to decide anything, like many of my peers, I immediately realized that with this device I was limited only by my own imagination. The only problem was that in the country of ice cream and advanced socialism that had won, there were even fewer computers than there was sex, even in cities with a population of millions such as Donetsk. Now, when everyone has a phone in their pocket and is connected to the network, it is already difficult to imagine a world in which phones were securely tied to PBXs with wires, and access to computers, mostly homemade ones like Radio, Sinclairs and Soviet freaks, had to be sought out.

Since there was no proper documentation before that, and no networks either, playing with the computer turned into hacking (in the original sense of the word). Then, when I was studying applied mathematics, in the mid-90s I got access to FIDO (an international non-profit computer network created in 1984 — Ed.). I was attracted to «useless» tasks — bypassing protection (legal software practically did not exist), demo design and computer viruses, which would later become my hobby for a very long time.

If you don’t include editing computer toy storages in your CV, then a major project is of course the VX Heavens portal (the Ministry of Internal Affairs seized its servers in 2012 — Ed.), dedicated to researching computer viruses. If we talk about network hacking, «like in the movies», then about fifteen years ago Privatbank started a bug bounty program, and I immediately found a way to steal passwords and bypass two-factor authentication in Privat24. By that time, I had already worked as a network administrator and programmer.

— By the way, why Sean Townsend? Did you ever tell me how this nickname came about?

— I needed a nickname with a passport, so I took the mail of the «Ministry» of Information of the «DPR» and chose a passport from the accreditations there. The real Sean is a technician on the film crew. I hope that the fact that I asked him for namesake doesn’t bother him.

— How did you get involved in the war with Russia?

— Simultaneously with the annexation of Crimea and the invasion of Donbas, hacker attacks immediately began. Kostya Korsun (cybersecurity expert — Ed.) then convened a closed meeting, which brought together information security specialists, business and all services that are somehow related to security. Because it was exclusively about defense, it was boring.

Then, in March, acquaintances from the SBU asked to look at the mailbox. We found the password for it by brute force and the owner turned out to be a certain Oleksiy Karyakin (a political figure of the so-called LPR). The reading turned out to be interesting, so the SBU immediately opened one of the first cases against the «chairman of the Supreme Council» under the article «high treason». At that time, there were several major hacks — the State Duma, the Astrakhan administration. In 2016, after the successful hack of the Orenburg government, Roma Burko from Informnapalm wrote to me and invited me to the Ukrainian Cyber ​​Alliance.

— The Ukrainian Cyber ​​Alliance — how many hackers/cyber experts are there? And what is the largest group of hackers in Russia that we are up against?

— The participants are changing, in 2019 Flacons Flame and Cyberhunta left, but recently UHG joined. The exact number of participants is a secret.

We don’t confront other hackers, that happens very rarely. Cyber ​​is a specific domain where attackers almost never encounter each other.

— I remember that I had an interview with the former head of the cyber police in Kyiv, a month before the start of the large-scale operation. He said then that we should judge whether the war would start by the hacking activity of the Russians. And it did become active then. Perhaps you remember the attacks on state websites and registries in 2022, January-February. Did you wait for the war to start?

— We argued a lot about when exactly the invasion would begin, colleagues conservatively «bet» on spring, I thought that before preparing for war we would see a redistribution of large property. Sometimes acquaintances from intelligence joined in on such conversations. Naturally, the invasion, as predicted, began with a hacker attack on January 13-14. The State Special Communications Service counted up to seventy government institutions attacked. Hackers from Unit 29155 (a unit of the Russian military intelligence GRU — Ed.) staged a clownery, but it was quite obvious that the account had gone to the bottom.

— Events a little earlier — at the end of 2021, the desktop version of «Diya» was hacked, allegedly through a contractor’s software. Was this really the case? And could this operation have been a preparation for a large-scale war?

— In 2021, one of the volunteers sent me the link diia.gov.ua/.git/config (which allows you to copy the prod system), the vulnerability was quietly covered up then, but it says a lot about how the Ministry of Digital Affairs treats security. During the January attacks, the Diya portal was hacked like all the others (including the registers of the Ministry of Internal Affairs). Russian military intelligence then published the data, and I had the opportunity to make sure that it was real.

— In an interview with the HackYourMon channel , you said that for the European KA-SAT communications satellite, which the Russians put in place at the beginning of the war (and on which satellite communication was established in Ukraine at that time, there was no access to Starlink yet), you could say that you took revenge by putting in place a Russian satellite a year ago, which served the FSB/navy, and so on. How do you assess the damage to Russia from this attack? What did it affect?

— The lack of communication is always unpleasant, especially in hard-to-reach places where there is no other communication besides satellite. But we conducted this operation together with the military, and they insisted that the operation take place «under a foreign flag.» I think that what happened, in the end, should be told later by the Armed Forces of Ukraine.

