LIVE UPDATES: Novaya Gazeta has learned of a third arrest in the hackers’ treason case in which a Kaspersky Laboratory employee and an FSB agent have already been arrested. He is Maj. Dmitry Dokuchayev, a senior operative at the 2nd department of the operations division at the Center for Information Security.
The previous issue is here.
Recent Analysis and Translations:
Live Updates: New Allegations Emerge That Russia Is Blackmailing Donald Trump
How Many Russians Are Fighting for ISIS? A Brief History of The Kremlinâs Arbitrary Numbers
State TV Video Shows Russian Special Forces Fighting on the Ground in Syria, Supposedly Killing ISIS
An In-Depth Examination Of Donald Trumpâs Ties To Russia And Vladimir Putin
As we have reported, Ruslan Stoyanov an employee of the Russian private company Kaspersky Laboratory, which makes anti-virus and other security software and performs forensic studies of hacks, was arrested for treason as has been confirmed in a terse press release from Kaspersky. Kaspersky says the arrest is unrelated to their business and involves the investigation of a case that predated Stoyanov’s employment. Before he came to Kaspersky, Stoyanov worked for Department K at the Interior Ministry, the police division responsible for investigating hacks.
A second arrest was of Sergei Mikhailov, an officer of the Federal Security Service’s Center for Information Security (TsIB) whose mandate isn’t just preventing the hacking of government and business but hacking those it needs to hack in the interests of government and big business.
In Soviet Russia, the hacking investigators hack you. All of the people involved in investigating and preventing hacks can just as readily turn to being the hackers who others then try to investigate.
Some or all of these people may or may not be involved in Shaltai-Boltai, which is a hacking group that may or may not have some authenticity to it, i.e. motivated not by pay or government instructions, which has selectively hacked some government officials but not others, i.e. Prime Minister Dmitry Medvedev, responsible for what remains of the Russian economy, and Kremlin aide Vladislav Surkov, responsible for the separatists in the Donbass, among other jobs in Russia’s “near abroad.”
A source familiar with this situation told RosBalt that Anikeyev was detained by FSB officers in late October 2016 when he arrived at the airport in St. Petersburg from Ukraine.
The operation was the result of long work. A complex operative trap was sprung with the aim to lure Lewis from Ukraine, from which he had not intended to return.
The FSB brought Anikeyev for booking to Moscow, where he was charged with Art. 272 (unauthorized access of computer information).
At first, the FSB counter-intelligence people were interested in the leak of Surkov’s email — by that time it was known it was in the hands of Shaltai-Boltai. Since this was a question of electronic mail with the “gov” domain, the FSO [Federal Protection Service, which guards top leaders and the Kremlin grounds] became very alarmed. This email leak was published on a Ukrainian site by a ban of hackers who called themselves “the CyberJunta.”
We could note that already-existing Ukrainian hackers who worked on exposing Russia’s war in Ukraine hadn’t heard of these hackers, and also suspected that they may be a front for some kind of active measure by Russian intelligence.
“Anikeyev immediately began cooperation with the investigation and provided extensive testimony, in which the name of Mikhailov was repeatedly mentioned as a person connected with the Shaltai-Boltai team.”
In December 2016, Mikhailov and Dokuchayev, said to be his “right-hand man,” and also a TsIB officer, were arrested; a judge issued an order for their arrest.
“In early 2016, in Mikhailov’s division at the TsIB, there was an order to ‘work with’ Shaltai-Boltai, which had published the government officials’ emails. Dokuchayev was the intermediary chosen for this ‘work’. The TsiB managed to figure out who were the members of Shaltai-Boltai — they all took names from the story of Alice in Wonderland — Lewis [Lewis Carrol, the author of that story]; Alice, the March Hare, etc. Lewis was the one who organized the web site and the team. There were searches last summer, although formally, other reasons besides the hacker’s case were found for them.”
