Red Hot Cyber


Herm1t Interview – From VX Heaven to the war gates!

Alessio Stefan : 4 November 2024 07:30

This is the story of Herm1t, founder of VX-Heaven, hacker – active in protecting Ukraine since 2014 – and founder of RUH8 in fall 2015, told by means of an interview that sought to focus on his history, values and goals, while also trying to understand the most important elements that distinguish the ongoing cyber war between Russia and Ukraine.

In our interview with Smelly, founder of VX-Underground, we explored a world committed to openly sharing as much malware-related data as possible. By amassing samples, papers, and articles into a centralised library, VX-Underground builds upon the legacy of VX-Heaven, founded in the late 90s and managed by Herm1t as a platform that provided free access to malware for research purposes. 

However, in 2012 VX-Heaven suffered a shutdown and seizure of its servers by Ukrainian law enforcement, sparking a full-blown insurrection among the site’s users. On Facebook, for example, a fundraising campaign was carried out to finance Herm1t’s legal fees. That campaign was titled “Saving Private Herm1t” and was joined by many security researchers globally.


    According to what Herm1t tells us, VX-Heaven’s fate was driven not only by an unwarranted fear of the malware world but was also a consequence of his refusal to cooperate with the (then new) Ukrainian counterintelligence authority called DKIB SBU. In 2013 VX-Heaven managed to come back online, and the site kept working until 2018. In the meantime, 2014 brought another event poised to mark Herm1t’s career: the war in Donbass.

    To counter Russian-originated attacks, Herm1t became active in the cyber war between the two countries and, together with others, independently decided to help their state, Ukraine, by successfully executing law enforcement attacks such as compromising and leaking the emails of Aleksey Karyakin (head of the so-called “people’s council” of the Lugansk People’s Republic). After just over a year of activity, in 2015 Herm1t founded the group RUH8, in which he called himself a “press secretary” (each member had a title from the corporate world, as satire of that environment).

    In spring 2016, the Ukrainian Cyber Alliance (UCA) was born, bringing together several groups including Trinity, FalconsFlame, and later RUH8, with the sole purpose of actively challenging Russian cyber activities. The list of their operations is easily found on their Wikipedia page. One of the most recent attacks, in 2023, was aimed at completely dismantling the Trigona ransomware-as-a-service (RaaS). In this case UCA managed to penetrate and take total control of the entire RaaS infrastructure and, through a leak, obtained wallet addresses, malware source code, internal database records, and much more.

    Today, Herm1t makes it clear to us that RUH8 is dealing “with an external enemy who wants to literally invade” their country, “carry out genocide, through extrajudicial executions, torture, and forced deportations to crush the will for freedom.” RUH8 members are in effect “cyberwar partisans,” however, “because war and politics are inextricably linked,” one of their actions has become a classic example of hacktivism: they called it “Fuck Responsible Disclosure”.

    We thank Herm1t for his pioneering work in malware research, his values, and his time for this interview.

    Interview – Letter from Kyiv

    RHC: Let’s start with your personal story: how did you get into the world of computers? What was your first computer and how did your curiosity for the world of information security arise?

    Herm1t: The way I got acquainted with computers is fairly typical for kids of the ’80s. My father told me about personal computers when I was five, and they were very different from the mainframes of the ’70s that he had encountered in university. The very idea that a program could be changed, tested again and again, amazed me deeply. Damn kids. They’re all alike. The only problem was that this was happening in the Soviet Union, where computers were almost inaccessible. I had to hunt for access wherever I could, and it wasn’t until years later that I got my first computer—a Soviet clone of the Apple II, Agat. And when the Soviet Union collapsed, and my parents started their own business, I got a powerful (for the time) 486DX2 in 1994. Internet access was prohibitively expensive, so the primary means of communication was the FIDO network and BBS, which shaped the character of the post-Soviet hacker scene for years—offline, focused on reverse engineering and cracking software protection (after all, there was no legal way to buy it even if you had the money), demo design, and so on.

    RHC: Smelly (VX Underground) mentioned you as the creator of the VX Heaven project: can you tell us what the idea behind it was in the years “before Google”? You are a true pioneer! (By the way, congratulations on your work!)

