Hacking collectives on both sides of the Ukraine-Russia information war have been instrumental in revealing key facts and documents that some would prefer to remain hidden. The latest leak by Ukrainian hackers purports to reveal new evidence of Russian soldiers’ presence in Ukraine.

On Friday, Ukrainian activist Evgeniy Dokukin and Ukrainian Cyber Forces, the hacktivist group he founded earlier this year, released 1.7GB of files taken from the Russian Interior Ministry. Later, Dokukin released an additional 34GB of data from the Interior Ministry servers, most of which has not yet been fully analyzed by journalists.

As with most leaks, most notably the September hack of the Liberal Democratic Party of Russia (LDPR), the majority of the leaked documents are overwhelmingly useless and dull. However, as in the case of the LDPR leak, evidence of Russian involvement in eastern Ukraine can be found buried underneath heaps of bureaucratic minutiae. While most of the files are inconsequential, the fact that they originate from the Rostov branch of the Interior Ministry is intriguing, as the Rostov region in Russia shares a border that spans hundreds of miles with eastern Ukraine.

Dokukin told RuNet Echo that he and the Ukrainian Cyber Forces hacked an e-mail account of the Russian Interior Ministry and two other servers, and that they also gained access to additional information that has not yet been publically released. Dokukin says he has personally not spent much time reviewing the documents taken from the Ministry server, but instead relies on journalists to parse through the gigabytes of information.

The Ministry Files

Even a quick look through the hundreds of documents makes it immediately clear that either all or nearly all of them are the real deal. A truly massive amount of manpower would have been necessary to fabricate the level of detail in the reports and lists in this leak, including metadata that seems genuine. For example, in a randomly selected document from the archive the document’s content and metadata all check out. Take, for instance, an “Overview of the state of the rule of law and public safety during public events held in the first quarter of 2014” from the General Directorate for the Protection of Public Order (GUOOOP). According to the metadata, the document was created on April 29, 2014 by Sergei Lukin, who, according to a number of news articles, is the Deputy Head of the same department. It is possible that a Ukrainian hacker spent months forging thousands of documents that perfectly match the style and content of Russian paperwork, along with matching metadata, but common sense and Occam’s razor would lead one to believe otherwise.

The most interesting document in the cache of files so far may be a police account written on August 26 describing the circumstances of an August 25 battle between Russian soldiers and the Ukrainian National Guard “10 km northwest of the small village of Prognoi.” The reason why the Interior Ministry—and not the Foreign Affairs Ministry—wrote this account is because four of the Russian soldiers sustained injuries and were evacuated to a Rostov garrison hospital. With independent verification, this police account could serve as proof of the Russian government’s knowledge of its military units operating in, or at the border of, a foreign country and firing upon its soldiers. This verification is not terribly hard to find.

On August 26, Andriy Lysenko, the spokesperson of the Ukrainian National Security and Defense Council, gave a briefing detailing an attack on Ukrainian border guards in the area of Krasnaya Talovka, which lies almost exactly 10 kilometers northwest of the small village of Prognoi. The Ukrainian account of this battle matches the account given by the Russian Interior Ministry.

Ukrainian account:

25 августа на участке “Красная Таловка” Луганской области была выявлена диверсионно-разведывательная группа, которая пересекла границу с территории России. В 15:00 хорошо замаскированный пограничный наряд автоматным огнем остановил продвижение диверсантов. Для подкрепления к месту боя прибыли дополнительные оперативно-боевые группы пограничников. Ожесточенный бой с российскими наемниками длился 2,5 часа. Диверсионная группа поддерживалась огнем из Российской Федерации – из минометов, 2 БТР и 2 БМП. Кроме того, украинских пограничников обстреляли неуправляемыми реактивными снарядами 2 боевых вертолета Ми-24 Вооруженных сил РФ. Во время боя погибли 4 пограничники, 3 ранены. Благодаря действиям героев прорыв через границу не состоялся. Противник понес значительные потери. Раненых и убитых диверсантов с поля боя в России эвакуировали на БМП под прикрытием огня БТРов и вертолетов.

