Atlantic Council's DFRLab on SurkovLeaks: 'Emails are authentic'
The Atlantic Council's Digital Forensic Research Lab (DFRLab) has concluded that emails reportedly linked to the Kremlin's "grey cardinal" Vladislav Surkov, which were "dumped" by a Ukrainian hacker group on Tuesday, October 25, are authentic.
"After the release of the emails, and a previous publication of a PDF file and screenshots of the inbox, there were reasons to doubt the authenticity of the hack. The Ukrainian Security Service (SBU) stated that the hacks were authentic, but this is hardly a reliable indication," DFRLab wrote in an article titled "Breaking Down the Surkov Leaks," published on Tuesday.
"However, with the publication of a nearly 1 GB Outlook database file (.PST), it is fairly clear that the emails are authentic. It is quite easy to fake screenshots, PDF documents, and other files, but faking email inboxes is quite difficult. Within the email files (.MSG files, in this instance) is header information, which shows us the 'history' of each email — where it originated, which servers it moved through, and so on," the article says.
"Every message in the .PST database released by 'Cyber Hunta' — 2,337 in total — contains the same type of header information. It is possible that these headers were forged (though it would be fairly difficult to do it convincingly with every email), thus we should also authenticate the data by cross-referencing data points. Often, we can tell when leaked data is fake based on there only being screenshots available, or the majority of the information in the hacks is explosive without boring day-to-day emails. Nearly all genuine hacks have an extremely high 'uninteresting : interesting' ratio. In other words, political officials' inboxes look much like the average person's work inbox: full of boring information, schedules, routine briefings, and with only a handful of incriminating or scandalous emails," DFRLab said.
"We can verify nearly every bit of information in Surkov's inbox," it concluded.
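The header check DFRLab describes, as an added illustration that is not part of the article or of DFRLab's own tooling: each relay prepends a Received header, so a genuine message carries a chain in which every hop's "by" host is the next hop's "from" host and timestamps never run backwards. The sample message, hostnames and addresses below are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample message; hostnames and addresses are placeholders, not from the leak.
SAMPLE_RAW = """\
Received: from mx-in.recipient.test (mx-in.recipient.test [192.0.2.30])
 by mailbox.recipient.test with ESMTP; Tue, 13 May 2014 10:02:11 +0400
Received: from relay.sender.test (relay.sender.test [198.51.100.7])
 by mx-in.recipient.test with ESMTP; Tue, 13 May 2014 10:02:05 +0400
Received: from workstation.sender.test ([203.0.113.9])
 by relay.sender.test with ESMTPA; Tue, 13 May 2014 10:01:58 +0400
Date: Tue, 13 May 2014 10:01:50 +0400
From: someone@sender.test
To: recipient@recipient.test
Subject: constructed example

body
"""

def received_hops(raw):
    """Return hops oldest-first as (from_host, by_host, timestamp).
    Relays prepend Received headers, so the bottom header is the origin."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # collapse folded whitespace
        src = re.search(r"\bfrom\s+(\S+)", value)
        dst = re.search(r"\bby\s+(\S+)", value)
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        hops.append((src.group(1).rstrip(";,") if src else None,
                     dst.group(1).rstrip(";,") if dst else None, stamp))
    return hops

def check_chain(raw):
    """Return a list of inconsistencies; an empty list means the chain is coherent."""
    findings = []
    hops = received_hops(raw)
    msg = message_from_string(raw, policy=policy.default)
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    for i, (src, dst, stamp) in enumerate(hops):
        if i > 0:
            prev_dst, prev_stamp = hops[i - 1][1], hops[i - 1][2]
            if src != prev_dst:
                findings.append(f"hop {i}: received from {src}, but previous relay was {prev_dst}")
            if stamp < prev_stamp:
                findings.append(f"hop {i}: timestamp {stamp} earlier than previous hop {prev_stamp}")
        if sent and stamp < sent:
            findings.append(f"hop {i}: relayed at {stamp} before Date header {sent}")
    return findings

# Same message with one relay name altered, to show a broken chain being flagged.
SAMPLE_TAMPERED = SAMPLE_RAW.replace("by mx-in.recipient.test", "by mx-other.recipient.test")
```

Run over every .MSG exported from a mailbox, a single inconsistent chain is worth a look, while thousands of coherent ones are the kind of evidence the article relies on.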
The emails contain commercial information like Russian owners' stakes in Donbas-based plants and factories, scans of the passports of Surkov and his family members with Schengen visas, insights into the Russian Federation's media interests with lists of loyal journalists, bloggers, and public figures in Ukraine, as well as casualty lists of the self-proclaimed Donetsk People's Republic (DPR), a DPR expense list and a list of nominees for a DPR government.
"On May 13, 2014, Surkov was sent a PDF from a worker at the Marshall Group. This organization was founded by Konstantin Malofeev, a quite rich and even more notorious Russian ultra-nationalist who has been accused by the United States and European Union of being a key financer and supporter of pro-Russian separatists in eastern Ukraine. The attached PDF contained a list of candidates for the government of the Donetsk People's Republic, including the Speaker of the People's Soviet ([Denis] Pushilin), Ministry of Defense (Igor 'Strelkov' Girkin), and other key officials. At the bottom of the document, a note says that the individuals with asterisks next to their name were 'checked by us' and are 'especially recommended.' These individuals included Aleksandr Zakharchenko, who is mentioned as under consideration for the role of Prime Minister. Eventually, this came true, and Zakharchenko was 'elected' to the job," DFRLab wrote.
The SurkovLeaks emails shared with the public are dated 2013 through 2014, while those for the period of 2015-2016 have been sent to the SBU for examination and further analysis, according to InformNapalm, an international OSINT community.