    Herm1t: Somewhere in the mid-’90s, I was reading an ezine dedicated to the demo scene, and in the “Letters from Readers” section, I found a mention of a virus-writing group called SGWW. I immediately downloaded all the issues of Infected Voice that I could find and subscribed to the virus-related newsgroups on FIDO. 

    The virus scene was aggressive and positioned itself as a counterculture, more like punks than honour students. I wrote a few viruses for MS-DOS, experimenting with different techniques one at a time, but I didn’t participate much in discussions. Instead, I continued collecting virus samples, zines, and articles. By the late ’90s, I had started working as a system administrator for a provider, giving me unlimited access to the Internet. That’s when I decided to organize my collection as a website, and that’s how VX Heaven was born. I had no interest in hacking networks—when you have access to dozens, then hundreds, and eventually thousands of devices, there’s no need to look for anything else. But, of course, there were security incidents, and I had to figure out how different vulnerabilities worked and how to prevent them. 

    All the machines at the node ran Linux and FreeBSD, so I started writing viruses for the new platforms, finding new infection methods, and occasionally publishing my results. This went on for years until the end of 2011 when the Ukrainian Security Service (SBU) cyber counterintelligence came to visit. I tried to convince them that my site was a library, not a cybercriminal lair, and they pretended to believe me, even suggesting I help them investigate a few cases related to carders. I analyzed several samples, and since I had gotten debugging versions of the bots, I quickly found the command infrastructure of the botnets.

    At that time, the Ukrainian authorities shut down the pirate resource Infostore, and since it was the peak of Anonymous, the public responded with massive DDoS attacks on government websites. I participated too, using the provider’s large channels (by those standards), and the next day, familiar officers brought screenshots of the government site load graphs, asking for advice on how to find the attack organizers. I shrugged and said I couldn’t help. Apparently, this irritated them, and they eventually opened a criminal case against me for “spreading malicious software.” I had to turn to the public, and several scientists working in the field stood up for me, while the hacker community raised money so I could pay for legal services. The publicity, persistence of the lawyer, and the intervention of influential companies led to the case quietly being closed, and it never went to court.

    Since they took away my favourite toy, I decided to pursue something else, experimenting with different hacking methods on third-world country websites, like Russia. Then a colleague showed me an announcement from the largest bank in the country that they were launching a bug bounty program. After reviewing the bank’s public infrastructure, I found an IDOR, which allowed downloading transaction receipts through simple enumeration. The bank paid the maximum reward. “Probably just luck,” I thought, tried again, and found a reflected XSS right on the login page of the online banking system, which could be used to intercept a user’s password and bypass two-factor authentication. The bank paid the maximum reward again. It wasn’t just luck.

    RHC: Can you tell us something about your transition moment from VX Heaven (Virus eXchange) to defender of Ukrainian digital space, as a partisan of your country?

    Herm1t: I got bored in my hometown of Donetsk and responded to an offer from a complete stranger, some Tim Karpinsky, on LinkedIn, joining a small security startup in Kyiv (better to write Kyiv, not Kiev, as Ukrainians might be very offended). Moving to Kyiv was one of the best decisions I’ve ever made because a year later, the Revolution of Dignity happened, and Russia began its invasion of Ukraine.

    After moving to Kyiv, I revived VX Heaven, just on principle. This time, it was hosted on bulletproof servers, although the SBU didn’t stop trying to recruit me and my colleagues. But we politely listened to their offers and just as politely suggested they move along. Which for a while they did. I can’t talk much about my work at that time—some of it is covered by non-disclosure agreements, and some happened under circumstances I’m not yet ready to discuss. The scene had changed dramatically, and LovinGod, the long-standing leader of SGWW, who had sparked my initial journey into information security, even called my project a “portable coffin for the virus scene.” I’m not offended—maybe it is. But thousands of people over the decades found the idea of viruses infectious, and I think it’s crucial to preserve the results of their work. I’m happy that VX Underground continues to do the same, maintaining continuity and memory.

