Russia’s largest hacking conference reflects isolated cyber ecosystem

Two teams of hackers try to attack and defend the systems of a model town at Positive Hack Days 10 in 2021. (REUTERS/Alexander Marrow)

In May of last year, around 8,700 leading hackers, developers, and cybersecurity firms in Russia converged on Moscow for one of the country’s largest hacker conferences: Positive Hack Days. Held annually since 2011, Positive Hack Days is in many ways reminiscent of American cybersecurity events such as Defcon or Blackhat, from its vendor-driven talks to its background music and social activities for participants.

Importantly, Positive Hack Days is organized by Russian cybersecurity company Positive Technologies—which the U.S. government sanctioned in April 2021 for supporting Russian government cyber operations. Reportedly, it discovers vulnerabilities in technology products, develops exploits for those vulnerabilities, and provides them to Russia’s Federal Security Service (FSB). It plays a key role in Russia’s national cyber threat response program (GosSOPKA), too. But Positive Technologies’ assistance to the Russian intelligence community doesn’t end there. It also hosts events that serve as recruitment hotbeds for Russia’s FSB and military intelligence agency (GRU), which ostensibly survey company talks, capture-the-flag competitions, and other hacking challenges to identify talent. Positive Hack Days appears to be one such gathering.

Last May’s conference offers a unique window into Russia’s cybersecurity community. At a time when the Putin regime is waging an illegal war on Ukraine and Western governments have slammed the Russian economy with sanctions, Russia’s technology industry is more isolated than ever. In the overall Russian technology sector, plenty of developers oppose the war or have left Russia entirely. The politically charged environment in Russia creates precarity for those that remain. Although the panels and discussions at Positive Hack Days focused on nationalism and the importance of Russia’s domestic technology sector, some participants articulated concerns associated with technological isolationism. However, many others expressed support for the Putin regime, particularly those who have capitalized on sanctions and tech isolation as an opportunity to expand their own cybersecurity products and services. Western governments cannot understand and prepare for the future of Russia’s cybersecurity sector, cyber talent base, and cyber capability development without analyzing the full range of perspectives and interests found at these gatherings, too.

Positive Technologies was founded in 2006, with just six employees in its Moscow office. The company was offering cybersecurity services at a time in which the Russian internet was still relatively open and the Kremlin, by and large, was still beginning to grapple with the security implications of the web and other digital technologies. Now, Positive Technologies boasts roughly 1,200 employees and plays a central role in Russia’s cybersecurity ecosystem.

When Positive Technologies launched the Positive Hack Days conference in 2011, just 500 people showed up. It has grown rapidly over the years—3,500 attendees in 2015; 8,700 in 2022—and now brings in many sponsors and partners from the Russian private-sector cybersecurity ecosystem. (Due to the Covid pandemic, the event was cancelled in 2020 and more sparsely attended in 2021.)  

Positive Hack Days and the Russian government

The Positive Hack Days conference has long been entangled with the Russian intelligence community. Before the U.S. government even sanctioned its organizing company, journalists at Radio Free Europe/Radio Liberty and The Daily Beast had reported on multiple GRU officers attending the conference.

Dmitry Sergeyevich Badin, an officer in the GRU unit that would go on to hack the Democratic National Committee, attended in 2014. That same year, one Alisa Andreevna Shevchenko delivered a keynote; her company Zorsecurity was later sanctioned by the U.S. for providing “technical research and development” to the GRU in service of its interference in the 2016 U.S. election. The list goes on, such as in 2017, when another attendee put his affiliation as Moscow State Technical University—and provided an identity that exactly matched a GRU hacker indicted by the United States for developing messaging campaigns and spearphishing techniques used to target officials from the En Marche! party in France, employees of the UK’s Defense Science and Technology Laboratory, members of the International Olympic Committee, and more. Although the attendance of GRU officers and affiliated individuals could merely be for self-educational purposes (which itself would be significant), they more likely show up to hunt for talent, as U.S. disclosures reveal.

The 2022 Positive Hack Days featured over 150 sessions, ranging from podcast-style interviews to presentations of technical security research. Many Russian cyber firms were in attendance, plus a host of independent security researchers and hackers. Most notably, however, the Kremlin also showed its support for cultivating the Russian cyber ecosystem.

