The hacking of the computer network of the General Radio Frequency Center (GRFC), carried out by the Belarusian hacker group Cyberpartisans, resulted in the largest document leak in the history of Roskomnadzor (the GRFC is its division). The documents obtained by hackers show how the Russian media regulator has transformed from a supervisory body into a censorship agency and what it plans to do next
This is a translation of a material by The Agency. You can read the original here
For Natalia Snopkova, a specialist of the Media Monitoring Department of the GRFC, the morning of December 17, 2020 began with an important message. She wrote to her colleagues: «In accordance with the previously established agreement, please provide information on the possibility of restricting access or applying other regulations to The Project and Open Media by 13:00 (Moscow time) on December 17.»
Two hours later Alexei Kulaev, head of one of the departments of the GRFC, suggested a possible solution. His letter stated that the media in question were allegedly disseminating prohibited information by mentioning suicide techniques. In the case of The Project, Kulaev found such violations of the law in two of its pieces: a guide to Lefortovo Prison titled «Prison of Nations» and an article titled «Toxic Atmosphere«. Kulaev did not provide any details as to how exactly, in his opinion, the law was violated in these pieces. However, we can suppose what exactly the officials were going to pick on.
The «Prison of Nations» article mentions the suicide of Interior Ministry General Boris Kolesnikov, who in 2014 was accused of organizing a criminal association. When he was taken to the Investigative Committee for questioning, he jumped out of a window on the sixth floor and died. This fragment could be interpreted as a description of a suicide method. There was a hitch, though. This article by The Project was based on the official statement of the Investigative Committee, which claimed that Kolesnikov had jumped from a balcony, and this statement was spread by state agencies and other media outlets.
It is unclear how that discussion ended: in the hacked archive, the email chain interrupts after Kulaev’s letter. A few months later, however, officials returned to the subject of blocking. In an email chain dated March 26, 2021, Roskomnadzor and GRFC officials discussed the possibility of blocking six different websites. In addition to The Project and Open Media, the list included Meduza, iStories, The Insider, and Alexei Navalny’s Anti-Corruption Foundation (ACF). Once again, they discussed the possibility of restricting access to these websites for disseminating information about suicide techniques. In the case of The Project, the same two pieces were cited as the reason. It was only in the case of the ACF that the officials could not find anything to pick on.
In the end, the website of The Project got blocked only on 28 October 2021, but not at all for mentions of suicide. The official reason for the blocking was «distribution of materials from an organization recognized as undesirable in Russia» (The Project received this status on July 15, 2021). However, the leaked emails make it clear that the blocking was not a punishment for any specific violation, but rather the regulator executing an order to restrict access to an unwanted media outlet. So, practically, this was an act of censorship.
Two Terabyte Leak
The correspondence between Roskomnadzor employees on the subject The Project is only a fraction of the agency’s internal documents that the Belarusian hacker group Cyberpartisans gained access to. In total, hackers downloaded over two terabytes of data, which they reported in November: «We have hacked the GRFC’s internal network, downloaded all documents and email correspondence of their employees and all data from their surveillance systems, and encrypted their workstations». The GRFC, which monitors violations of the law on the Internet and is responsible for blockings and the operation of the «sovereign Runet,» admitted the cyber attack, but described the situation as «manageable». In late December, the Cyberpartisans granted access to the leaked data to several teams of investigative journalists at once. Among them was the editorial board of The Agency.
The documents disclosed by the hackers lift the veil of secrecy surrounding the work of the agency for years. Roskomnadzor has become one of the main pillars of the incumbent government alongside propaganda. In December 2022, the European Union imposed sanctions on Roskomnadzor for censorship and restricting access to information.
The Russian government identified the regulator’s main tasks as controlling compliance with media and telecommunications laws, managing the Russian segment of the Internet, monitoring the web for violations of the law, and protecting children from «harmful» information. However, leaked internal documents of Roskomnadzor show that the real tasks of this agency seriously diverge from the declared ones: it searches for information about Putin’s health, protects the interests of Yevgeny Prigozhin, founder of the Wagner PMC, and the wife of Presidential Spokesman Dmitry Peskov, and even intends to create its own bot farm.
The most important thing, however, is that this leak reveals the true extent of censorship on the Russian segment of the Internet. According to internal documents of Roskomnadzor, during the first 9.5 months of the war in Ukraine, the Russian authorities had deleted 150 thousand posts on social networks. In total, the agency had found 169 thousand instances of «misinformation» and 40 thousand calls for protests, which, according to the authorities, violate the law. This is stated in the document titled «The results of the work to counter attempts to destabilize Russian society in the context of the special military operation on the territory of Ukraine».
