News reports from Russia and a statement from AV company Kaspersky confirmed that two of Russia's leading cyber security experts were arrested on charges of treason. Along with Kaspersky manager Ruslan Stoyanov, the reports also named Sergei Mikhailov, a senior FSB (Federal Security Service) officer. While Kaspersky had clearly said that the investigation "dates back to the time before Stoyanov was hired by Kaspersky," fresh reports suggest otherwise.
Arrests in Russia could be connected to US election hacks
Kaspersky told the media yesterday that the company has no details of the charges that Stoyanov faces and that the investigation predates Stoyanov's time with the popular antivirus company.
While many of us had speculated whether the charges were in any way related to the recent US-Russia cyber cold war saga, Kaspersky's statement put a lid on all such speculation, since Stoyanov was hired by Kaspersky in 2012. A visit to his LinkedIn profile also revealed that he worked for a major cybercrime unit of Russia's Ministry of Interior from 2000 to 2006, which led many to believe that the latest investigation probably stems from that period.
The Moscow Times reported earlier today that the top cybersecurity specialist in the FSB was reportedly arrested "on suspicion of leaking information to the U.S. intelligence community". TMT has cited an independent newspaper Novaya Gazeta (New Gazette), which links the latest arrests to US election hacks for which the country had accused Russia (emphasis is ours).
According to the independent newspaper Novaya Gazeta, the FSB believes Sergei Mikhailov tipped off U.S. officials to information about Vladimir Fomenko and his server rental company "King Servers," [...] used by hackers suspected of working for Russian state security in cyberattacks.
King Servers was identified in September by ThreatConnect as the operator of an “information nexus” used by hackers that attacked several organizations, including election systems in Arizona and Illinois. [ThreatConnect's report can be accessed here]
Fomenko, who is referenced in the excerpt above, had talked to the NYT ahead of the election, confirming that US election hackers had used his servers. However, he said they were not Russian security agencies.
Mr. Fomenko does not deny that hackers used his servers, but does deny knowing that they did until Sept. 15. He says he does not know who they are, but that they are certainly not the Russian security agencies.
“The analysis of the internal data allows King Services to confidently refute any conclusions about the involvement of the Russian special services in this attack."
The NYT added that "striking a sarcastic tone, he said he would send a bill to Mr. Trump and Mr. Putin for server rent left unpaid by the hackers".
Does U.S. have spies right in the heart of the FSB?
Regardless of Fomenko's connection with Russian security agencies or election hackers, the accusation of Mikhailov tipping US officials is huge, which, if true, would mean that the US had employed spies right in the Kremlin's cybersecurity center.
In a separate report, it was also suggested that Mikhailov could be a member of the hacker collective "Anonymous International," known in Russia as "Shaltai Boltai." Anonymous International has on various occasions leaked private emails and other data to embarrass Russian public figures, but none of these leaks has ever resulted in an arrest, since the content of the revelations is more "embarrassing than criminal," the Moscow Times added.
Reportedly the second-most senior figure in the Center for Information Security at the FSB, Mikhailov is also said to be responsible for operating Cozy Bear, another APT (Advanced Persistent Threat) group. His arrest is being called the highest-profile case within the Russian security agency since the breakup of the Soviet Union.
If the accusation of Mikhailov tipping off information to the US is indeed true, does it mean Kaspersky was lying when it said that Stoyanov is being investigated for activities that predated his time with the AV firm? How was Mikhailov, if he was a US asset, compromised right after the inauguration of the new president in the US? Did the new administration share this information with Moscow?
These and many similar questions remain all but unanswered. Right now, conspiracy theories are running wild, and in the absence of anything official from the Russian government, we have nothing to base our argument on but the reports coming out of Russia.
Whatever the truth is, security experts warn that the arrests will cause cybersecurity experts in Russia to withhold sensitive findings from their colleagues elsewhere in the world. Jake Williams, founder of security firm Rendition Software (formerly with the Department of Defense), wrote in a blog post, "For those living and working under oppressive regimes, keep up the good fight. But also remember that no incident response report or conference talk is worth jail time (or worse)".