Top Manager of Kaspersky Laboratory and FSB Officer Arrested in ‘Treason Case,’ Kommersant Reports

January 25, 2017
Ruslan Stoyanov, cybersecurity expert from Kaspersky Laboratory, arrested in December 2016 in an investigation of treason.

LIVE UPDATES: A top manager of the Kaspersky Laboratory and an officer of the Federal Security Service’s (FSB) Center for Information Security were arrested and charged with treason, possibly for receiving payment from a middleman related to a foreign organization.

Kaspersky Lab Denies Arrested Russian Cybersecurity Expert Was ‘Top Manager’; Case Related to His Previous Work

Yuliya Krivosheina, director of the Kaspersky Laboratory press service, said Ruslan Stoyanov, an employee arrested in December 2016 and now under investigation for treason, is not a “top manager” as Kommersant claimed earlier today, based on its sources.

Stoyanov’s case is apparently related to an FSB officer also arrested at the time.

Krivosheina said: 

“This case does not concern the company’s activity, we don’t have details. Ruslan Stoyanov led the department to investigate cybercrimes, but that doesn’t mean that he was a member of top management. He has worked in the company since 2013.”

Before that, Stoyanov worked in Department K, the Interior Ministry or police department that investigates cybercrimes.

She said that the case under which Stoyanov was arrested was unrelated to the activity of the Kaspersky Laboratory.
“It is related to the period of time when Ruslan Stoyanov was not an employee of the company.”

She said they had no other information.

Kaspersky, which has always maintained high cooperation with the Russian government and intelligence, is not going to risk that relationship — required for them to go on doing business at home and abroad — over one employee. 

If the case really is about something before 2013, it would not be related to the hacking of the US Democratic National Committee or the Trump dossier or anything of the sort, which came later; there is no evidence of such a connection. 

But we don’t know that the current investigation about money paid through an intermediary takes place in the time period of 2013, or whether it involves relationships Stoyanov had in the Interior Ministry’s Department K before he came to work for Kaspersky. 

Yugopolis noted that Kaspersky Laboratory’s department to investigate computer incidents had cooperated with the FSB and Interior Ministry since 2013 in analyzing cyber crimes. But the relationship of the Lab’s founder, Eugene Kaspersky, with those agencies is said to go back much earlier than that.

— Catherine A. Fitzpatrick

Top Manager of Kaspersky Laboratory and FSB Officer Arrested in ‘Treason Case,’ Kommersant Reports
A top manager of the Kaspersky Laboratory and an officer of the Federal Security Service’s (FSB) Center for Information Security have been arrested and charged with treason, Mariya Komoychenko, a writer for Kommersant, a business daily, reported today, January 25.
Ruslan Stoyanov, a top manager of the Kaspersky Laboratory, which sells anti-virus software and other cybersecurity products at home and abroad, headed Kaspersky’s department to investigate cybercrimes and worked closely with Russian law enforcement. According to Kommersant’s source, Stoyanov’s arrest may be linked to an investigation regarding a deputy of the FSB’s Center for Information Security. 
Kaspersky Lab told Kommersant that the case isn’t related to their company’s business, but experts note that the arrest could still affect relations between Internet business and the FSB.
Stoyanov, whose job is to investigate computer incidents and who has been involved in some very high-profile computer crime cases, has been at the FSB’s Lefortovo Detention Center since December 2016, a source close to the FSB told Kommersant. Kaspersky Lab confirmed the arrest, and confirmed that the FSB’s investigation involves “a private person” and not the company.
But at the same time, Sergei Mikhailov, head of a division at the Center for Information Security, was arrested, a source confirmed for Kommersant. The public liaison office of the FSB did not reply to inquiries from Kommersant about this arrest. Mikhailov’s cell phone number has not been answering. An acquaintance of Mikhailov’s says his phone has not been picked up since December of last year. From social media accounts and online messaging systems, it can be seen that Stoyanov last logged on to his account on December 4, and Mikhailov on December 5, says Kommersant.

According to unofficial reports Kommersant has received about problems at the Center for Information Security (TsIB), Andrei Gerasimov, another division chief, could be leaving his job. Gerasimov, a protege of FSB Lt. Gen. Boris Moroshnikov, is also on the advisory board of the League for Internet Safety founded by Konstantin Malofeyev, a conservative businessman who has funded nationalist and Russian Orthodox causes as well as the Russia-backed separatists in Crimea and eastern Ukraine.

Sources told Kommersant that Gerasimov’s resignation may be connected to an investigation by the FSB’s Department of Internal Security regarding one of Gerasimov’s deputies. According to sources, among the issues being examined are the Center’s relationships with private companies which cooperated with the Center’s divisions to conduct forensic studies of cyber crimes.