The scale of the cleanup of the Runet could have been larger, but not all platforms are following Roskomnadzor’s requirements unconditionally. In this document, the regulator complains that YouTube and Telegram ignore some of their requests: «We have noticed the refusal by the YouTube and Telegram platforms to remove prohibited information». According to Roskomnadzor, more than 28,600 pieces of prohibited content with an audience of 61.4 million users remain available on the video service. In particular, YouTube did not remove calls for anti-war protests (including those made by the supporters of Alexei Navalny), data about killed, wounded, and captive Russian soldiers, as well as videos about the killings of civilians in Ukraine and bombings of Ukrainian cities. In the document, Roskomnadzor calls all of this «misinformation».
The officials report that there is «a number of major channels on Telegram that systematically spread misleading information, as well as information aimed at discrediting the actions of the Russian Armed Forces,». The regulator has counted about 52.4 thousand of such materials on the messenger published in channels with a total audience of 38.7 million users.
If you add up the data on the audience of the content that Roskomnadzor wants to block on Telegram and YouTube, you get a gigantic figure of 100 million users. This is the audience that Roskomnadzor wants to deny access to the information it considers prohibited and «misleading».
The same report contains a list of media blocked in Russia. These include 72 Russian media outlets, 23 foreign media, and more than 630 Ukrainian online resources. Roskomnadzor also blocked access to 262 websites of Ukrainian TV and radio stations in the DPR, LPR, and Kherson and Zaporizhzhia oblasts. A total of 3.5 thousand resources with ad banners and criticism of the war were blocked, with a combined audience of 485.8 million visits per month. Finally, Roskomnadzor forwarded materials «regarding 182 federal and regional opinion leaders, as well as the channels and social network pages of various communities,» to the police.
Who Does Roskomnadzor Monitor?
Roskomnadzor has been monitoring protest sentiments on social networks on a regular basis since at least 2019. Officials assess the discontent with the authorities based on the posts of well-known journalists, bloggers, and analysts, including Alexander Plyushchev, Ruslan Leviev, and Mark Feigin. But instead of being thanked for their work in conveying the protest agenda to Roskomnadzor, these journalists and bloggers get labeled as «foreign agents» one after another.
Every report compiled by the GRFC staff consists of two parts: federal and regional. The reports cite posts both critical and supportive of the authorities. For each post, the officials give a rough estimate of the audience of all posts on its topic. The calculation methodology is not explained, but it follows from the reports that the number of readers or viewers is estimated not by a single post, but by a set of posts united by a single topic; a news story includes from 2-3 to 8-10 posts. The usual audience ranges from 4-5 million to 10 million or more people for federal stories, and from a few tens of thousands to 1-1.5 million for regional stories.
Since the start of the war, federal reports almost constantly quote military correspondent Yuri Kotenok, Komsomolskaya Pravda journalist Dmitry Smirnov, Rybar Telegram channel, and Readovka and Tsargrad media outlets as pro-government sources. Opposition agenda is studied through the publications of lawyer and video-blogger Mark Feygin, journalists Alexander Nevzorov and Yuri Dud, YouTube channel «Navalny Live», Alexei Navalny’s associates Lyubov Sobol and Kira Yarmysh, founder of Conflict Intelligence Team Ruslan Leviev, and journalist Alexander Plushchev. The reports make many references to journalists Alexei Venediktov, Dmitry Kolezev, Kirill Shulika and Elizaveta Lazerson, as well as publicist Stanislav Belkovsky. All of them (except for the last three) were recognized as «foreign agents» in Russia in 2022, some were put on the wanted list, and Nevzorov was sentenced in absentia to 8 years in prison. Economists Sergei Guriev, Konstantin Sonin, and Vladimir Milov (also recognized as a «foreign agent» and wanted) are mentioned in the reviews as opposition sources.
Major independent media outlets, such as the BBC Russian Service, Meduza, Radio Liberty, The Insider, Alexey Pivovarov’s YouTube channel Redakciya and DOXA, are referred to as «anti-Russian» in the reports.
Former Ukrainian presidential office advisor Oleksiy Arestovich, advisor to the head of the presidential office Mikhail Podolyak and journalist Anatoliy Shariy are the most common Ukrainian sources appearing in Roskomnadzor’s reports.