So after the last summer attack, Shaltai-Boltai found itself with a new boss, or, a “curator,” as the Russian intelligence term has it. The source believes that boss of a now-turned hacking group was Mikhailov. So the targets of Lewis’ team changed, as well as the methods of their work. Previously, Lewis’ people picked out their targets in places where mobile phones were used. They used fake cells (if it was a question of the mobile Internet) or used a spoofed Wi-Fi (if a person was connected to a wi-fi). The downloaded content them would be sent to a member of Lewis’ team who lived in Estonia. He would comb through it and pick out what needed to be put on the open Internet and what could be sold for Bitcoins. Several people who lived in Thailand were part of the financial side of Shaltai-Boltai.
“Mikhailov is a magnificent specialist. The best in his field. You can say that the TsIB is all Mikhailov. But he overplayed his hand.”
What that means is that he went too far when he took over a group that before that, had merely made fun of Medvedev by hacking his Twitter to make him look ridiculous, or made a buck by hacking some officials with interesting financial information, now they were stepping on bigger toes by showing that Surkov really ran the separatist leaders, as those in the field already suspected three years ago.
There is a theory that Surkov falls in and out of favor and that at the time of this hack he was back in favor running Ukraine and this was a big setback fro him.
Rosbalt has one source on this, and Novaya Gazeta and Tsargard each have one source, so there is not a lot to go on here.
There is no indictment; no mothers or wives sounding the alarm; no human rights groups; no lawyers; no co-workers, even, leaking the information with concern to the press. This is unusual even for Russia, where even highly-sensitive political cases do get covered at least in some fashion.
While it can’t be ruled out, given what we know, it’s a stretch to make the leap to a mission profile for this turned FSB-run hacker group to involve either hacking for Putin to help Trump, or leaking to the Americans the fact that other hackers had hacked for Putin.
Maybe for money or because they are good civic internationalists, they wanted to make sure the world knew about the hack of the DNC or other hacks, such as the election systems of Arizona and Illinois that they felt “went too far”. But since these are the same people who five minutes before that were hacking for their directors at the FSB, we can’t be sure of their agenda in any event. The hack of Surkov doesn’t tell us anything we didn’t know, it misleadingly implies only he runs the Ukraine account which is false (when military intelligence and many other offices have leadership roles) and it also creates a false impression that there are valiant opposition hackers in Russia who behave like valiant opposition hackers in other countries. These are hackers who were recruited to work for the FSB; they were either happily recruited or reluctantly pressured into cooperation with the FSB through blackmail. They aren’t freedom fighters.
— Catherine A. Fitzpatrick
The following is a translation from the Russian of the article “Is Major Forb the Head of Shaltai Boltai” by Irek Murtazin published January 27 in Novaya Gazeta, an independent online news site. Shaltai-Boltai is a character in Russian folklore similar to “Humpty Dumpty,” and is the name of a hackers’ group that has gained notoriety for hacking the accounts of a number of prominent Russian officials, notably Prime Minister Dmitry Medvedev’s Twitter, where they put out expressions of regret about annexing the Crimea.
The Internal Security Service of the Federal Security Service is confident that the FSB officer Dokuchayev detained on suspicion of state treason is connected to a hacker’s group that attacked political figures in Russia.
We have learned of the name of another figure in the criminal case about state treason at the FSB. He is a senior operative at the 2nd department of the operations division at the Center for Information Security (TsIB), Major Dmitry Dokuchayev of the Russian FSB. He, just like the officer of the same division, Sergei Mikhailov, and Ruslan Stoyanov, an employee of the Kaspersky Laboratory, was arrested back in December of last year.
I first heard of Dokuchayev in 2012, when I conducted research concerning the criminal case of the founder and general director of the payments processing company Chronopay, Pavel Vrublyovsky.
At that time I learned that Dokuchayev back in 2005, at that time with the rank of senior lieutenant of the FSB, ran the column Hack in the Russian-language magazine Hacker. To be sure, he hid behind the nick-name “Forb”.
I was able to find out that Dokuchayev/Forb was a native of Ekaterinburg, where in 2005 he had graduated from a technical school, and had professionally worked in programming, administering web sites.
In IT circles, he gained fame after hacking several serious sites, including American ones. It was that time that he came to the attention of the FSB TsIB, which invited him to work for them.
