Within hours of opposition leader Alexey Navalny’s death in February in a Russian prison, a group of anti-Kremlin hackers went looking for revenge.
Using their access to a computer network tied to Russia’s prison system, the hackers plastered a photo of Navalny on the hacked prison contractor’s website, according to interviews with the hackers, screenshots and data reviewed by CNN.
“Long live Alexey Navalny!” read a message on the hacked website, accompanied by a photo of Navalny and his wife Yulia at a political rally.
In a stunning breach of security, they also appear to have stolen a database containing information on hundreds of thousands of Russian prisoners and their relatives and contacts, including, the hackers claim, data held on prisoners in the Arctic penal colony where Navalny died on February 16.
The hackers, who say they are a mix of nationalities, including Russian expatriates and Ukrainians, are sharing that data, including phone numbers and email addresses of prisoners and their relatives “in the hope that somebody can contact them and help understand what happened to Navalny,” a hacker claiming to be involved in the breach told CNN.
In addition, the hackers used their access to the Russian prison system’s online commissary, where family members buy food for inmates, to change the prices of things like noodles and canned beef to one ruble, which is roughly $0.01, according to screenshots and videos of purchases from the online store posted by the hackers.
Normally, those goods cost over $1.
It took several hours for the administrator of the online prison shop to notice that Russians were buying food for pennies, according to the hacker involved. And it would be three days before IT staff at the prison shop were able to fully shut down the hacker-provided discounts, according to the hacker’s account.
“We were watching the [access logs to the online store] and it just kept scrolling faster and faster with more and more customers making purchases,” the hacker said in an online chat while providing data to CNN corroborating that they were involved in the hack.
The hackers claim that the database contains information on about 800,000 prisoners and their relatives and contacts. A CNN review of the data found some duplicate entries in the database but that it still contains information on hundreds of thousands of people. CNN was able to match multiple prisoner names in screenshots shared by the hackers with people that, according to public records, are currently in Russian prison.
The online prison shop that the hackers appear to have breached is owned by the Russian state and officially known as JSC Kaluzhskoe, according to Russian business records reviewed by CNN. JSC Kaluzhskoe serves 34 regions in Russia.
CNN has requested comment from JSC Kaluzhskoe, Russia’s Federal Penitentiary Service (known as FSIN) and the individual website administrators that the hackers claim to have outsmarted.
On February 19, the day after the hackers defaced the website and replaced it with Navalny’s photo, JSC Kaluzhskoe posted on Russian social media platform VK that it had experienced a “technical failure” that led to the “prices for food and basic necessities” being “reflected incorrectly.”
Tom Hegel, a cybersecurity expert with experience analyzing data dumps, said the leaked data showed all signs of being authentic and that it had originated from the hacked prison shop.
The hackers “clearly had full blown access to get it all,” Hegel, who is principal threat researcher at US cybersecurity firm SentinelOne. “The amount of images captured and data provided is quite thorough.”
New chapter in hacktivism
The hacking group sent notes to administrators of the online prison shop, warning them not to take the pro-Navalny messages off the website. When the web administrators refused, the hackers retaliated by destroying one of the administrators’ computer servers, the hacker claimed.
Navalny, a charismatic political leader who railed against Russian government corruption, died in mysterious circumstances on February 16 at a prison in Yamalo-Nenets region, 1,200 miles northeast of Moscow. The US holds Russian President Vladimir Putin responsible for Navalny’s death, US President Joe Biden has said.
Politically motivated hacking, or “hacktivism,” has been rampant in the more than two years since Russia’s full-scale invasion of Ukraine. In the days following the invasion, a Ukrainian man took revenge by leaking a trove of internal data from a Russian ransomware gang showing the group’s alleged connections with Russian intelligence.
Pro-Ukraine hackers of various stripes have joined the fray, claiming responsibility for attacks on a Russian internet provider, for example, and websites that were broadcasting a high-profile Putin speech last year.
The war in Ukraine “has undoubtedly begun a new chapter in the use of hacktivism, unprecedented in its current scale,” said Hegel, the SentinelOne researcher. “Hacktivism has emerged as a powerful tool for diverse groups to express their perspectives, rally behind their nations, target perceived adversaries, and attempt to influence the trajectory of the war.”
The hack of the online prison shop came with a message from self-described Russian expatriates.
“We, IT specialists, left today’s Russia,” read a message in Russian on one of the prison shop websites, according to a screenshot of the website on February 18 reviewed by CNN. “We love our country and will return when it is free from the Putin regime. And we’ll go till the end on this path.”