The investigation is said to have been opened on suspicion of Art. 275 of the Russian Criminal Code, which is “state treason,” managers and co-owners of three IT companies said, which was confirmed by a source close to the FSB, a federal official, and also the head of a telecommunications company.
Two of the sources specified that the investigation is checking information about money supposedly received by a Center officer from a foreign organization through a middleman who was an employee of a Russian information security company.
Kommersant says there is a risk that the situation at the TsIB will reflect on the cybersecurity and electronic commerce markets in Russia, whose players may have to arrange their relations with the government anew. Two sources who know Mikhailov claim that he is one of the key officers of the TsIB who “essentially manages all the Internet business in the country.”
“This person, in my view, largely informally, defines the policy of the entire sector of cyber security and Internet commerce,” says Pavel Vrublyovsky, founder of Chronopay, a long-time acquaintance of Mikhailov’s. The impact of these arrests and the investigation on the market can only be determined after official statements from the FSB.
Mikhailov was also involved in civic groups related to information security, including the Russian Association of Electronic Communications (RAEC), sometimes critical of government Internet policy. Irina Levova, coordinator of the information security cluster and director for strategic projects of the Institute for Internet Research, said that at the group’s last meeting on December 12, Mikhailov, who always attended, was missing. She called him a “very competent” specialist who “helps achieve mutual understanding between the Internet companies and intelligence agencies.”

Eugene Kaspersky, founder of the world-renowned company, has been described by Western media as having close relations with Russian intelligence. Kaspersky Lab was the first to publicly identify the Stuxnet virus launched by the US against Iran. Kommersant says that Kaspersky has worked closely since 2013 with the FSB and Interior Ministry on analysis of cyber crimes and has provided expert witness in cyber crime cases. Many Russia-watchers would say his cooperation began long before 2013 because he was educated at a KGB-sponsored cryptography school and then worked for Russian military intelligence (the GRU). Bloomberg has reported that Kaspersky scrutinizes Russia’s bugs less than other countries, a claim Kaspersky himself has strenuously denied.

Before 2006, Stoyanov worked in the Moscow Interior Ministry’s Department K, which stands for “cyber crime,” in the division of “special technical activities”. Other employees of his department at Kaspersky are also from Department K, as well as the Investigative Committee.

Andrei Soldatov, a cybersecurity specialist and editor of commented for Kommersant:

“Ruslan Stoyanov is known as a man who is able to organize informal contacts. I think that after this incident, the Kaspersky Laboratory will think about the need to distance itself from the law-enforcement agencies and build more formal relations with the FSB.”
Soldatov believes the FSB will be forced to cooperate with Kaspersky anyway because they have the “best expertise” on cybercrimes.
Of course, this case could involve strictly internal issues and nothing more than business turf wars with lucrative foreign contracts and/or Russian government contracts. There has been a lot of spy mania in Russia lately not only with the “foreign agents” law which has been used to harass NGOs that receive foreign grants; there have been a number of trials of Russians for espionage or treason. These aren’t at the levels of the Soviet era but they’ve definitely increased.

When we see both a Kaspersky employee and an FSB officer arrested right at the same time, and the mention of “Department K” in the Interior Ministry, we have to wonder if these arrests have anything remotely to do with the hack of US political institutions or the Trump dossier.

Of course, the two men were arrested in December, and the dossier with all its details was released in January, although the contents of the dossier were known long before that to both journalists and intelligence agents. 

Would a man like Stoyanov, who is said to “essentially manage all the Internet business in the country,” have a good idea which government offices, or private companies, or skilled hackers, might be involved in the complex operation of the hack of the DNC and other American targets?

Such an operation would be kept very closely secret, but if any element of it failed, or became controversial, and then people disagreed and some were removed, that’s when talk could start.

That’s among the central premises of the Trump dossier: that Sergei Ivanov, President Vladimir Putin’s close associate, former KGB officer and former chief of staff, disagreed with the heavy-handed nature of the hacking and influence operation, and was concerned about blowback — so the story goes. And others prevailed with Putin to keep the operation going, so Ivanov was fired or “his resignation accepted.” (The one problem with that theory is that despite leaving his high-power job as chief of staff, Ivanov stayed on the Security Council. He also appears to have been still needed, and was also clearly dispatched to the Financial Times to give an interview about how the Kremlin really was not so close to Trump or so enthusiastic — distancing themselves from their man two weeks before the election.)

The Trump dossier claims Russian computer programmers are coerced into working for the state’s goals through blackmail, and there is some evidence of this through testimony of emigres. The dossier also mentions one successful FSB operation, where a Russian IT operator in a state enterprise was able to target a foreign director of the company, and through him reach others. The FSB is portrayed in the dossier as having gathered kompromat [compromising materials] on both Trump and Hillary Clinton, although other high offices in the presidential administration, the parliament, the Interior Ministry [the police] are also referenced. 