— The attack on Aeroflot in July of this year. Hundreds of flights were delayed in Moscow. Who carried it out? What vulnerability could have caused the system to fail? Can it be repeated?

— The attack was carried out by Cyber ​​​​guerrillas from Belarus and Ukrainians from Silent Crow. Usually people think that if the system is large and important, then the attack must be extremely innovative and complex. This is not so. The level of security and the perceived «importance» are in no way connected. I do not know the details of the hack. An employee could have clicked on the wrong link and launched a stealer (​stealer, or hijacker — Ed.), somewhere there was an abandoned and leaky site, somewhere they did not cover the port, somewhere they lost the password.

— Administrator of one of the most influential darknet forums xss.is Tokha, who was allegedly arrested in Kyiv by Ukrainian and French special services in the summer: do you know what’s happening to him now? What about xss.is? Is it true that the forum’s mirrors are now run by our special services?

— I think that this should be asked to the SBU, but judging by the panic that began in the criminal underground, it is likely that it was «Tokha» who was arrested, and he is a legendary personality, in addition to XSS, he is the creator of Exploit — the oldest and most influential platform in the criminal underground. It is possible that the SBU and the French special services are trying to squeeze out even a drop of control over the forum, and this is what their silence is connected with.

— Cyber ​​troops in Ukraine: do we have them? Are there well-trained special forces that can attack Russian facilities and protect our IT infrastructure?

— Officially, we don’t have any cyber troops (despite the presidential decree). However, for some reason, the State Security Service and the Security Service of Ukraine quite openly talk about the cyberattacks they have carried out. Cyber ​​defense units have always existed, their effectiveness can be debated, but they don’t raise any questions.

— How can this be? A military+civilian coordination center? Is it a working scheme? Won’t there be chaos?

— To begin with, a new branch of the Armed Forces of Ukraine should appear. Because now there is no official consumer, and everything works on horizontal connections. There will be many problems there, but we need to start somewhere. With the official recognition that Ukraine is conducting offensive cyber operations and the formation of the appropriate troops (forces).

— Whose contribution to cyberwar is greater: hacktivists or state-controlled units?

— I don’t like the word «hacktivist,» hacktivists are usually involved in domestic politics, not war. I think that regardless of whether the military or civilians are involved in hacking, it’s high time for the state to somehow, if not lead, then at least coordinate all this activity.

— In the HackYourMom interview, there was this question, but I’ll formulate it again: who will win the cyberwar: Russia or us?

— This is not a competition. If you are not yet in Kolyma with a shovel, then we have not lost the war. Hacking is the same tool of war as artillery, drones or electronic intelligence. Will our artillery win over the Russian one? The very formulation of the question is pointless. You can ask whether it copes with the tasks, and what needs to be done to cope better, but not about «who will win.»

— Data leaks from messengers are a common practice. Which messenger is the most secure?

— Protected from whom? And who are we protecting? All messengers have vulnerabilities, and no messenger will protect you from your own mistakes when you click on anything. Signal is popular now, but neither Signal nor more exotic options will protect you from spear phishing (a fraudulent campaign in which a hacker or someone else with bad intentions obtains the contact information of a person with privileged access — Ed.) or other mistakes.

— What messengers do you use?

— Mostly Signal. And TG (no particularly important correspondence). Sometimes I just have to use Wire, Threema, Matrix, Keybase, Jabber, Tox simply because the people I need are there.

— How long does it take a hacker to launch a targeted attack on a resource? And how long can he remain undetected in the system?

— It’s a matter of luck, and the attack doesn’t necessarily have to be targeted, it can be sectoral, often we still end up hacking the factory, or the contractor who makes software for the factory, or even not this factory, but another one of the same profile. But if we’ve already gotten inside, we can stay there for years. We can come back if necessary.

— If a hacker attack is aimed at the data of a company/government agency, and the backup of this data is also erased, is it possible to somehow restore the data? Are there so-called immutable backups — are they a panacea? Should they be used?

— People have simply forgotten how to make backups. If you have a backup copy stored in a vault and on tape, and both online on the same network, it means that you only have a «hot» backup. It can only protect against technical failures. You can recover from cold backups, or try to configure everything and restore from scratch.

— Let’s imagine that the backup cannot be changed, changes are only possible, let’s say, in a year. Do you think that is reliable?

— And if the cloud provider is taken down, then what? A cold backup is a very «simple» thing. A stack of hard drives or tapes that are not connected to anything. And it lies in a safe. Preferably in two copies in two different places. Making such backups regularly, ensuring their security (physical), and so that the media never appears online is very, very difficult. It requires hellish discipline.

— Immutable backups can be «turned off» — then they are physically inaccessible in the system, and the attacker cannot find out about them. And with a safe, questions immediately arise about the physical security of such storage. So, maybe immutable backups are more reliable?

— It depends on how it’s implemented. Maybe it will help, maybe it won’t. If it’s a software implementation, you can hack it, if it’s hardware, you can use the window when the storage is open for writing and write garbage there. In fact, I’ve never encountered it. So it’s more of an exotic thing.