In September 2016, the FBI accused the owner of the company King Servers, a Russian citizen named Vladimir Fomenko of a cyberattack on the electoral systems in the American states of Arizona and Illinois, which was allegedly conducted with 8 servers, 6 of which belonged to the company King Servers.
It was in fact at that time, according to our information, when the FSB’s Department of Internal Security began a probe regarding this leak of information, that Mikhailov and Dokuchayev were put under surveillance. They did not manage to confirm that involvement of Russians in the attack on servers in the US, but the FSB agents from the Department of Internal Security managed to get up close to the Shaltai-Boltai group of hackers, who were infamous for hacking the personal emails of Dmitry Medvedev, vice-premier Arkady Dvorkovich, bureaucrats at the presidential administration, the Department of Defense and Roskomnadzor [the agency for supervising the media which serves as a censor–The Interpeter].
The FSB suspected that Mikhailov was curating [the term the KGB and its successors use to describe agent handling] Shaltai-Baltai — and Dokuchayev was the direct perpetrator of the hacks and leaks.
In 2005, in the 77th issue of the magazine Hacker, Dokuchayev/Forb taught people who to become a hacker:
“It’s no secret that some 20 years ago, hackers were considered not evil-doers, breaking servers on commission, but talented programmers who had a keen understanding of their craft. In my understanding, the word ‘hacker’ is a multi-faceted developed person who knows the theory of network mistakes and successfully applies his knowledge in practice. Aside from this, the hacker must possess programming skills, know at a minimum two operational systems and of course, have major connections and influence with other hackers.”
It looks like Dmitry Dokuchayev followed his own instructions completely.
But he didn’t master his own advice on security.
Novaya Gazeta then ran a copy of the article in Hacker magazine, “How to Become a Hacker,” in which he provides sites to visit and books to read on how to hack.
At the end of his piece, he has 10 items of advice for the novice hacker:
1. Never talk to strangers about hacker issues. That may end badly.
2. Use only a convenient and tested software for various network operations.
3. Visit security forums. Don’t be shy about asking questions there and solving others’ problems.
4. Have five or six email accounts on foreign hosts. These will come in handy for anonymous correspondence.
5. Have in your arsenal two or three remote shell accounts. I have repeatedly described the use of shell-access.
6. If people have knocked on your door with a problem — this is a symbol that you have achieved respect. Definitely help the person solve their problem.
7. Do not spent 24 hours a day on the computer. Remember, aside from the Internet, there must be healthy sleep, personal life, and visiting classes in school.
8. Every month, buy Hacker and SpetsHacker [Special Hacker]. Also read all the issues since 1999. Many questions after that will fall away on their own.
9. Never take on a complicated and risky hack if you have not yet matured for this. No one ever looks pretty with a suspended sentence.
10. Don’t squat on somebody else’s Internet access. This is nothing but ordinary theft.
SAFETY IS MOST VALUABLE
If despite all these warnings, you’re out on a shaky hacker’s limb, definitely take concern for your own security. Even if you do nothing bad, you must have established the habit of defending yourself on the Net. Definitely use socks or proxy-servers which can be found on the Internet. Aside from that, be careful and become a paranoid : ) This will not hurt. Talk about hacker topics only with PGP or in SSL-IRC, fortunately there are such networks. Never expose your address, city or even name — this may be turned against you at any moment. And shiver from telephone calls, knocks on the door and sudden turn-offs of the light — that means they’ve come for you : ).
— Catherine A. Fitzpatrick
Shaltai-Baltai are the hackers who were said to crack Medvedev’s Twitter, and put up funny sayings from him that were in his style, but not characteristic, such as regrets about seizing Crimea.
But the results of Shaltai-Baltai’s work, which included highly-publicized email leaks that revealed, for example, that the youth official in the Kremlin told the press what to say, attracted a lot of media attention. People began to wonder why they never seemed to really challenge the system. But there was also the realization that they couldn’t be just kids; or the usual kompromat business black-mailers but something much higher level.
As often happens with stories of this sensational type, where there are no official statements at all, and no fully-reliable source of news because journalists have to rely on law-enforcement leaks, there are a number of different versions of the story floating around in state media, pro-government private media, semi-independent media, and actually-independent media.