    The thoroughly corrupt and endlessly dreary Yanukovych regime bred apathy and a desire to stay as far away as possible from what passed for “politics” in this country. Everything changed after the revolution and the start of the war. The formation of a political Ukrainian nation began, along with the need to defend the country from the Russians, including in cyberspace. In 2014, Kostiantyn Korsun from the Ukrainian Information Security Group organized a meeting, and everyone showed up—hackers, intelligence, counterintelligence, the government communications service, and CERT—to discuss what we could do together to protect our country. I had always been interested in the offensive side of cyber operations, so we began retaliatory hacks—we hacked the State Duma of the Russian Federation, broke into regional government websites, posting provocative messages, and passed the hacked information to our intelligence services. This time, we had a common goal.

    After the Minsk agreements, the war dragged on, and OSINT investigators and hackers organized into groups and began to collaborate. Much of the information was published on InformNapalm. In the spring of 2016, we hacked the Orenburg government website and posted a message that “in light of the tragic events in the Republic of Kazakhstan,” a state of emergency was being declared in the region, and the governor was convening an anti-terrorism meeting. A few weeks later, terrorist attacks occurred in Aktobe, and Governor Berg really did have to convene the meeting we had “planned” for him. To effectively use media and hacking to influence events, you need a deep understanding of the context.

    After that, Karpinsky and I were invited to join the Ukrainian Cyber Alliance, and since no one else laid claim to the role, I chose the position of spokesperson. I began with a major interview explaining who we are, what goals we were setting for ourselves, and how we intended to achieve them. Initially, I joked about my “position” in the group, as it strongly resembled the parody pseudo-corporate structures of early hacker groups. But soon, serious work began. I started meeting with journalists regularly, filming stories for news segments and documentaries. We became part of the national resistance against the aggressor and gained our own informational and political identity.

    Beyond the lofty patriotic motivations, there’s another aspect to this kind of hacking: you can hack anything you wish, not only without pressure from the intelligence services but with their full approval. And we did. We hacked the email of Putin’s advisor Surkov, and since the hack happened during the U.S. elections, it received maximum international coverage. Many even thought it was a retaliatory action by American intelligence in response to election interference. We uncovered the names of the Russian occupation army, which was 90% composed of Russian mercenaries—recruited, armed, and sent from Russia to fight under Russian officers in Ukraine. The so-called “Donbass separatists” were just a lie to cover up the obvious truth.

    All of our activities are not hacktivism in the usual sense of the word, because hacktivists generally aim to draw attention to internal issues within their own country (even if the main actions take place abroad, as with Anonymous and the Arab Spring). Their goal is to change public opinion and possibly pressure the government to provoke internal changes. We are dealing with an external enemy that literally wants to invade our country and carry out genocide—through extrajudicial killings, torture, and forced deportations to crush the will for freedom. This is not hacktivism, not patriotic hacking; we were literally cyber warfare partisans. However, since war and politics are inseparably linked, one of our actions did become a classic example of hacktivism. We called it “Fuck Responsible Disclosure”.

    RHC: Cyberspace has changed a lot since the beginning: what are, in your opinion, the positive and negative elements today? Above all, are the old ideals and ideas (such as openness, transparency and universal access) dead, “Silent” or “Muted” in a world more and more complex to fix? Also, can you give us your vision on the protection of information space?

    Herm1t: Two questions that usually interest hackers kept bothering me too—censorship on the Internet and how well our own infrastructure is protected from enemy hackers. In 2017, after the devastating NotPetya attack from Russia, Ukrainian leadership began to think about cybersecurity, but in its own inimitable way. 

    First, under the guise of “protecting the information space,” the government wanted to introduce internet censorship modeled after Russia’s, with a list of banned websites. Bill 6688 was submitted to parliament, but after we mobilized society to protest, the bill was withdrawn. However, the blockings were still introduced later, not by law but by a presidential decree. 

    At the same time, the “Cybersecurity Strategy” was adopted, and the officials we talked to began saying, “See, everything is changing, now that we have the strategy, security will improve.” As everyone knows, hackers don’t give a fuck about your budgets, strategies, compliance, and other paperwork. Our first “victim” was CERT, who “lost” their email password right on their website in a backup of one of the scripts. After that, vulnerable targets poured in like an avalanche—ministry websites, water and electricity supplies, state agencies, and even nuclear power plants. But we never fully exploited the hacks to remain within the law, only pointing out vulnerabilities and potential consequences.