Maria Zakharova, the infamous spokesperson for Russia’s Ministry of Foreign Affairs once dubbed Russia’s “troll-in-chief” for her lies and what-about-ism, headlined a discussion on “Creating a Multipolar World.” The conversation was laden with nationalistic talking points about tech isolation: “The internet is being segmented,” Zakharova told the moderator, and “this is not being done by individual states that want to maintain their political, economic, or financial agenda, but we see it on the part of those who created the internet space as a commons.” Ignoring the Russian government’s numerous steps to control the internet at home and undermine the open internet globally, Zakharova stated that “it is the countries and the corporations that regionally were talking about the need for a global approach who are pursuing that policy of exclusion.” She continued bluntly: “we need to stop protecting the Western platforms and websites and hosting platforms. … Western monopolies act outside the rules. … They act aggressively towards our country and towards our people.”

Russia’s Minister of Digital Development, Communications, and Mass Media, Maksut Shadayev, also spoke. He previously attended Positive Hack Days a few years earlier. Much of the discussion would ring familiar to Western audiences: explaining the importance of cybersecurity to businesses, talking about how cybersecurity touches everyday life, such as through data leaks, and describing the ministry’s work to manage public services and convince businesses to invest more in cybersecurity. “I don’t sleep peacefully,” Shadayev said. “Every time I’m thinking, ‘what else can be done?’” The minister then argued for incentives to keep developers in Russia, which the Kremlin has rapidly expanded since February (such as exempting some IT workers from military conscription and IT companies from income taxes). “Our IT people, they should have stimulus to stay here,” Shadayev said. Otherwise, he continued, they’ll find a “good place under the sun” in a foreign country.

For a conference that began with just a few hundred attendees, Positive Hack Days was now graced by multiple, high-level figures in the Russian government working on geopolitics and technology portfolios. Western government officials regularly attend industry conferences in their own countries, too. In fact, it would be uncommon to sit through a major American cybersecurity conference without someone from the U.S. government participating in a panel or giving a talk. That said, the Russian government’s emphasis at Positive Hack Days on technological isolationism struck a more nationalistic tone than previous conferences—where many foreigners would participate and, in at least one case, were even invited to give a keynote address. It also does not appear Zakharova had attended before. Whether they agreed with the government’s line or not, Positive Hack Days participants witnessed a phenomenon increasingly frequent in Russia: top-down Kremlin messaging at venues that historically enjoyed a greater degree of separation from state control.

Nationalist rhetoric meets techno-isolationism

Other conference talks and discussions at Positive Hack Days underscored how some Russian hackers are consuming nationalistic rhetoric—and are using Western sanctions and Russian tech isolation as an opportunity to expand their cybersecurity products and services. Simultaneously, there appear to be some individuals in Russia’s cybersecurity sector thinking about issues like domestic growth and overseas market expansion at a time when Russia is under heavy sanctions and is facing distrust in many parts of the world. It serves as a reminder that those in Russia’s cybersecurity community may have a range of perspectives on the current war, even if it is incredibly difficult, if not effectively impossible, for many of them to explicitly voice their concerns.

In a panel on technological independence through “import substitution,” featuring representatives from Russian technology firms, the participants discussed how tech isolation and the resulting need for domestic technology is “an irreversible process.” These conversations are by no means new in Russia, but the repeated coverage of technological isolationism and import substitution issues underscores a ratcheting-up of this rhetoric in Russia’s cybersecurity community. One participant noted that “suddenly, you see companies that were developing some huge products for one, two customers, but now, they are going national, they are going big-time, and it’s one of the, probably, benefits of the current situation.” Another speaker was even blunter about the Russian government’s push to eradicate foreign technology, including a recent decree from Putin that seems to have sparked both a siege mentality and a newly competitive atmosphere in some parts of the cybersecurity industry. The panel participant, the CEO of a Russian cybersecurity and information technology company, said:

“It’s irreversible, and it’s ambitious. Because we all now enter a new field of opportunities. There is demand from the market, there is regulation, there is support from the state, there is cyber war—I want to say, thank god there is cyber war, but, well, there is cyber war. Everything we are doing now is not going to be tested on a virtual mockup at The Standoff; it’s going to be tested in real-life settings. And if we can demonstrate the infosec maturity of Russian solutions, then it’s a big opportunity.”