But it’s important to remember:
– All we have are two pro-government newspaper accounts based on FSB sources;
– There is no charging sheet or indictment or arraignment in court;
– No relatives have spoken;
– No lawyers have appeared, even to ask the right questions;
– Not a single co-worker, starting with Eugene Kaspersky, has made any statement of substance about why they were arrested.
So there is really very little to go on.
Hush-up of December Arrests
Perhaps most telling is that while Ruslan Stoyanov, the number two or number three department head of Kaspersky Laboratory (even if the PR person denies now he was a “top manager”) was arrested back in December — a man who was well known in the cybersecurity community and spoke at conferences — the news of his arrest did not surface for weeks until now.
Eugene Kaspersky, founder and head of Kaspersky Laboratory had nothing to say on his Twitter feed about the arrest of his colleague and reports of Stoyanov’s arrest did not surface in the independent media, which would seem likely given the intersection between computer professionals, hackers, the media, and opposition.
It’s not uncommon for people to disappear into the Russian prison system — a highly-publicized political prisoner named Ildar Dadin couldn’t be found for over a month recently after he smuggled out an account of his torture. The prison monitors from the remnants of the human rights movement who are occasionally allowed into Lefortovo sometimes report with alarm their discovery of people who had been missing for months — and their completed “treason” investigations of these type which are impossible to stop.
The only thing that can be said about the FSB’s prison, inherited from the KGB, is that the gruel is a little more nutritious and the bedding perhaps a bit warmer, as perhaps the FSB has to get more refined types of information out of its suspects that other types of police who can use cruder methods and worse conditions.
Komsomolskaya Pravda: Hackers for Hire to Damage Business Rival
Komsomolskaya Pravda, a pro-government newspaper and web site, has told the story of Mikhailov, who suspected of “receiving money from a foreign company through an intermediary of a certain Russian information security company.” It repeats Kaspersky’s press release but with one telling mistake (or contradiction): Ruslan Stoyanov was said to come to Kaspersky in 2011 (not 2013) and with “epaulets,” a reference to his job in the police in the department combating cyber fraud.
What is that foreign company? Is it King Servers, mentioned in the hacking of the electoral computers in Arizona and Illinois? What is that “intermediary of a certain Russian information security company”? Is it Kaspersky? King Servers is not a cyber security company, they only rent servers. Is anything named in the Trump dossier related to people and incidents in this case? There aren’t enough clues to go on.
We have now entered the era where kompromat, which is effective but can take time to gather and disseminate, and assassinations — which can be difficult and risky to perform — are displaced by a cruder means of knocking out a rival — crashing their servers.
Pavel Vrublyovsky, Entrepreneuer, Ex-Con and Collaborator
“Nothing is True and Everything is Possible”
So this version of the story in KP, a pro-government newspaper that enthusiastically takes the side of Russian fighters in Ukraine and Syria — with some of the most popular war reporters in Russia — may be true, or may be intended to distract us from any American angle in the story.
This version also highlights the fact that without any relationship to Kaspersky per se, for their own reasons, not self-evident, these particular FSB agents could have had a vendetta against either Chronopay or Vrublyovsky — or even Assist, to take it at face value. Or they may have hoped to show that the FSB is not at all in the business of helping anybody savage their business rivals, although they appear to be.
As the title of Peter Pomerantz’s book goes, “Nothing is True and Anything is Possible“.
Tsargrad TV: Hacker Hustled Away From a FSB Board Meeting With a Bag Over His Head
Novaya Gazeta referenced Tsargard in its first piece on the hackers’ arrest, but didn’t get into Tsargrad’s version of the story; the most sensational element of Novaya‘s story — that FSB security arrested Mikhailov during the FSB’s own board meeting by putting a “light-proof” black bag over his head — comes from Tsargrad. Is it true? Well, Tsargrad itself says it was a victim of one of the hackers — Mikhailov — so this has to be kept in mind. And Tsargrad is getting this story from some FSB agent close to them who may just want to tell the story this way to scare people off from it.