    Each new “target” sparked a scandal, and officials went through all the stages, from denial to acceptance. As always and everywhere, they said, “These are not our systems, they’re old systems, but soon there will be new ones. Yes, they’re vulnerable, but nothing leaked, and nothing happened. Yes, it could have happened, but we are already working on fixing it.” When documents of civil service applicants leaked, the National Security Council was convened, and the head of the agency was fired. 

    And of course, by publicly shaming high-ranking officials, we made many enemies. Often, the owner of a vulnerable system threatened to file a police report. In the case of the Kherson government, Katya Handziuk (who was later brutally murdered for her civic stance) persuaded them not to. Energoatom tried to complain to the SBU, but since it was about a nuclear power plant, the SBU threatened them back with a criminal investigation for negligence. Tragically, around the same time, a nuclear safety engineer at the Zaporizhzhia NPP committed suicide. We clearly annoyed someone so much that in 2018, cyber police raided my house. Higher political leadership intervened, and charges were never brought. To avoid giving law enforcement a reason, we had to shut down the VX Heaven website. 

    President Poroshenko’s term ended, and Zelensky won the election, causing a split in the Ukrainian Cyber Alliance. The Falcons Flame and CyberHunta groups announced they were ceasing operations and leaving. Meanwhile, law enforcement made another attempt to rein in the defiant activists. In the fall of 2019, an unknown prankster displayed the message “Fuck you, Greta!” on a screen at Odesa airport, and the SBU decided it was our doing. 

    They tapped our phones, and in February 2020, they conducted raids on group members. They wore so much armor and carried so many weapons that it could have been enough to capture highly dangerous terrorists. Instead of humbly seeking protection, we enlisted the support of opposition parties “Democratic Axe” and “European Solidarity,” first holding our own press conference and then another one right at the parliamentary press venue. Protests took place right inside the courthouse. No charges were brought, but it took years for lawyers to achieve justice, and only a few weeks ago, a court ruled that we had nothing to do with the incident at Odesa airport. 

    Although we announced at the press conference that we were ceasing cooperation with the authorities, our communication with certain agencies continued. We maintained contact with the intelligence, the Ministry of Defense, and the Service of Special Communications and Information Protection. In fact, we even signed a cooperation agreement with the latter, as by that time we had officially registered our organization as an NGO. This cooperation included discussions about security and policies to improve the safety of government systems. 

    However, new laws, regulatory restrictions, miracle security devices, fines, conferences, and roundtables don’t actually help. What does help is being prepared for the possibility that your system will be targeted and having a plan for when computers simply go off, so that you can turn them back on again. Moreover, Ukraine has a rather specific threat landscape. There’s certainly no shortage of cybercrime here, but most “Russian” hackers (in quotes because many of them aren’t actually Russian) follow the rule of “not working in the CIS” to avoid clashing with local law enforcement. They are driven purely by money and stay as far away from politics as possible because it hurts business. Meanwhile, Russian intelligence agencies have been extremely active since 2014, not only engaging in espionage but also seeking to cause the greatest possible damage. The beginning of the war in 2014 marked a division within the post-Soviet blackhat community, which continues to this day. However, greed and apolitical stances remain unchanged.

    RHC: Can you give us your vision of hybrid warfare and how information technology will play an increasingly important role for countries in terms of defense and offense?

    Herm1t: You mentioned the term “hybrid warfare,” which I dislike just as much as the term “hacktivists,” because it simply doesn’t reflect reality. Without a doubt, the war Russia has been waging since 2014 is far removed from Clausewitz’s theory of war, but there’s nothing particularly new about fighting with mercenaries or carrying out sabotage (even with the “cyber” prefix). This war may be “hybrid” for other countries, but for Ukraine, it’s just war. 