Another aspect to the Trump dossier and its possible fall-out West and East is suggested in an interesting article by Yevgeny Krutikov, an admitted former spy himself, in the pro-Kremlin Vzglyad, featured in Johnson’s List by a blogger, Awful Avalanche.
This is an angle that has not been covered in the West, where media and officials have been preoccupied with whether or not the claims in the dossier are true, and the nature of the relations the dossier’s author, who was revealed to be the ex-spy Christopher Steele, had with the FBI. The media has been busy trying to check the allegations in the dossier, and some have pointed out that the story is more about the use of the dossier made by a group of American intelligence agencies investigating Trump’s associates and their connections to Russia.
But this Russian ex-spy — although no spy is ever a former spy as Vladimir Putin himself will tell you — is indignant about an issue that stands out for Russians. If the list of top figures mentioned in the dossier who are in the Russian government, oil and gas business and other sectors is true, then that means foreign espionage has been easily able to penetrate to the very top of Russian political and business leadership. It’s an insult then to Russian counter-intelligence which should have prevented or exposed such a thing — and also grounds for severe punishment in Russia. (And for all we know, what is happening now with the release of the dossier and its discreditation is Russian damage control.)

Krutikov lists all the supposed sources of the dossier and finds it improbable that any spy or spies in the West acting unofficially could have obtained that high and wide an access. That is indeed a point to marvel about in this dossier.

But since some of the aspects of the report fell apart upon close examination, or the people in the report vigorously denied their involvement and seemed to have alibis, Krutikov’s article is rather about how the Western intelligence agencies discredited themselves by buying this “fake.” His headline promises an article of remorse or anger about “discreditation” of the valiant Russian organs, but it’s really about discrediting Western spies.

Steele is a “decoy duck”, says Krutikov, and whether this was planned, leaked to the press, or invented by editors who had read too many spy stories wasn’t important. Says Krutikov:

“Such a figure [as Steele] does not look very convincing and is hardly dangerous. But on the whole, there is no certainty that such a personage exists at all, at least in those existential categories that are ascribed to him. Moreover, it is hard to imagine, that this is one person, and not an abstract compilation of knowledge.”

To obtain access simultaneously to “five sources in the Russian government and the presidential administration” (the top sources mentioned in the Trump dossier), you would have to be at a minimum a deputy director for operational work in a Western spy shop, reasons Krutikov. And it would be nonsense to be retired in this case, as if you had left the service, you would no longer have access to the “most secret” material in MI6 or “top secret” in the CIA. Even if you could still maintain contact with an old agent, you wouldn’t have access to his file any more; this is basic intelligence folk wisdom.

So looking at the dossier, reasons Krutikov, we would have to imagine that all five sources were still accessible by the report’s compilers, even from the days of the USSR. “But that isn’t possible by dint of the fact that the Russian elite has changed since then at a minimum three times, practically from the foundation up.” 

Krutikov analyzes the five sources and comments on source B, who was said to have kompromat on Hillary Clinton. This source is said to have contacted a certain “Department K,” which as we know exists in the Interior Ministry. As Andrei Soldatov pointed out, the dossier mentions “Department K of the FSB,” but that’s a mix-up.

“Department K in the FSB is involved in ‘supervising’ the banking and financing system,” notes Soldatov, and its officers were recently involved in a scandal “that ended with an Interior Ministry official jumping out of a window during interrogation.”
It’s the Department K in the Interior Ministry, not the FSB, that does the cyber investigations, he explains.
So isn’t the connection between the individuals related to Department K in the Trump dossier (even identified incorrectly), and the Department K where Stoyanov and others at Kaspersky once worked rather tenuous? Of course it is.
But Krutikov’s musings, which include a frank assessment of Western intelligence agencies’ work “at the worst level it has been in a quarter of a century” and a knock on Western spies as amateurish, still contained a concern lurking underneath that the dossier — if true — could mean only one thing: somebody inside Russian intelligence was turned, and helping an effort to expose Trump — and Putin’s operation to promote him.

Again, if true, the high-level nature of the sources and the alleged nature of the information — involving the very candidates of the US election, one of whom became president — mean that Russian defense was penetrated. Maybe it wasn’t, but if it were, we would expect to see heads roll.

We’d also expect to see lesser figures hung out to dry, in keeping with every scandal in Russia. There have been arrests of some Russian hackers in the West, and we don’t know if they are related to the DNC hack or not. And the arrests announced today may not be the droids we are looking for. But if true, there will be arrests in Russia — for treason — and we need to be on the look-out for them.

Even if the dossier is fake, unless Russian intelligence is fully behind it themselves, they can’t be sure that in fact Steele’s fact-finders really did have some Russian sources and they need to worry that their people have been turned. Then Russian counter-intelligence would believe they were penetrated even if they weren’t — a whole other aspect of the dossier which would indicate its fabrication was done in the West.

Updated to add identifying information for Malofeyev, Kaspersky and Russian Association of Electronic Communications.

— Catherine A. Fitzpatrick