German Gref of Sberbank and Big Data
“Big data” in this headline is written in English. Many Internet terms, especially for the latest phenomenon, tend to be in transliterated English, as their Russia equivalents in Cyrillic letters, in a sentence tend not to be able to fit into the 140 character space of a tweet. But long before the Internet, vycheslitel’naya mashina — computer — for example, was shortened to kompyuter or komp.
FSB Head of Hacking Pushed Into Retirement
That’s why some US press has hastened to say these hacker arrests could be about the DNC hack or the allegations of the Trump dossier, as they believe the people indicated in those stories must have come from this agency and are now going to be punished or sacrificed by President Vladimir Putin who either wants an object lesson about those who hack and leak without strict government supervision or a limited hang-out to do damage control, or a disinformation campaign to hide the fact that the Kremlin is really behind all the hacks in the US.
It’s important to keep in mind that these arrests may have nothing to do with any events in the US, although we can’t trust the pro-government papers telling us this.
Tsargrad says they learned that Gerasimov’s retirement was all but a fait accompli and had been hastened along by the internal investigation the FSB conducted about how information on its strong-arm DDoS practices was leaking out. That’s how Sergei Mikhailov, Gerasimov’s deputy at TsIB and the head of the 2nd operations department, came to be dismissed — “the real hero of this story,” says Tsargrad.
A Black Bag Over the Head
It’s interesting that in six weeks in Moscow — a town with a lot of leaks, a lot of stories, and many things getting out one way or another — THIS story just never surfaced anywhere until now. That’s how black the sack was.
Tsargrad’s “source in law-enforcement” (likely the FSB) told them that Mikhailov’s arrest was quite dramatic — agents (who themselves were likely masked, we could add) put a bag over Mikhailov’s head right during a board meeting of the FSB.
Tsargrad says that according to its sources, Mikhailov was involved in the group of hackers known as Shaltai-Baltai — “he could be their direct curator and protector.”
We would point out here that the work of Shaltai-Baltai always had that KGB feel — the leaks never seemed to challenge Putin himself or anyone close to him, but only targeted lower figures who either seemed to need to be “kept in line” by Putin (Medvedev) or for various reasons needed to be discredited (a youth official associated with the Kremlin controlled youth movements, some of which turned violent.)
FSB-Created Hackers On Mission
Shaltai-Baltai also became the answer to the question people often had about WikiLeaks: why are there never any Russian leaks? Why does nobody ever hack Russia? As with the perestroika years, given the “inertia of fear” as it has been called by some Soviet authors, where people are too paralyzed to move even when allowed, sometimes the KGB and later FSB have to do things in society themselves.
Translation: Throughout the world, politicians begin writing nonsense when their accounts are hacked, but only in Russia do they speak the truth for which everyone was long waiting.
Tsargrad itself has reason to hate them:
“In the spring of 2014, at the height of the Russian Spring [the term used to describe the resurgence of Russian nationalism around the annexation of Crimea and invasion of the Donbass–The Interpreter], Shaltai-Boltai broke into the email box of Aleksandr Dugin, the editor-in-chief of Tsargrad. They didn’t find anything compromising, of course, and that meant they failed to blackmail him or sell his correspondence to any interested persons. It was just dumped online.
“I had been preparing a data base of the major Russian media so that those people who speak out against American hegemony in favor of the multi-polar world, critics of the Atlanticist imperialism both from the left and the right, become more actively involved in the information policy of Russia.”
So it seemed that Shaltai-Boltai, aside from the usual motivation of cybercriminals to make money had something of value — this list of “Putin’s friends” and “Russian agents of influence.”
Dugin’s ‘Friends of Putin’
Dugin is often mistakenly described in the Western media as an “advisor to Putin” or having influence on the Kremlin which has never really been the case. Putin and other top leaders have found it useful to allow Dugin and other such colourful figures such as Vladimir Zhirinovsky to flit around on talk shows and get themselves in the news for outrageous outbursts — so Putin can look rational by contrast.
