There’s Something Very Weird Happening Inside Russia’s Cybersecurity World

The arrest of several of Russia’s top cybersecurity figures has led to speculation that there’s a shake-up inside the country’s national security service related to hacks surrounding the US election.

SAN FRANCISCO — A series of surprising arrests of some of Russia’s top cybersecurity figures has left international cybersecurity officials and analysts wondering whether Russia is cleaning house of suspected spies or going through an internal shakeup of the FSB, Russia’s national security service.

At some point in December, Ruslan Stoyanov, a well-respected researcher with the Moscow-based Kaspersky Lab, and Sergei Mikhailov, head of the FSB’s Center for Information Security, were arrested by Russian police as part of what Russia’s Kommersant newspaper described as a probe into possible treason. No date of arrest has been made public, though Kommersant reported that Stoyanov last logged into his private social media account on Dec. 4, and Mikhailov on Dec. 5. The Moscow-based Novaya Gazeta newspaper cited sources as saying Mikhailov was arrested during a meeting with other FSB officers in Moscow, and was taken from the room with a sack over his head.

On Tuesday, Russia's Interfax news agency reported that the two men were being arrested on charges of treason, for allegedly passing information to the CIA. The report, which cited an unnamed source familiar with the case, said the men had independently conspired with foreign intelligence agencies. At least four other men, Interfax said, had been arrested as part of the same roundup, and up to eight are under scrutiny and may appear as witnesses.

The men were charged "with treason in favor of the United States," Ivan Pavlov, the lawyer for one of the defendants, told CNN.

The identities of the other men involved remain less clear. Last week, REN-TV, a privately owned TV channel in Russia, said a second FSB officer had also been arrested in December. They identified the man as Major Dmitry Dokuchayev, and reported that he had served under Mikhailov in the the Center for Information Security.

Russia's RBC newspaper named Dokuchaev as "Forb" a well-known Russian hacker who, in a 2004 interview with the Russian Vedomosti newspaper, revealed that he was a hacker for hire, earning anywhere between $5,000-$30,000 in a single month. RBC claimed that as Forb, Dokuchaev had launched attacks on US government infrastructure, and that he had ultimately been recruited by the FSB who agreed not to prosecute him for his cyber crimes in exchange for his agreeing to work for the Russian government.

Kommersant also reported that on January 13, the director of the Center for Information Security, Andrei Gerasimov, was fired. He was described as having close ties to cybersecurity companies, including Kaspersky Lab.

Kaspersky Lab confirmed that Stoyanov was under investigation for activity during a period predating his employment at the company and added, in a public statement, “We do not possess details of the investigation. The work of Kaspersky Lab's Computer Incidents Investigation Team is unaffected by these developments."

Stoyanov’s LinkedIn page lists his previous employer as the Ministry of the Interior’s Cyber Crime Unit.

Four intelligence officers working in various branches of the US government told BuzzFeed News this week that they had no insight into the arrests of Stoyanov and Mikhailov, with one explaining, “it’s above my paygrade.”

“There are a small handful of people who would know if one or both of these men was a US asset or in any way involved in any intelligence operation, and I’m not one of them,” said the US intelligence officer, who asked not to be named due to the sensitivity of the story. “Obviously, this could also be an internal struggle within the FSB, in which case we would have little daylight into what was happening.”

The case against Stoyanov and Mikhailov has been filed in a secret military tribunal under Article 275 of the country’s constitution, which allows the government to investigate individuals they suspect of spying for a foreign state.

Whether or not their cases have anything to do with the Russia’s involvement in the hacks targeting the US 2016 elections remains unclear. Fancy Bear, the group named by US cybersecurity companies as being behind the hacking and leaking of damaging emails from top Democratic National Committee officials, has been tied back to the GRU, Russia’s main foreign intelligence agency. Cozy Bear, a group also believed to have been within the DNC’s system, has been linked to the FSB.

While most news reports do not directly tie the arrested men to the DNC hack, the Moscow Times reported that Mikhailov’s arrest was due to suspicions that he tipped US officials off to the Russian server rental company “King Servers,” which the Arlington-based ThreatConnect cybersecurity company identified last September as a “nexus” used by Russian hackers in attacks against the US.

In Russia, rumors about the arrested men are running rampant. Russia’s Tzargrad news site — which is run by noted far-right intellectual Aleksandr Dugin — published a story claiming that Mikhailov could secretly be the FSB handler for a notorious Russian hacking group called Shaltay-Boltay (or Humpty Dumpty), and that the group was secretly backed by the CIA. The article, which was shared widely within Russian social media, was suddenly taken off the site, though an archived version is still being shared.

CORRECTION

Tzargrad referred to Mikhailov as a possible "handler" for a Russian hacking group. A previous version of this article, through a mistranslation, referred to him as the leader of the group.

Skip to footer