This comment follows multiple statements from Positive Technologies leaders about their international expansion goals. When one of Positive’s managing directors, Denis Baranov, took over as CEO in July 2021, he named global market growth as one of his three priorities. Positive Technologies had already been on an upward trajectory in this regard, opening offices in the UK, South Korea, Czech Republic, Tunisia, India, and elsewhere in recent years; it even had a Boston office until the U.S. imposed sanctions on the firm. In June 2022, the CEO’s advisor said that Positive Technologies wants to expand into Southeast Asia, South America, the Middle East, and elsewhere—asserting that Russia, the U.S., Israel, and China house the major cybersecurity providers and that Western dominance creates demand for other cybersecurity solutions. For example, the advisor said, a Latin American company might hypothetically wish to split its cyber defenses between Western and Russian solutions to mitigate and spread out risk.

Even on a panel with less outwardly nationalistic rhetoric, a theme of Russian technological isolation persisted—this time, with an eye toward the potential impacts of the war on Russia’s cybersecurity sector. “Recent events became geopolitical,” said one Positive Technologies employee in a discussion focused on open-source software. “Some countries don’t like to use cyber software not from their own countries, not from their own locations.” Hence, he said, it is important for Russia to cultivate the open-source software community, because opening code can improve trust. “You are confident in yourself so much,” he told listeners, “but they may not believe you. So how can you prove it? You can open this code—make it open-source. And this is the only way, the only path, to go to wider geographies in order to make your products popular.”

The speeches and panels at Positive Hack Days featured a range of distinct perspectives within Russia’s cybersecurity sector on the Putin regime’s war. Yet all the while, discussion of technological nationalism and isolationism remained center-stage.

The bottom line

For policymakers, Positive Hack Days and related events offer an important glimpse into how Russia’s cybersecurity community is grappling with growing isolation, Western sanctions, and the looming economic difficulties of selling Russian software and hardware products in the current global market. The early evidence suggests that entrepreneurialism and experimentation are likely to thrive in a newly constrained environment where government and private-sector ties are tightening, even if that entrepreneurialism and experimentation does not catalyze market expansion abroad. Intelligence analysis, media coverage, and other analysis may miss these developments and trends, given that they focus more heavily on government cyber units at the expense of the broader community of developers, hackers, cybercriminals, and other actors that compose Russia’s vast, opaque cyber web.

Policymakers should also know that Russian cybersecurity professionals are clearly feeling the effects of sanctions. The aforementioned discussion on import substitution, for instance, touched on the challenges involved with producing domestic replacements for hardware and semiconductors compared to software. The reality of sanctions and isolation, too, was a frequent point of conversation—and few of the Positive Hack Days 2022 speakers appeared particularly optimistic that sanctions would be undone. In fact, multiple Positive Technologies employees asserted that even if they could do business with Western firms again, many Russian businesses would reject those foreign companies.

Yet policymakers must also recognize that Moscow is clearly supporting the cultivation of Russia’s cyber ecosystem. From the messaging of Russian media and state-run television to more tailored speeches and content targeted to cybersecurity experts and professionals, the government is barraging individuals in Russia’s cyber community with nationalistic rhetoric. Zakharova and digital minister Shadayev’s attendance is not to be understated, as it signaled some additional degree of government interest in the Positive Hack Days conference (beyond already ongoing intelligence recruitment). Based on the discussions and talks at last year’s conference, Russian hackers hold a variety of perspectives on that rhetoric and the war with Ukraine. Likewise, their actions and behavior appeared guided by a range of motivations, from self-preservation to self-serving business interests to genuine belief in the regime and its propaganda. However, what Positive Hack Days revealed above all is that, for Russia’s hacker community, a strong dose of state-pushed nationalism and techno-isolationism are here to stay.

Justin Sherman is the founder and CEO of Global Cyber Strategies, a senior fellow at Duke’s Sanford School of Public Policy, and a nonresident fellow at the Atlantic Council. He also consults on Russia’s cybersecurity ecosystem for the security research firm Margin Research.