Dugin has spoken on the same platform of the annual conservative “Moscow the Third Rome” meeting where Sergei Ivanov, Putin’s chief of staff at the time, also spoke, but he isn’t some kind of regular Kremlin visitor in any respect or given any space in influential state publications. His brand of ultranationalist “Eurasianism” in part overlaps with Putin’s own, but Putin’s guru is Ivan Ilyin.
Nowadays, Dugin and others of his persuasion like Col. Igor Strelkov, who led the separatist forces in eastern Ukraine, are very frustrated with Putin, whom they see as having betrayed the “Novorossiya” cause of restoring the greater Russian Empire. They fear he is under the influence not just of “fifth columnists,” those traditional foreign-tainted enemies within, but “sixth columnists” who are people who seem like “one of us” but engage in defeatist talk about the war in Ukraine.
Putin is chairman of the board of Moscow State University, which decided to fire Dugin from his position in the university’s philosophy department in 2015. Some hoped this was because Dugin incited the killing of Ukrainians on his social media pages — something that in fact Russian state media had more reach and effect doing at the same time. But the efforts that went into hacking his email means that there may have been hopes to remove him for other reasons.
Dugin made a data base of “friends of Putin” and “agents of influence of Russia” which was of interest because it was based on his ideology — other people might have different “friends of Putin” or different “agents of influence of Russia”.
“Sberbank has at its disposal one of the largest information security services in Russia. It was proposed not just to strengthen security, but to make a new Internet special service, like the US NSA, which keeps all Americans under a bell jar [i.e. under surveillance– The Interpreter].”
Put together the information from the savings accounts of millions of Russian citizens in Sberbank (the name means “Savings Bank” and is likely the most popular) along with the information about those same people on social networks, and you’ll have one of the largest mass data bases on Russian citizens:
“The chairman of the board of the largest bank in Russia, German Gref, could not help but be briefed on such a plan,” says Tsargrad. If Mikhailov had not been arrested, he would have been directly under Gref’s supervision in making use of this vast data bank. Gref is “a man who has entree to Western globalist circles and also has stubbornly refused to open an office in Russian-occupied Crimea,”
This was from Dugin’s perspective was wrong — and here he and Putin’s views would be aligned.
Big Data to Win the 2018 Presidential Elections
Thus experts believe that Donald Trump was able to win the elections thanks to the company Cambridge Analytics which applies Big Data in political campaigns and PR campaigns or black PR [negative advertising] against concrete candidates. Cambridge Analytics has studied the possibilities of influence the electorate for many years through “targeted” advertising, taking into account not only an abstract social group but all the data which are shown about a user of say, Facebook. Existing technologies enable you to target a specific audience, combining not only factors of sex, age, education and other basic information but also their combination and other more trivial preferences — for example, musical or culinary tastes, hobbies, past-times, etc. In a word, everything that you tell about yourself in social networks.
“The purses in the ranks of the FSB illustrate the high level of work and worthiness of our special services which has begun seriously to take up this topic, despite the fact that high-ranking figures in their own agency were involved.”
King Servers and Siberian Vladimir Fomenko
The Russian press around these hacker arrests have mentioned King Servers — which the New York Times have covered back on September 27, 2017.
“We have the information, but nobody contacted us,” said Vladimir M. Fomenko, a tattooed 26-year-old who snowboards in his free time and runs a business out of a rented apartment.“It’s like nobody wants to sort this out,” he added with a sly grin.Mr. Fomenko was recently identified by an American cybersecurity company, ThreatConnect, as the manager of an “information nexus” that was used by hackers suspected of working for Russian state security in cyberattacks on democratic processes in several countries, including Germany, Turkey and Ukraine, as well as the United States.
One cybersecurity specialist recognized this cocky behavior pattern, which we could note we have seen in hackers, Kremlin trolls, and some officials:
“The equivocation of responses by Mr. Putin and Mr. Fomenko is studied and deliberate, Kenneth Geers, a senior research scientist at Comodo, a cybersecurity firm, and a former cybersecurity officer with NATO, said in a telephone interview.“You are not saying yes, you are not saying no, so it’s frustrating for the victim, and it’s intimidating,” he said. “You are suggesting there is more to come.”The tattoo, though, “is something of a giveaway.”