On August 25 in the area of “Krasnaya Talovka” of the Luhansk oblast, a sabotage and reconnaissance group which crossed the border from Russia was detected. At 3:00pm, a well-disguised border detail used automatic weapons to stop the advance of the saboteurs. Additional operational combat groups of border guards arrived at the battle as reinforcements. The fierce battle with Russian mercenaries lasted for two-and-a-half hours. The diversionary group was supported with fire from mortars, two APCs, and two IFVs from the Russian Federation. Additionally, Ukrainian border guards were fired upon by unguided rockets from two Mi-24 combat helicopters of the Russian armed forces. During the battle, four border guards died and three were wounded. Thanks to the actions of the heroes, a breakthrough across the border did not occur. The enemy suffered significant losses. The wounded and killed saboteurs were evacuated from the battlefield in Russia with an IFV under the cover of fire from APCs and helicopters.

Leaked Russian document:

25.08.2014 около 15.50 при выполнении служебных обязанностей произошел факт получения ранений в ходе боестолкновения с войсками Нацгвардии р. Украина в 10 км северо-западнее х. Прогной Тарасовского р-на рядовыми к/с в/ч №51182 Полстянкиным М. В., Волгиным О. Ю., Алексеевым Ю. А., Герасименко А. А., проходящими службу в в/ч 51182 н. п. Миллерово. В 18.52 25.08.2014 вертолетом Ми-8 ВС РФ раненые эвакуированы в Ростовский гарнизонный военный госпиталь.

On August 25, 2014 around 3:50pm, M.V. Polstyankin, O.Yu. Volgin, Yu.A. Alekseev, and A.A. Gerasimenko, serving in contracted Unit 51182 of the Millerovo locality, suffered injuries in the performance of official duties during a clash with the forces of the National Guard of Ukraine 10km north-west of the small village of Prognoi of the Tarasovsky region. At 6:52pm on August 25, 2014, the wounded were evacuated to the Rostov garrison hospital via a Mi-8 helicopter of the Russian armed forces.

There are additional details from the leaked document that can be independently verified, especially through a Gruz 200 investigation of Mikhail Polstyankin, a Russian soldier who perished during the battle near Krasnaya Talovka. Gruz (Cargo) 200, referencing the code name of the transport for Russian military casualties, is an advocacy group that has documented Russian military casualties in the Ukrainian conflict. Presenting four pieces of evidence, including a Facebook post of a family friend on August 28 reporting the death of a Mikhail Polstyakin on August 25, Gruz 200 makes a convincing case that corroborates the account found in the leaked Interior Ministry document.

This leak is almost certainly genuine and provides a rare glimpse into the inner workings of the Russian Interior Ministry, though limited to the Rostov branch. There are other interesting details in this set of documents, such as Russia’s concern about weapons being trafficked from Ukraine, but the August 26 report documenting four injuries—one of which led to a death—of Russian soldiers confirms what nearly everyone has already suspected: Russia has used its official, enlisted military personnel to engage in combat with Ukrainian soldiers.

Ukrainian Cyber Forces

Dokukin has not exactly been secretive about his part in the ongoing cyber warfare. He frequently gives interviews and boasts of his group’s successes online. Other than his hack of the Russian Interior Ministry servers, Dokukin provided RuNet Echo with a list of ongoing operations of the “Ukrainian Cyber Forces,” including the blocking of accounts belonging to pro-Russian separatists on electronic payment systems, such as Yandex Money Wallet, and performing DDoS (distributed-denial-of-service) attacks on pro-separatist websites, such as novorosnews.ru and novorossia.co.

When asked about how he and the Ukrainian Cyber Forces differ from pro-Russian hacking groups, such as CyberBerkut, Dokukin says that the Russian hackers work under the Russian FSB (Federal Security Service), while his group, he claims, acts independently and is conducting a “Cyber ATO” (anti-terrorist operation) against the “terrorist and Russian aggressors” on the Internet. Furthermore, Dokukin sees Ukrainian Cyber Forces’ work as patriotic, as he believes that what they do “protect[s] Ukraine from their [Russia’s] invasion.”

It's cyber war. And we fight against web sites, e-mails, accounts of terrorists in social networks and their videos and channels on YouTube. But some of our operations [are] related to off-line, like those in June-August with SMS-spamming and call-spamming on terrorists’ phones, and especially blocking funding accounts of terrorists, which decrease possibilities of terrorists in real war.

Dokukin and Ukrainian Cyber Forces say that the goal of the Interior Ministry hack was to “find information about [the] Russian war against Ukraine.” Although a wealth of information is now available online for checking and verification, it is unclear how the Ukrainian law enforcement and security services might use this leaked ‘evidence.’ Russian officials, meanwhile, continue to deny the presence of Russian troops in Ukraine or their involvement in the conflict.