How the Ukrainians discovered ‘Center 16’, the Russian espionage system
Its main task is to collect data from the online space, monitor the electronic communication of foreign countries, and carry out electronic cyber-attacks on foreign computer systems.
Russian aggression against Ukraine showed that Russian units are not “invincible” on the battlefield, that drones and unmanned aerial vehicles are the future of warfare, but also that the Kremlin has for years relied on cyber-attacks, electronic espionage and a program of mass dissemination of disinformation on the Internet.
‘Disinformation as a weapon’ is nothing new – in the Soviet Union the KGB ran institutes for the ‘falsification of history’, in which hundreds of experts worked. The media in the former USSR was, in fact, an extended arm of the Kremlin and the KGB, and it seems that things are not much different in Putin’s Russia today.
Lubyanka’s biggest secret
The Federal Security Service (FSB), the successor of the KGB, still works in the same building (colloquially called Lubyanka) as its predecessor. The neo-baroque style building, started in 1897, was completed in the “golden age” of communist rule, from 1947 to 1953. Although the era of communism has officially ended, the “hammer and sickle” can still be found on the building. After the fall of the Berlin Wall, the building housed the Border Security Administration of the Russian Federation and the KGB Museum, where various devices used by agents around the world are exhibited. Today, the main operational service of the FSB works from a larger and more modern building in the neighborhood, at Kuznetski Most 24.
In early 2012, the FSB announced that it had discovered and arrested an unnamed Russian scientist who was working on ballistic missile engine designs. He was charged and later sentenced to ten years in prison for delivering to a ‘western country’ (most likely the USA) the software that controls the thrust of a ballistic missile engine. The scientist did not know that the FSB had previously added a component to the software that, if activated outside the borders of Russia and outside its original computer system, would immediately ‘call home’; that beacon was the proof that the software had left the Plesetsky cosmodrome complex, where Russian space and rocket systems are developed. Another scientist, Aleksandar Kuranov, was also arrested last year.
Known as one of the world’s foremost experts on plasma physics and propulsion systems, he has led the development of highly advanced aircraft and hypersonic weapons for more than a decade. The FSB stated at the time that Kuranov “through contacts from Tunisia and France” provided Western countries with information on the development of the “Ayaks” system. It is also interesting that with this Russia admitted that the program really exists – since 2008, stories have been circulating in expert circles about the development of the “flying triangle” in Russia, a super-bomber that has a so-called pulse engine, can fly without a pilot, and is able to cross the entire territory of the USA in less than 45 minutes, which would mean that it flies at a speed of Mach 4.5 to 6. It is also believed that ‘Ayaks’ has a completely new ‘magnetic-dynamic’ engine, which in theory should enable it to hover in the air like a helicopter. In addition to all this, Kuranov has been the president of the Russian-American Scientific Panel for Joint Research since 2000.
The FSB, however, did not discover all this by monitoring its scientists or by ‘classical’ wiretapping. The scientists were kept ‘under the watch’ of the service for more than a year (two and a half years in the case of Kuranov), and were often given documents in digital form which appeared authentic but carried an additional ‘digital fingerprint’ hidden in their electronic records, by which they could be tracked across the Internet. That is exactly what happened – four files, called ‘HF pulse characteristics of the aircraft’, were sent by Kuranov to an e-mail address in France only an hour after he received them. At the time of Kuranov’s arrest, there was mention of a special department of the FSB called ‘Center 16’, which had monitored his activities.
In the Russian military and intelligence system, units and offices very often have official names that contain numbers, so no one paid special attention to that at the time. When Ukrainian security forces found abandoned Russian military trucks ‘BAZ 6909’ in the vicinity of Kiev in mid-March of this year, it was clear that they had made a valuable find. This truck is the carrier vehicle of the ‘Krasukha 4’ (Russian: Poison Rose) system for electronic jamming and data collection in the field. And indeed, just a few kilometers away, on the asphalt road, stood the command and operational module of the system, partially damaged by a hit from a hand-held rocket launcher. In practice, this system works in the field like ‘AWACS’ (NATO’s electronic surveillance aircraft): it is able to intercept radio communications and encrypted messages sent through the RLNS system (wireless Internet for the battlefield), and newer versions can also intercept satellite communications (either with military satellites or with civilian systems such as Iridium).
The system can also interfere with other similar systems, whether on the ground or in the air. Two laptops with FSB markings were also found inside the vehicle. One was broken, while the other was intact, still in its bag under the control system panel. It was on this laptop that Ukrainian experts found a ‘data link’ (special software) bearing an FSB logo they had never seen before – a stylized sword and shield, with a picture of the globe and the inscription ‘FSB Center 16’. The software soon stopped working – it was most likely designed to ‘self-destruct’ outside a particular computer network or environment. Nevertheless, it was the first material proof that ‘Center 16’ really exists.