The analysis of eight monitoring reports, made in March, April, May, June, October and November 2022, carried out by The Agency, showed that by the fall the number of critical comments in the regional part of the report increased by 2-3 times as compared to the spring and summer levels. The March 28 report contained 21 negative statements about authorities; on April 9, Roskomnadzor counted 15 such posts and comments. The October 27 report contained 45 critical statements, and the November 1 report contained 44. It is not clear from the documents whether the increase in the number of critical publications in the reports is related to the growth of discontent in the country or caused by a change in the methodology of the reports.
By the fall, the subject matter of the reports had also changed. In the spring and summer, 25-30 percent of negative comments contained criticism of insufficient support for Ukrainian refugees in Russia and lack of aid to the Donbass. In October and November, the share of such statements fell sharply and the main subject of criticism shifted to the mobilization — both the draft itself and the quality of training of the reservists. In the October 27 review, 32 out of 45 negative comments were devoted to this topic, and on November 1, it was 27 out of 44.
Dossiers on Journalists and Media
Roskomnadzor not only closely monitors the publications of independent journalists and media, it also keeps secret dossiers on them. The Agency managed to find references to 30 people and 20 media outlets in the database of internal documents of Roskomnadzor published by the Cyberpartisans.
Most of the profiles were compiled in 2022, and only a few in 2021. Roskomnadzor is only interested in independent media, journalists working for them and economists, political scientists, scientists and public figures cooperating with them.
The dossier for each journalist consists of a brief biography, a list of their publications and links to their personal accounts on social networks. The dossiers on media outlets contain data on their owners, creators and employees, links to their articles, an overview of their social media activity, as well as a list of projects related to these outlets. In addition, in each document, one can find information about whether the author or media outlet used materials by «foreign agents» or whether it was cited by «foreign agents».
The Agency was able to find the dossiers on 17 journalists: Roman Badanin, Maxim Glikin, Maria Zholobova, Taisia Bekbulatova, Ilya Rozhdestvensky, Yulia Yarosh, Kirill Kharatyan, Boris Safronov, Philip Sterkin, Alexander Gubsky, Michael Nacke, Nino Rosebashvili, Kirill Martynov, Grigory Shvedov, Alexei Venediktov, Lilia Yapparova and Arthur Asafyev.
The Roskomnadzor database also contains dossiers on Activatica founder Yevgeniya Chirikova and her husband Mikhail Matveev; Dissernet founders Andrei Zayakin and Mikhail Gelfand; human rights activist and historian Andrei Lukashevsky; political scientist Dmitri Oreshkin, cartoonist Sergei Yolkin; public figures Mikhail Khodorkovsky, Yevgeny Roizman and Denis Karagodin; businessman and blogger Alfred Koch; economist Konstantin Sonin; and Dmitri Permyakov, an appellee and assistant to politician Lev Shlosberg.
The independent media outlets that have dossiers on them include Meduza, The Project, The Agency, iStories, Sluzhba Podderzhki, Mozhem Obyasnit, ChTD, Sirena, YouTube channel Khodorkovsky LIVE, Repost, Sota, Novaya Gazeta — Europe, Kholod, VTimes, The Bell, First Anti-Corruption Media, Kavkazsky Uzel, Republic, as well as Echo Moskvy and Open Media, which have been shut down.
Two journalists and a lawyer who were recognized as «foreign agents» told The Agency that these are the certificates the Ministry of Justice presents to the courts, where «foreign agents» appeal their status. Some journalists, public figures and media outlets from the Roskomnadzor database were included in the «foreign agents» register after 2021 and became subjects of criminal cases.
Guarding Putin’s Health
Roskomnadzor also has another object for close attention. The regulator monitors posts about Vladimir Putin’s health on a daily basis, and puts all found publications into tables.
Among the internal Roskomnadzor documents released by the hackers were several dozen Excel spreadsheets with the same title «The critical health status of Russian President Vladimir Putin». The documents were created between April and October 2022. Each table contains posts about the president’s health made on a specific day. Each review includes from 50 to 1,400 posts and comments on social networks with links to them. Most of the posts were made OK.ru, VK.com and Telegram. Some of the messages included in the monitoring are not related to the health of the head of state. Instead, these are paraphrases of his statements on the topic of medicine or news about Putin handing out awards to doctors.