That’s just what I’m saying. Is it possible to make a normal backup and recover from it after an attack? It is definitely possible, and there are many options. «Cold» offline backups are a classic solution, but not the only one. And this is not so much a technical issue as a question of politics and discipline. And practice shows that in 95% of cases, both are absent.

If we come to the admin forum and raise this topic, they will discuss thousands of solutions to the problem for weeks (and they are even right that some of their solutions, if implemented completely and consistently, will help), but I very rarely see companies that would say «we were hacked/encrypted, but we will recover in due time.»

— Do the Russians have a list of businesses/government agencies they are going to break up in the near future? In other words, is there a plan or is everything chaotic?

— Without a doubt, they have priorities and a kind of logic in how they choose their targets. Sometimes they can even arrange a «response» (as was the case with insurance companies, for example), but there is no overall strategy.

— What are the risks of hacking for companies that place data in global clouds versus local clouds, local data centers, and their own servers?

— It depends on the administrators, the cloud has the only advantage that the provider’s administrators are responsible for backups.

So you can’t rely on anyone here. Because the next target could be a cloud provider.

— What is the probability that a random Ukrainian company is in a risk zone, in a zone of interest to Russian hackers?

— We are all a target for the aggressor. Regardless of the size and profile of the company, it will be a target, it is as exhausting a reality as the daily shelling and airstrikes.

— Your version of the hacking of Ukrzaliznytsia’s IT infrastructure this year is interesting. When it was impossible to even buy tickets for almost a week. My insiders say that during the investigation of the incident, employees were not allowed to touch their own computers. Who is behind the attack? What was hacked? What was stolen/deleted? And the same with Kyivstar — what happened two years ago when the entire network went down for a week? Was there a traitor inside the company who leaked access?

— I simply don’t know about UZ, one of the GRU units took responsibility for Kyivstar. I think they stole everything that was valuable. And these are call logs, personal information, and the ability to track geolocation, it’s even strange that they decided to eventually bring down the network, and not download information from there. And as I said, the size and importance of the company, and its security are unrelated things. A kindergarten may be better protected than a national operator.

— What are the most popular programming languages ​​used by hackers?

— If you look at the products (open or those sold on the black market), everything will look the same as for regular developers C++, C, Java, PHP, Python, a little less often Rust, Go, and even assembler is still found. The choice of language is not so important.

— How has the emergence of AI affected the activities of hackers/anti-hackers?

— When it comes to AI, there is much more hype than real application scenarios right now. The tool is promising, but so far it is a solution in search of a task.

— For example, there was news that OpenAI blocked ChatGPT accounts used by Russian, Iranian, and Chinese hackers. Can AI, as a simple tool, add scale and mass attacks?

— I don’t know of any case where AI has added scale or mass. AI can solve either very simple tasks that an experienced hacker would solve faster and better without AI, or those tasks that are not directly related to hacking (I won’t tell you which ones).

It is in hacking and protection, in the work done by hackers on the one hand, and admins and security experts on the other, that AI is practically useless.

— Is it true or a fake that Russian hackers recently allegedly hacked the data storage of our General Staff and stole 1.7 million records of dead soldiers?

— If this is about Killnet and «1.7 million losses», then this is naturally a lie. And Killnet is not capable of hacking anything in principle (which does not mean that there were no hacks, but they could have been in a different place and with different results).

This is not information, but a common Russian lie that even the Russian IBshnaya public does not believe in. Killnet is just a tent on the road, but for some reason that I do not fully understand, they have powerful media support.

— I almost forgot to ask: is it possible to earn money and live normally from the kind of activity you are engaged in? And does the earnings correspond to the level of comfort and the level of nervous tension in some situations (you were searched in 2020)? Maybe a regular full-time position as a security guard in a large company is a much easier way? What’s the point?

— Looking at what exactly to do. If you earn money on the black market, you can earn money. Either money or time. Earnings, as everywhere else, will depend on personal talents. It’s easier to work in a «white» job.

— What kind of work can you get paid for? Do you mostly work for donations?

— At different times, I worked as a sysadmin, programmer, and security guard. I have enough experience, I have legal sources of income, and I’m not worried about this.

— Because it’s a bit difficult to imagine a contract with a white hacker. Does that happen?

— Why not? The word hacker can really scare you, but «information security specialist» is the norm.

— Do you have your own business or work for hire? Maybe you have stocks, bitcoins, real estate?

— I wouldn’t like to delve into this issue, so that activities related to war and politics don’t overlap too much with filling the refrigerator.

— But overall, there is enough money, right?

— Yes, while there is enough, we collected donations several times, and they were spent on iron. Of course, with reports and checks.

— For some reason, I always thought that financing such operations was not easy.

— It’s very difficult and expensive if a person from the street wants to create a hacker artel. If you know how and what works, then everything is much cheaper, but it takes a lot of time.