The Navalny Leaks: Data, Probiv, and Russian Political Influence

Navalny Donors Allegedly ID’d

On August 20, on the top-tier Russian-language illicit XSS forum, a threat actor named “lenovo” shared a database that allegedly contains the names, birth dates and, in many cases, the employers and financial holdings of physical persons who have made donations to the Anti-Corruption Foundation (FBK), an organization led by jailed opposition leader Alexey Navalny since 2014. 

The database, which contains almost 50,000 rows of information, appears to have initially been posted on 4chan, an anonymous English-language image board website, on August 19 by an anonymous user. Later, on August 20, the leaked database was also publicized on Russian-language Telegram channels and Twitter, as well as on XSS. As of this publishing, Flashpoint analysts are not able to verify the data contained in the leaked database or the links between the individuals and their stated employers. Altogether, we think this illustrates the topsy-turvy system by which the Russian political system operates: the more these data leaks occur, the more unstable the system—regardless of verification or whom (or what) is targeted. 

Today, the Russian government is attempting to take back control over leaked data by criminalizing the publication of an ever-expanding range of data considered to be vital to Russia’s national security and by designating several leading investigative outlets and journalists as “foreign agents,” making it impossible for them to function in the country. The authorities are also increasingly using lax data security to their own advantage. Regular, well-publicized data leaks involving dissidents are making it more difficult for government-independent dissidents and civil organizations to organize and solicit donations, as people are becoming more wary of being caught up in a chain of exposure, identification, and real-world repercussions.

While neither the donor names and donation values are included in the leak, such information can potentially be used against members of the political and business elite, by other elite groups, or Russian security services.

This is the first time that information about FBK’s donors—several of whom are ostensibly connected to significant state-owned companies and oligarchs—has been publicized following the alleged breach. Flashpoint analysts have identified that several donors are listed as employees of big state-owned companies such as Rosneft, Gazprom and Gazprom’s holdings, as well as the foundations of influential businessmen like Vladimir Potanin and Mikhail Prokhorov, who, while not close Putin allies, also are not regarded as supporters of the opposition. There is no indication linking the businessmen to Navalny’s organizations either.

Navalny Data Leaks This Year

In April 2021, attackers breached the email database of the “Free Navalny” website, where supporters were invited to sign up to participate in planned protests. This database was subsequently enriched with information that the news site Meduza found may have originated from “Sprut,” a database aggregating various personal information that’s connected to the Presidential Administration’s Scientific Research Computing Center. 

In July, thousands of email addresses were leaked from Navalny’s Smart Voting platform in Moscow. 

In August, days before the aforementioned anonymous 4chan post, a bigger Smart Voting database, ostensibly containing 2.2 million entries, was leaked and shared on Telegram channels. The 4chan uploader—who pointed out that they were located in Lithuania—accused Leonid Volkov, Navalny’s campaign manager who presently oversees the operation of his organizations, of illegally collecting data on donors. The uploader added that Volkov has demonstrated poor operational security practices. The language used by the 4chan uploader echoes the language used in the emails received by the victims of the April leak in that both texts accuse Leonid Volkov of amateurish data protection practices and mocked him for failure to implement property security measures. 

Both the fact that the database was first published on 4chan and the reference to Lithuania aim to suggest the involvement of foreign hackers, but it is likely that the leak originated in Russia. 

The user who posted the database on the XSS forum, “lenovo,” had not been active on the forum since 2012, suggesting that the account was either taken over for this specific purpose or developed by a threat actor whose main activity is not cybercrime.

Fallout: Russia Cracks Down

FBK, which has produced several in-depth reports on corruption in elite Russian circles, including on Vladimir Putin’s properties—was central to Navalny’s efforts to grow his opposition movement—was designated as an “extremist organization” by Russian authorities in June. (As of this publishing, the website is currently blocked in Russia). People associated with Navalny’s organization are barred from standing for office in Russian elections and can be prosecuted. After a hiatus, FBK had restarted accepting donations on August 5.

The enrichment of the leaked data makes it possible to identify citizens supporting Navalny’s organizations. Following the April leak, many of the affected people reported receiving threatening emails and in Moscow, several were fired from jobs connected to the city authorities. In August at least a thousand Moscow residents whose email addresses were in the “Smart Voting” leak were reportedly harassed in their homes and advised to leave a complaint against Navalny’s organizations for “mishandling”
their data.

In recent years, the Russian government has attempted to increase its control over internet infrastructure and content posted online in order to extend its digital surveillance footprint and centralize data collection on the federal level. Its efforts have led to an accumulation of sensitive data collected by various state institutions and internet service providers, all while data security practices—both for those who collect and/or store the data—have not improved to a necessary level. This has resulted in the evolution of a black market of breached databases and lookup services based on them (called “probiv”), which fueled a boom in investigative journalism in Russia.
* * *

Flashpoint analysts assess with moderate to high confidence that the Russian government will continue to crack down on illicit marketplaces offering data considered to be sensitive, especially data regarding security services and the military. However, since the publication of datasets on opposition supporters benefits the authorities and there is evidence suggesting that elite groups also use probiv and similar services in intra-elite conflicts, analysts also assess with moderate confidence that this crackdown will remain selective and the market will be allowed to thrive.

Data and analysis for this article was discovered directly through analyst research in the Flashpoint platform. Request a demo or sign up for a free trial and see firsthand how Flashpoint cybersecurity technology can help your organization access critical information and insight into ransomware actors and their tactics, techniques, and procedures (TTPs).