The number of posts in the reports strongly depends on the news agenda. The discussion of the president’s illnesses usually intensifies after reports on this topic by major media outlets or popular bloggers. For example, on April 27, 9 of 153 posts in the report were devoted to the fact that Putin «limped and grimaced» at a meeting with UN Secretary General António Guterres. The Sun wrote about it after the meeting.
The May 22, 2022 report includes 594 posts. Almost all are posts about Putin having cancer. Most are links to an interview given by political scientist Valery Solovey, who claimed that the president was suffering from cancer. Putin’s cancer is virtually the only topic of the June 1 monitoring, which consists of 1,360 posts. About half of them are links to videos on the YouTube channel «Deceived Russian», on which the topic is discussed.
Roskomnadzor’s October reports include posts about Putin suffering from schizophrenia. In the reports from October 9 and 15, there were three and five posts respectively about the president suffering from dementia.
In the fall, Roskomnadzor monitored another topic in a similar way: mobilization. Among the documents published by the Belarusian hackers is a table titled «Mobilization Monitoring Report». The table contains almost 1,700 posts and comments written on October 15 and 16, 2022, mostly on VK.com and Telegram. Next to each post is the nickname of its authore, but it is not specified whether the nickname matches their real name or not.
Most of the posts in the October 15-16 report contained criticism of the mobilization and its implementation. There are very few posts by loyalists, most of them are either similar posts about the two-hour crucession held on October 15 in the town of Nesterov in the Kaliningrad Obast in support of conscription of reservists (the posts say that Russia is at war «with the satanic force»), or similar posts saying that «we cannot leave our Motherland in danger».
The main topics of the critics of mobilization were the roundups of men fit for military service and the increase in the number of weddings after the announcement of the draft. In addition, the murder of 11 people at a shooting range in the Belgorod Oblast (this tragedy happened on the very day of the report) and other mobilization-related incidents, such as deaths of reservists and mass fights of draftees, were also discussed. The monitoring also included dozens of posts about men trying to get exempted from the draft by enrolling at the Synergy University and about the difficulties faced by citizens leaving Russia.
Helping Navka, Prigozhin and “Goblin”
Roskomnadzor sent hundreds of letters to foreign social networks demanding that they cancel the blocking of Russian accounts and posts. The agency stood up not only for officials or government agencies, but also for individuals close to the government. Among the leaked documents, The Agency found a list of accounts that Roskomnadzor was in correspondence with Facebook, Google and Twitter about in 2020-2022. The list includes a total of 245 names and titles.
Among the individuals that the agency has come to the rescue is figure skater and spouse of presidential press secretary Tatyana Navka. In January 2021, Instagram restricted access to her stories criticizing the rallies in support of Alexei Navalny. Roskomnadzor filed a complaint with Facebook despite having very little chance of getting the content unblocked, since Instagram stories disappear 24 hours after publication. The social network responded to officials that the reason for the punitive measures was «potentially inappropriate content.»
In 2021, Roskomnadzor demanded from the social networks to unblock the accounts of the founder of the Wagner PMC Yevgeny Prigozhin and writer Zakhar Prilepin. Prigozhin was blocked on Facebook and Twitter, while Prilepin was blocked on Instagram and Facebook. Only Facebook unblocked Prilepin’s page. In other cases, the accounts remained blocked. Roskomnadzor tried to remove restrictions from the Facebook page of Prigozhin-affiliated news agency RIA FAN, but did not succeed in doing so either. However, the regulator has only officially reported that it demanded that Facebook unblock the writer’s Instagram when he was running for the State Duma elections in 2021.
Roskomnadzor also unsuccessfully sought to unblock the YouTube channels of propagandist Tigran Keosayan, blogger Dmitry «Goblin» Puchkov and the Twitter account of comedian Semyon Slepakov. According to the document, only Twitter responded regarding Slepakov’s account, claiming «a violation of the rules of the service.» The media wrote that the comedian’s account was blocked in January 2021 after he posted a poem criticizing the protests in support of Alexei Navalny.
In 2020, Roskomnadzor managed to temporarily unblock the account of the Tsargrad TV channel on YouTube. However, it has now become inaccessible again.
Other non-state media outlets that Russian officials had vainly defended before social networks include the YouTube channel of RBC (now inaccessible) and the Facebook accounts of Lenta.Ru and Gazeta.Ru. On the day of Russia’s invasion of Ukraine, the social network began marking the posts of these two outlets as misleading and restricted them in its search results. On the same day, Roskomnadzor promptly demanded that the U.S. company lift the restrictions. The request was ignored, and in March, when Facebook got blocked in Russia, Lenta.Ru and Gazeta.Ru themselves stopped updating their pages there.
