Making Sense of Russia's Cyber Treason Scandal

6 MINS READFeb 9, 2017 | 09:15 GMT
Making Sense of Russia's Cyber Treason Scandal
(OLEG KLIMOV/Getty Images)
The headquarters of Russia's Federal Security Service (FSB) in Moscow. The Russian security agency's cybersecurity arm is at the center of a scandal that apparently has been the subject of a Kremlin-directed disinformation campaign.

The scandal surrounding a shadowy Russian computer intelligence unit has captivated the Russian public over the past few months. The story of a series of high-profile arrests continues to evolve in scope and complexity, implicating members of the Federal Security Service (FSB) and prominent hacking groups. Now, possible connections have emerged to the alleged hacking campaign targeting the United States during the presidential election. Mystery remains over the exact purpose of the crackdown on the cyber unit and why it is happening now, leading to intense speculation in the Russian media. The guarded nature of Russian organs of state means that the story playing out in the public eye is indicative of more dangerous struggles taking place deep inside the Kremlin.

In January, the Kremlin-linked media outlet Kommersant suggested that the heads of Russia's Information Security Center (TsIB) were under investigation and would soon leave their posts. The TsIB is a shadowy unit that manages computer security investigations for the Interior Ministry and the FSB. It is thought to be Russia's largest inspectorate when it comes to domestic and foreign cyber capabilities, including hacking. It oversees security matters related to credit theft, financial information, personal data, social networks and reportedly election data — or as some have claimed in the Russian media, "election rigging." Beyond its investigative role, it is presumed that the TsIB is fully capable of planning and directing cyber operations. A week after the initial Kommersant report surfaced, Andrei Gerasimov, the longtime TsIB director, resigned.
Not long after Gerasimov's resignation at the end of January, reports emerged from numerous Kremlin-linked media outlets in what appeared to be a coordinated flood of information and disinformation about the arrests of senior TsIB officers. One of the cyber unit's operational directors, Sergei Mikhailov, was arrested toward the end of last year along with his deputy, Dmitri Dokuchaev, and charged with treason. Also arrested around the same time was Ruslan Stoyanov, the chief investigator for Kaspersky Lab, which is the primary cybersecurity contractor for the TsIB.
There is much conjecture, but Mikhailov was apparently forcibly removed from a meeting with fellow FSB officers — escorted out with a bag over his head, so the story goes — and arrested. This is thought to have taken place some time around Dec. 5. His deputy, a well-respected computer hacker recruited by the FSB, was reportedly last seen in November. Kaspersky Lab's Stoyanov was a career cybersecurity professional, previously working for the Indrik computer crime investigation firm and the Interior Ministry's computer crime unit. Novaya Gazeta, a Kremlin-linked media outlet, reported that two other unnamed FSB computer security officers were also detained.

Theories, Accusations and Rumors

Since the initial reports surfaced, Russian media have been flooded with conflicting theories about the arrests; about Mikhailov, Dokuchaev and Stoyanov; and about the accusations levied against them. Because the charges are treason, the case is considered "classified" by the state, meaning no official explanation or evidence will be released. An ultranationalist news network called Tsargrad TV reported that Mikhailov had tipped U.S. intelligence to the King Servers firm, which the FBI has accused of being the nexus of FSB hacking and intelligence operations in the United States. (It should be noted that Tsargrad TV tends toward sensationalism and has been used as a conduit for propaganda in the past.) The media outlet also claimed that the Russian officer's cooperation is what enabled the United States to publicly accuse Moscow of sponsoring election-related hacking with "high confidence."

The stories implicating Mikhailov gained credence when Russian businessman Pavel Vrublevsky made similar accusations. He asserted that Mikhailov leaked details of Russian hacking capabilities to U.S. intelligence agencies. Vrublevsky, however, had previously been the target of hacking accusations leveled by Mikhailov and his team, so it is possible that he has a personal ax to grind. To further complicate matters, a business partner of Vrublevsky, Vladimir Fomenko, runs King Servers, which the United States shut down in the wake of the hacking scandal.

Novaya Gazeta's sources contradicted the claim that the accused officers colluded with foreign intelligence assets, saying there was no evidence they were involved in the U.S. case. Instead, the media outlet tied the arrests to prominent Russian hacking circle Shaltai Boltai (Humpty Dumpty), which is linked to a series of high-profile network intrusions, including ones targeting senior Russian officials. More recently, the group was implicated in leaking emails after the hack of an account run by presidential aide Vladislav Surkov that exposed his oversight of Russian activities in eastern Ukraine.

In a 2015 interview, the leader of Shaltai Boltai, code-named "Lewis," said his group was driven purely by money, not ideology. He said if a client was willing to pay, then Humpty Dumpty would take the job. Lewis also said he didn't know the identities of all the group's clients because many kept them guarded. Three days after the original story about the FSB arrests broke, Kremlin-linked media outlet Rosbalt reported that Shaltai Boltai's leader — whom they named as Vladimir Anikeev — had been arrested in October on charges of unlawful access to computer information. The report said Anikeev confessed to working with Mikhailov and Dokuchaev. On Feb. 1, two of Anikeev's associates, Alexander Filinov and Konstantin Terlijakov, were also charged with being members of Shaltai Boltai. A lawyer for Anikeev said the charges against his client were not connected with the FSB arrests or U.S. hacking accusations.

Over the past few weeks, Tsargrad TV has developed the story, releasing further details and making connections that are explosive if true. The television station claimed that the CIA had sponsored Anonymous International to engage Shaltai Boltai to work with Mikhailov and his team. The story appears unlikely, however, because the CIA has previously been a target of Anonymous International. The convoluted report claims the CIA wanted Mikhailov and his team to infiltrate one of Russia's largest financial institutions, Sberbank, to collect data on Russians that the CIA could use to manipulate public opinion ahead of the upcoming Russian national elections.

More Questions Than Answers

As more details emerge, the true picture of what is happening grows murkier. It is evident that a campaign to confuse the situation is in effect, with conflicting news stories seeding the confusion. Most new information comes from Kremlin-related media outlets, meaning that influential figures in the Russian government are likely trying to redirect the story. It remains unclear why the initial details of the arrests were even made public. The accusation that such prominent FSB members could be linked to the U.S. hacking scandal would be tantamount to an admission of guilt after months of continual denials from Moscow that Russia had any part in the scandal.

The connection being made between the FSB officers and Shaltai Boltai is questionable. Russian investigative journalist and cybersecurity expert Andrei Soldatov said the effort to tie Mikhailov to Shaltai Boltai was more likely an attempt at a hasty cover-up. Soldatov told the British newspaper The Guardian that Mikhailov and Stoyanov were "real experts in one thing, the Russian digital underground, not the kind of stuff that Shaltai Boltai leaked." The narrative linking Shaltai Boltai to the FSB officers came just three days after the initial stories suggesting the FSB officers were the sources of leaks to U.S. intelligence.
The most puzzling aspect of this curious episode is how and why the Kremlin allowed this story and the speculation around it to be featured in the Russian media for weeks. The Kremlin traditionally likes to exercise control over its appendages, particularly the security services. Moreover, the Russian administration's fears of reprisal hacks have increased, not only in response to accusations by the United States and other governments but also as its own election cycle approaches. So perhaps the real story is about the magnitude of the struggle taking place inside the Kremlin that has allowed such a noisy and messy spillover to extrude beyond its dense walls.

Article Search

Copyright © Stratfor Enterprises, LLC. All rights reserved.

Stratfor Worldview


To empower members to confidently understand and navigate a continuously changing and complex global environment.