Today, a Ukrainian hacker group called “Cyber Hunta” released a cache of emails linked to the Kremlin’s “grey cardinal” — Vladislav Surkov. This political operative is well known in the West as the creator of Russia’s “sovereign democracy” and has been the point-man for Russia’s management, and sometimes direct control, of the so-called states of South Ossetia, Abkhazia, and the self-declared Donetsk and Luhansk People’s Republics.

The hacked inbox was for prm_surkova@gov.ru, which was handled by his secretaries or assistants, including a “Masha” (Mariya) and “Yevgenia” (last names unclear). The majority of the emails are briefings from Surkov’s assistants, such as Aleksandr Pavlov. Some of these briefings include:

— “Information about the current internal political developments in the Republic of Abkhazia, Republic of South Ossetia, Ukraine, and the Republic of Moldova”

— “Ukraine: a calendar of announced events”

— Weekly briefing: “current picture of the situation in Ukraine”

— Weekly briefing: “Abkhazia and South Ossetia: events of the day, that have caught public attention”

However, there are also some revealing pieces of information buried under piles of minutiae, including a list of casualties in the Donbass sent by a high-ranking separatist official, expense reports for a government office in Donetsk, and requests for edits to documents that would later be published under the guise of independent individuals.

Authenticity

After the release of the emails, and an earlier publication of a PDF file and screenshots of the inbox, there were reasons to doubt the authenticity of the hack. The Ukrainian Security Service (SBU) stated that the hacks were authentic, but this is hardly a reliable indication. However, with the publication of a nearly 1 GB Outlook data file (.PST), including the inbox, outbox, drafts, deleted email, spam, etc., it is fairly clear that the emails are authentic. It is easy to fake screenshots, PDF documents, and other files, but faking an entire email inbox is quite difficult. Within the email files (.MSG files, in this instance) is header information, which shows us the “history” of each email — where it originated, which servers it moved through, and so on. An email selected at random, sent from A.A. Durdyeva to Surkov and a few other email addresses, contains the following header information:

Return-path: <Durdyeva_AA@gov.ru>
Envelope-to: prm_surkova@gov.ru
Delivery-date: Fri, 30 May 2014 10:03:55 +0400
Received: from [95.173.128.181] (helo=DurdyevaAAPC)
    by ipaccess.gov.ru with esmtp (Exim 4.80.1 (FreeBSD))
    (envelope-from <Durdyeva_AA@gov.ru>)
    id 1WqFv0-0004qY-LI; Fri, 30 May 2014 10:03:54 +0400
From: =?koi8-r?B?5NXSxNnF18Eg4S7hLg==?= <Durdyeva_AA@gov.ru>
To: <prm_surkova@gov.ru>
Cc: <prm_govoruna@gov.ru>,
    =?koi8-r?B?J+3Bzc/Oz9cg7cnIwcnMJw==?= <mamonov2004@yandex.ru>,
    <abbatnoehl@gmail.com>,
    "'Pavel Laptev'" <paulmira@mail.ru>
Subject: =?koi8-r?B?z8Laz9LZ?=
Date: Fri, 30 May 2014 10:03:54 +0400
Message-ID: <000601cf7bcc$eff3f080$cfdbd180$@gov.ru>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0007_01CF7BEE.770605B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac97zLXyNKravgPbQx2NbBoD8rjV/A==
Content-Language: ru
X-Virus-Scanned: Antivirus engine

Every message in the .PST database released by “Cyber Hunta” — 2,337 in total — contains the same type of header information. It is possible that these headers were forged (though it would be fairly difficult to do convincingly for every email), so we should also authenticate the data by cross-referencing data points. Often, we can tell that leaked data is fake when only screenshots are available, or when most of the material is explosive with none of the boring day-to-day emails. Nearly all genuine hacks have an extremely high ratio of uninteresting to interesting content. In other words, political officials’ inboxes look much like the average person’s work inbox: full of boring information, schedules, and routine briefings, with only a handful of incriminating or scandalous emails.
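As an added example that is not part of the original article, the header quoted above parsed with Python's standard library: it decodes the koi8-r encoded words (the Cyrillic sender name and subject hidden in base64), extracts the Received hop, and runs the kind of internal consistency checks used when assessing whether a leaked message holds together. The header text is reconstructed from the lines above; the check names are my own.

```python
# Added example, not from the article: parse the header quoted above (reconstructed
# from the article's dump), decode its RFC 2047 words (base64 over koi8-r), extract
# the Received hop and cross-check the fields an analyst compares in a leaked message.
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parsedate_to_datetime

RAW_HEADER = """\
Return-path: <Durdyeva_AA@gov.ru>
Delivery-date: Fri, 30 May 2014 10:03:55 +0400
Received: from [95.173.128.181] (helo=DurdyevaAAPC)
    by ipaccess.gov.ru with esmtp (Exim 4.80.1 (FreeBSD))
    (envelope-from <Durdyeva_AA@gov.ru>)
    id 1WqFv0-0004qY-LI; Fri, 30 May 2014 10:03:54 +0400
From: =?koi8-r?B?5NXSxNnF18Eg4S7hLg==?= <Durdyeva_AA@gov.ru>
Subject: =?koi8-r?B?z8Laz9LZ?=
Date: Fri, 30 May 2014 10:03:54 +0400
Message-ID: <000601cf7bcc$eff3f080$cfdbd180$@gov.ru>

"""

def decode_words(value):
    """Render an RFC 2047 encoded header as readable text (here Cyrillic)."""
    return str(make_header(decode_header(value)))

def parse_received(value):
    """Split an Exim-style Received header into client IP, HELO, MTA, software, time."""
    meta, _, date = value.rpartition(";")
    hop = re.search(r"from \[(?P<ip>[\d.]+)\] \(helo=(?P<helo>[^)]+)\)\s+by (?P<by>\S+)", meta)
    mta = re.search(r"with \S+ \((?P<mta>.+?)\)\s+\(envelope-from <(?P<env_from>[^>]+)>", meta, re.S)
    return {**hop.groupdict(), **mta.groupdict(), "when": parsedate_to_datetime(date.strip())}

def check_message(raw):
    """Cross-check sender identity, Message-ID domain and the Date/Received/Delivery timeline."""
    msg = message_from_string(raw)
    hop = parse_received(msg["Received"])
    sent = parsedate_to_datetime(msg["Date"])                 # written by the client
    delivered = parsedate_to_datetime(msg["Delivery-date"])   # written by the receiving MTA
    sender = re.search(r"<([^>]+)>", msg["From"]).group(1)
    return {
        "from": decode_words(msg["From"]),
        "subject": decode_words(msg["Subject"]),
        "hop": hop,
        # Return-path, SMTP envelope sender and the From header should all agree.
        "sender_consistent": msg["Return-path"].strip("<>") == hop["env_from"] == sender,
        # Outlook ends its Message-IDs with $@<sender domain>; a mismatch would stand out.
        "msgid_domain_ok": msg["Message-ID"].rstrip(">").rsplit("@", 1)[1] == sender.split("@")[1],
        "timeline_plausible": sent <= hop["when"] <= delivered,
        "transit_seconds": (delivered - sent).total_seconds(),
    }
```

On this header the sender name decodes to "Дурдыева А.А." and the subject to "обзоры" (briefings), and the client Date, Exim receipt time and Delivery-date sit one second apart, which is what a genuine internal gov.ru message looks like.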

We can verify nearly every bit of information in Surkov’s inbox. For example, on July 23, 2014, Surkov received an invitation to an art exhibit in Moscow called “The New International,” at the Garage Museum of Contemporary Art.

Screenshot of the invitation received by Surkov on July 23, 2014 to an art exhibit.

Email inviting Surkov (and one other guest) to an art exhibit for July 31, 2014.

This exhibit really did take place, and the email seems authentic, judging by the email header and included information.

Photograph from Vogue.ru at the art exhibit “The New International” at the Garage museum, as detailed in the invitation to Surkov.

This is only one detail among thousands in the email archive, but it shows that even inconsequential details with no geopolitical significance can be corroborated against real events with basic digital forensics. A more conclusive confirmation of the hack’s authenticity will likely appear in the coming days, but initial indications point to the emails — or, at least, the vast majority of them — being real.

Findings

Nearly every email in the leak is insignificant, and thus far no one has found a “grand slam” email that would rock the Kremlin to its core. This alone helps lend credibility to the emails’ authenticity. The majority of emails are copy/pasted information from news articles, brief summaries of the current situations in South Ossetia, Abkhazia, Moldova, and Ukraine, and emails related to business development in Russia. However, there are some extremely interesting pieces of information if you are willing to suffer through hundreds of weekly briefings.

Casualty list from Denis Pushilin

On June 14, 2014, Denis Pushilin — former Chairman of the People’s Soviet of the (self-declared) Donetsk People’s Republic — sent an email to Surkov and others that included a document listing casualties from May 26 to June 6, 2014.