A secret even for Kremlin officials
Experts believe that fewer than 20 people in the Kremlin know about the real activities and operations of “Center 16”, including Alexander Putin himself, a couple of his advisers, and several key people in the Russian security system. Such secrecy is ‘part of the design’ – the fewer people who know about such a department of the FSB and its responsibilities, the smaller the chance that information leaks outside Russia and that the country is held responsible on the international diplomatic stage. This center does not even appear in the official ‘division of work’ within the FSB – counter-terrorism, counter-intelligence, foreign information, border control and export control.
“Center 16” was created in 2010 by merging experts and parts for electronic operations from the FSB and the Foreign Intelligence Service (SVR). Its main task is to collect data from the online space, monitor the electronic communications of foreign countries (primarily NATO members), and carry out electronic cyber-attacks on foreign computer systems. In a couple of Kremlin documents, the center is called the “Department for the Collection of Electronic Data from Foreign Sources”. Several documents of Russian units, seized by Ukrainian forces, refer to this center as ‘Special Unit 71330’. Outside of these documents, it is very difficult to get details about the cyber-attacks carried out by ‘Center 16’.
Any such disclosure would, first of all, significantly compromise Russia’s diplomatic position, since Russia strongly denies any electronic cyber activity outside its borders.
In mid-August of last year, the US FBI published an indictment that for a long time was top secret within the US justice system. Officially issued by a federal court in Kansas, the indictment refers to three Russian citizens: Pavel Akulov, Marat Tijokov and Mikhail Gavrilov. They are charged with hundreds of computer attacks, theft of data and destruction of computer equipment within the US.
The indictment also charges them with cyber-attacks on 382 companies in 135 countries around the world, including Canada, France, Germany, Spain and Sweden, as well as Croatia, Hungary and Albania. They are also blamed for cyber-attacks on at least two (unnamed) nuclear power plants and one large oil refinery. Most likely, energy management systems (SCADA-E), which actually manage the nuclear reactors or oil processing pumps themselves, were attacked.
Security experts in the USA and Great Britain believe that the aforementioned lieutenant colonel Pavel Akulov is most likely the main commander within ‘Center 16’, while Mikhail Gavrilov is the main creator of software and techniques for cyber-attacks. For years, the name of Mikhail Gavrilov has been associated with another Russian service – the GRU. Together with one of the GRU cyber operations commanders, Sergey Detistov, he participated in the creation of one of the most dangerous computer viruses today, ‘NotPetya’, which attacked several electricity transmission systems around the world, as well as the oil transport system ‘Colonial’ in the middle of last year. Detistov himself is also on the US red list, and is among the fifty most wanted people in the world. The third member of ‘Center 16’, Marat Tijokov, is known in the cyber world as ‘Kn1ghtZer0’, and experts believe that he is actually the leader of the hacker group ‘Energetic Bear’, and that he is also the famous hacker ‘Dragonfly’. If the name ‘Energetic Bear’ sounds familiar, that is because the Russian services have several other similar groups of ‘hacker bears’, of which the most famous is certainly ‘Fancy Bear’.
The US agency NSA states that ‘Center 16’ has been carrying out cyber-attacks since at least 2010, but its members are known to have carried out similar activities since 2008. Since the beginning of the Russian aggression against Ukraine, the main activities of this group have been attacks on the critical infrastructure of states and its control systems (CNI, Critical National Infrastructure). The US Cyber Security Agency (CISA) states in its latest official report that ‘Center 16’ is responsible for a broad campaign of cyber-attacks on infrastructure within the US. Since the beginning of this year, a part of this unit called ‘Koala’ has attempted several attacks on the computer infrastructure of local authorities (SLTTN, State Local Tribal Territorial Network).
Both the White House and the US Department of Justice are concerned about the security of citizens’ data, especially ahead of the elections for Congress and the Senate in the fall of this year. The American agencies CIA, DHS and CISA warn of a “possibility greater than 80 percent” that Russian cyber units will try to influence and disrupt the election process itself in several ways. Most likely, this will take the form of theft of voters’ identities, in addition to the already familiar campaigns of spreading disinformation on social networks and portals. Accordingly, the American ‘Rewards for Justice’ program recently offered up to ten million dollars for any information that would lead to the arrest or extradition of one of the Russian hackers on the red warrant. Although this is unlikely in practice, if Detistov or Akulov were extradited to the US, they would face at least several consecutive life sentences, as well as tens of millions of dollars in fines. The Russian Ministry of Foreign Affairs has not yet commented on these red warrants issued for its citizens.