Roskomnadzor tried to get social networks to restore the accounts of some officials and State Duma deputies, such as head of Chechnya Ramzan Kadyrov (Instagram), deputies Vitaly Milonov (TikTok), Yevgeny Popov and Leonid Slutsky (YouTube), governor of the Samara Oblast Dmitry Azarov (Instagram), head of Crimea Sergey Aksenov (YouTube) and former head of Roscosmos Dmitry Rogozin (Facebook). It managed to restore access to two accounts of State Duma deputies — Vitaly Milonov’s TikTok account and the Twitter account of TV presenter Yevgeny Popov.
It also follows from the document that Roskomnadzor demanded in vain from the social networks to cancel the blocking of accounts of a number of RT structures, Sputnik, RIA Novosti and Baltnews news agencies, Zvezda TV channel, the movie «Crimea. The Way Home,» as well as propagandists Anton Krasovsky and Vladimir Solovyov.
Censorship Plans
The Roskomnadzor leak also revealed some of the agency’s plans. This year, the service, together with GRFC, plans to launch a bot farm, which has been given the official name «Automated System ‘Clean Internet'». This is one of the few documented cases of bot farming for budget money.
Roskomnadzor and the GRFC approved the development plan and the summary of the project, which officials explicitly call «bot farm» in their documents, back in the middle of 2022. Roskomnadzor documents say that the bot farm should start operating in May 2023. The documents list GRFC employee Denis Kasimov as the customer, Deputy Head of Roskomnadzor Vadim Subbotin as the curator and head of one of the departments of GRFC Vladislav Kovalev as the supervisor.
The summary of the system explains that a bot farm is «a hardware-software system for automated creation and maintenance of social network accounts,» and a bot account is «a program that performs some actions automatically and/or on a predefined schedule, and has some resemblance to a real person in these actions.
Roskomnadzor and the GRFC explain: they need the bot farm in order to spend less time registering social network accounts, to promptly publish posts and comments, and to keep all of their accounts in one place. One of the main objectives of the «Clean Internet» system is «to fill created accounts with content to simulate user activity (photos, posts, personal data, and more).»
The farm has to work in such a way that the bots will successfully pass a check when joining closed groups and communities. The system will generate unique IP addresses for each bot account, as well as set limits on the number of friends, reposts, likes, and group joins for them. According to Roskomnadzor documents, the bots must behave in such a way that their lifespan in public communities is at least three months, and at least one month in closed ones.
In order for the bot farm to work successfully, Roskomnadzor and the GRFC are developing special programs required to monitor the activity of users of social networks and media articles. The Agency has learned from the documents published by the Cyberpartisans that one of these systems is called «Vepr». Its task is to quickly find what the GRFC called «informational tension points (ITPs)» on the Internet. The GRFC began developing the system in 2021, and there is no information in the documents available to The Agency about when the project should launch.
«Vepr» should detect the primary source of an information event, estimate the size of the audience and be able to make predictions about how the discussion of this topic on the Internet will develop further. The system should build «tension graphs» of POIs and show whether the heat of the discussion rises or falls. The «Vepr» operator must see on their computer screen which main sources form the «tension point», whether the discussion participants violate the law and whether they publish prohibited information. Ultimately, the GRFC should use this system to assess «the potential (of the ITP) to grow into a threat to information security» and transmit «data on the identified information to the authorized bodies».
Roskomnadzor’s archives contain a list of 101 topics: from «military misinformation» to financing of the AFU, from the use of VPNs to LGBT+ and from the activities of NGOs and foreign and independent media to «insults to the President».
Among Roskomnadzor’s other plans is to block the Samizdat app, which brings together Russia’s top investigators. The regulator’s memo regarding the app says: «It is proposed to send a request to the Prosecutor General’s Office of Russia to form a separate request to permanently block the Samizdat app.» The document does not specify for whom this memo was created.
The Samizdat app was launched by four media outlets — The Project, iStories, The Insider, Bellingcat, and Alexei Navalny’s team — so that readers from Russia could read investigations without a VPN (read more). All four participating media outlets have been declared «undesirable organizations» by Russian authorities, while Navalny’s Anti-Corruption Foundation has been declared an «extremist organization».
While preparing this piece, The Agency made an inquiry to Roskomnadzor, but received no response.
Нас нельзя запугать, но нам можно помочь
Поддержать «Агентство»