    And for Russia too, in general, because when they couldn’t conquer the country through military-political means, they reverted to brute force. Nevertheless, the role of technology will only continue to grow. Just look at what’s happening right now. More and more countries are trying to create cyber units. Some are working on doctrines, strategies, and tactics, while others, like Russia, North Korea, and Iran, are simply taking advantage of whatever opportunities they can find. Their attacks are opportunistic, often uncoordinated with political leadership, and deniable. But sometimes they are successful (at least technically), even if they fail to achieve a military goal. A good example is the attack from January 13-14, 2022, when the GRU hacked dozens of Ukrainian government institutions with the goal of intimidating the political elite and convincing them that resistance was futile. After that attack, it became clear that time is running out.

    Just before the invasion, Tim and I were preparing a hack that could have been the pinnacle of our hacking careers. We were reviewing proposed amendments to Ukraine’s Criminal Code regarding cybercrime. The irony of the situation didn’t escape us. “Who would’ve thought,” my colleague said, “two hackers are suggesting amendments to national legislation!” “Just wait,” I replied, “what if that legislation becomes Russian?” On the morning of February 24, Ukrainians were awakened by explosions. After talking to some military and intelligence contacts, we relocated to a safer part of the country—Lviv.

    All previous disagreements were immediately forgotten. People who previously didn’t even want to talk to us began offering their help. The cyber police returned the equipment they had confiscated, a mobile operator opened unlimited high-speed communication channels, and volunteers raised money and provided the necessary equipment. As always in such situations, you don’t rise to the level of your expectations; you fall to the level of your training. 

    RHC: UCA managed to penetrate and wipe Trigona Ransomware servers: can you describe to us what you have found and how this ransomware group was organised? Why did you choose to target this specific group? Second: How can you then successfully counteract a ransomware group?  

    Herm1t: Our first hacks didn’t differ much from what we now consider “hacktivist” actions—simple defacements and leaked databases. But we didn’t plan to stop and acted methodically. Then came public exploits, building infrastructure, developing our own tools, working with other groups and the military. Experience comes with time.

    That’s why something like “Trigona” becomes an incredibly easy target. It was a standard raid using a public exploit in Confluence. But unlike blackhats, who immediately try to monetize their loot by installing miners, we focused on extracting all available information, gaining administrative privileges, kicking out other hackers, and establishing persistence. Ransomware operators didn’t stand a chance of finding all the traps we had set, just like our other targets. For instance, it took C.A.S. and us about two hours to destroy the public broadcasting infrastructure in occupied Luhansk (it was Luhansk’s branch, not VGTRK, which was hacked by another group). One hour to elevate privileges and find all available subsystems, and another hour to wipe everything out.

    Right now, we are monitoring a large number of targets simultaneously. Some manage to escape, but we often manage to reclaim them later. At any given moment, we have targets from any sector of the Russian economy or government. If we decide the time is right, we destroy them. When a journalist from RFERL recently asked me, “Who is winning the cyberwar?” I replied that it’s not a competition. We rarely clash with our opponents, though sometimes we manage to disrupt their operations. The scale of our targets will continue to grow, not so much due to technical capabilities, but thanks to “boring” things like organizational structure, recruitment, training, intelligence sharing and so on.

    RHC: How did you choose your nickname? What about the phrase “Virus don’t harm, Ignorance does” on the VX-Heaven homepage?

    Herm1t: The nicknames “herm1t” and “Sean Townsend” were chosen almost at random. I used the first one on BBS in the mid-90s, and when I was getting user accounts at work, the senior administrator used that same name. I didn’t have time to come up with something else. As for the second, I had stolen documents under that name to pass verification on social media. It’s not a rare name, so I didn’t feel like I was causing any harm to the real person by using it as a nom de guerre.

    The motto of VX Heaven simply states that any technical knowledge is morally neutral. The same techniques can be used by ransomware hackers for profit, by Russians for their war of aggression, and by us to cause them the kind of damage that will prevent them from attacking anyone again.

    RHC: Herm1t, thanks a lot for your time! We highly appreciate your contribution to the community. We wish the best to you and your group, and peace for your country. Your words are precious for current and future hackers.

    Alessio Stefan
    Member of the Dark Lab group. Master's student of AI & Cybersecurity and CTF player with a passion for ethical hacking that has been with him since a young age. He spends his days immersed in studying and discovering new methods of attack with just the right amount of practice. Convinced that hacking is a culture, he applies its principles not only in the digital world but also to daily life while waiting to turn his dedication into a career.