Analysing the first instance of hacktivism in the Russian invasion of Ukraine

The file mil.ru.zip contained nine files.

Four of those files were .asc files. When examined, these were found to be public encryption keys. Public keys are obtainable online by their very nature, public keys must be shared so that people can encrypt information with them that can be decrypted by the corresponding private key. If these particular keys are from a hacked Russian website as alleged, they are likely also available online.

The data.txt file contained information about open source libraries, so again if this was taken from a hack this is information that is available online.

The gov.ru & mil logins.txt contains emails and passwords, those will be examined.

Packages.gz contains VLC packages. VLC is widely used open source software, so again information available from the public domain.

The file passwd.txt doesn’t contain passwords as one might assume, it contains generic file paths, notably some containing English names. It is possible these file paths came from a hacked system, but given the generic nature of the file paths and that some of them had English names it is deemed unlikely they came from a system belonging to the Russian government.

Finally, vlc_0.8.6a-jb-videolan-1.tar.gz contained files such as open source libraries for VLC.

Why any of the files surrounding gov.ru & mil logins.txt were included in the leak is unknown as they don’t add to the authenticity of the leak.

gov.ru & mil logins.txt contained 117 emails with plaintext passwords. Given that this is alleged to be a leak of an official Russian government website, more emails would be expected.

There are also some notations through the file, stating that some emails and passwords were dumped as part of the cfire-mail.ru leak of 2014, a combined hack of three separate gaming related forums. That hack resulted in, among other details, usernames and hashed passwords being leaked.

This hack is an example of why work email addresses shouldn’t be used for registering personal accounts on websites.

Many of the weaker passwords were also cracked. According to Zdnet, “the most common four passwords were some combination of “123456789”, which in part made it easier to determine a significant portion of the leaked passwords.” This is reflected in the gov.ru & mil logins.txt list with multiple passwords being simple numeric combinations.

Most of the passwords in gov.ru & mil logins.txt are also short and lacking complexity. It would be expected that even if the specific government systems didn’t mandate strong passwords that in a security conscious cohort there should be some long passwords showing complexity. At first glance, gov.ru & mil logins.txt does look like a subset of a wider dataset, the weak passwords that were able to be cracked. This aligns with the cfire-mail.ru leak, but isn’t concrete proof the entire contents came from that prior leak.

It is notable that the emails in gov.ru & mil logins.txt don’t seem to follow any strong naming convention. Some appear to be partial first names and last names, some are just first names, some are numbers like 123, some are a full first name with an underscore and then two letters, some are government department names. If they had come from a single government department, while some emails may diverge it would be expected that an overall naming convention would be discernible.

Some, strangely, are also outright English names.

The emails in gov.ru & mil logins.txt are split into two lists, a larger gov.ru list and a smaller mil.ru. The passwords for the gov.ru list all use characters from the English alphabet or numbers. Some use outright English words. There appear to be no anglicised Russian words and there are no Cyrillic characters used. This is odd given the passwords are reported to have come from a government department that doesn’t speak English as a first language.

The mil.ru list has some Cyrillic character passwords, along with some English characters and words, which is more in line with the alleged source of the leak. Some passwords are notably anglicised versions of the name used in the email. This is again expected, but is bad password practice as it makes the password easier to guess.

It is impossible to identify the exact source of the information in the alleged leak. However, when assessing all of this information together, it is deemed unlikely that this first alleged leak came from a hacked Russian government website.

Given some emails are known to have appeared in earlier breaches that were not related to the Russian government, and the weak characteristics of the passwords appearing to be a subset of cracked passwords from a larger dataset, it is more likely that this password list has been cobbled together from multiple prior leaks with cracked passwords. Given the irregularities in the emails and passwords, some parts of the list may be fabricated, or at least altered.

There is an outside possibility that the contents of gov.ru & mil logins.txt came from a hacked Russian government website and the contents of the file are just the easily crackable passwords. But the question remains, if the intent of the leak was to cause damage, why not leak everything obtained and let others try and crack the remained difficult hashes?

As the war in Ukraine continues, people are advised to remain vigilant and critical of the information about the conflict they consume.

If the mil.ru.zip file contained no real government secrets, what was the actual point of releasing it? To answer this, we must look at how hacktivism operates within the broader scope of modern information warfare. Often, the public claim of a hack can be just as damaging to an organisation’s credibility as a genuine data breach.

This phenomenon represents a shift toward using hacktivism as a vehicle for disinformation. By creating the illusion of a successful compromise, threat actors can damage the target’s reputation and erode morale without ever needing to achieve a complex technical network intrusion. In these cases, the label of hacktivism acts as a force multiplier, turning a low-effort fake leak into a perceived major security failure.

By fabricating a leak, attackers aim to generate a “Cyber Fog of War,” a chaotic environment where fact and fiction become indistinguishable. This tactic weaponises the public’s perception of hacktivism to serve a dual strategic purpose:

• Erosion of Trust: A primary goal of political hacktivism is often to undermine authority. By staging a fake breach, attackers make the target government or organisation appear incompetent and unable to defend its own digital borders. This sows doubt among the public and allies, damaging the target’s reputation far more effectively than a quiet, technical intrusion could.
• Resource Exhaustion: This form of hacktivism acts as a decoy. It forces defenders, intelligence analysts, and journalists to scramble, wasting valuable hours verifying false claims. Every hour a security team spends debunking a fake file like mil.ru.zip is an hour not spent hunting for genuine advanced persistent threats or patching real vulnerabilities, leaving the organisation exposed to actual danger.

Combating modern hacktivism requires more than just technical analysis; it demands a structured framework for understanding disinformation. This is where the DISARM Framework becomes critical for defenders.

Just as the MITRE ATT&CK framework maps technical cyber threats, the DISARM framework maps the Tactics, Techniques, and Procedures (TTPs) used in disinformation campaigns. In the case of this alleged leak, the activity was likely not data exfiltration (a technical attack) but rather an influence operation masquerading as high-stakes hacktivism to shape public perception.

By using the DISARM framework, organisations can effectively counter these narrative-driven hacktivism campaigns by:

• Categorising Narratives: Identify the specific psychological techniques being used against you, distinguishing between a genuine breach and a reputation-damaging hoax.
• Anticipating Escalation: Predict the next steps in the disinformation chain, such as amplification by bot networks or coordinated social media posts, before they go viral.
• Responding with Precision: Craft communication strategies that neutralise the threat without accidentally amplifying the attacker’s message or lending credibility to their claims.

Applying this threat-informed approach allows defenders to respond to influence operations with the same rigor they apply to traditional cyber attacks, ensuring that a psychological operation does not become a reputational crisis.

The analysis of mil.ru.zip serves as a potent case study for the realities of modern hybrid warfare. While the technical evidence suggests this specific file was likely a fabrication, its existence highlights a critical lesson for defenders: verification is the first line of defence.

In an environment where hacktivism claims can travel faster than the truth, organisations must be prepared to combat both technical intrusions and disinformation. The line between a genuine cyberattack and a psychological operation is increasingly blurred.

To navigate this cyber fog of war, security teams must adopt a threat-informed defence strategy. As an inaugural partner of the DISARM Foundation, Arachne Digital is uniquely positioned to help organisations leverage this framework. We go beyond simple data feeds, integrating tactics alongside traditional technical threat intelligence.

This comprehensive approach ensures you can cut through the noise of hacktivism, prioritising only the threats that pose a genuine risk to your operations. Contact Arachne Digital to discuss how our actionable cyber threat intelligence can help you anticipate, identify, and neutralise these hybrid threats before they impact your business.