The Atlanta Journal-Constitution
Russian arrests raise intrigue on hacking
Lurid details that might be from foes fill Russian media.
MOSCOW — In the days since it emerged that four men had been arrested on treason charges linked to cyberintelligence and Russia’s domestic security agency, conspiracy theories and speculation about the case have swept through Moscow.
Was it some fallout from the alleged Russian hacking of the U.S. presidential election? Were they part of a hunt for a possible mole who tipped off American intelligence agencies? Was it a power struggle within Russia’s security services?
Specifics of the case are murky, and no Russian government officials have commented publicly. Russian media have been filled with lurid, often contradictory, details that most assume are leaked by warring factions of intelligence officers.
Linking the arrests to the U.S. vote would mean joining the dots between a series of shadowy actors in the Russian internet world.
In one of the few formal acknowledgments of the case, Ivan Pavlov, a Russian defense lawyer specializing in treason cases, confirmed that at least four arrests on linked treason charges had taken place. He declined to elaborate.
U.S. intelligence agencies alleged in early January that President Vladimir Putin ordered a campaign to influence the U.S. presidential election in favor of Donald Trump, with actions that included using a group called Fancy Bear to hack email accounts of individuals on the Democratic National Committee.
In an unclassified version of their report, the agencies did not disclose how the U.S. learned what it said it knows, and Russia has denied the accusations.
“I have long assumed there has to be some human resource for U.S. intelligence,” said Mark Galeotti, an expert on the Russian security services and a senior researcher at the Institute of International Relations in Prague.
The first arrest emerged last week with the news of the detention of Ruslan Stoyanov, an executive at Kaspersky Lab, a cybersecurity firm.
Stoyanov apparently traveled widely as the head of the company’s computer incidents investigations. According to his LinkedIn profile, he was employed by the Russian Interior Ministry’s cybercrime unit in the early 2000s and hired by Kaspersky in 2012. Kaspersky has said the charges against Stoyanov relate to a time before he joined the company.
Multiple Russian media outlets have reported the detention of three officers working for the cybercrime division of the FSB, Russia’s domestic security agency, at around the same time as Stoyanov’s arrest in December.
Two of the men have been named in Russian media as Col. Sergei Mikhailov, deputy head of the FSB’s Information Security Center, the TsIB, and a subordinate, Maj. Dmitry Dokuchayev. Pavlov said a fourth defendant in the case was his client, but he refused to reveal his name.
TsIB is an “experienced cyberespionage outfit” that has expanded rapidly in recent years, according to Galeotti. “Their job is to hoover up everything they can.”
Reporting by Russia’s opposition newspaper Novaya Gazeta and U.S. cybersecurity journalist Brian Krebs suggested compromising material on the FSB officers may have been a revenge operation by 26-year-old Vladimir Fomenko, revealed by U.S. cyber firm ThreatConnect last year as the owner of servers used in hacks on election systems in Arizona and Illinois, and a Russian businessman, Pavel Vrublevsky, who was jailed for a year in 2013 for organizing cyberattacks on a competitor.
Krebs said in a blog entry Saturday that Mikhailov may have passed details of Russian cyber criminals over many years to U.S. law enforcement officers and U.S. journalists, including a cache of information on Vrublevsky he himself received.
Vrublevsky said Monday he was only slightly acquainted with Fomenko. He declined to comment on the FSB officer arrests but said they were “the guys who put me behind bars.” Fomenko did not respond to a request for comment.
In a further twist, the Interfax news agency reported Tuesday that Mikhailov and Dokuchayev are accused of passing information to the CIA. The report cited a source Interfax did not identify, making it difficult to verify its accuracy. A spokesman for the CIA declined to comment on the actions of Russian law enforcement.
Mikhailov’s arrest apparently was designed to have maximum effect on fellow officers. He was detained at a gathering of FSB officials when he had a bag placed over his head and was marched out of the room, according to Novaya Gazeta and the nationalist Tsargrad network.
Another theory circulating apparently seeks to draw attention away from the U.S. hack.
News outlets Life News and Rosbalt, which has close links to the security services, reported that the FSB officers fed sensitive information to hacking group Shaltai Boltai, or Humpty Dumpty, which used it in a complex profit-making enterprise to blackmail dozens of Russian political figures.
A Moscow court confirmed Monday the arrest of Vladimir Anikeyev, reported to be one of the leaders of Shaltai Boltai, on hacking charges.
The arrests appear to add more weight to allegations against the Russian intelligence services that they recruited from the country’s vibrant hacking community to boost their offensive cyber capabilities.
As president, Barack Obama imposed sanctions on renowned hackers Yevgeny Bogachyov and Alexei Belan for their alleged role in cooperating with the GRU, Russian military intelligence, to target the DNC.
Andrei Soldatov, who has studied the Russian security services and the internet for years, said the Moscow arrests clearly pointed to intelligence officers and criminal hackers working together to hack the Democrats.