Inside the Intrigue of ‘Russia’s Cyberattacks’

“Looks like Sergey [Mikhailov] and Ruslan [Ruslan Stoyanov] were looking for various “scapegoats” who were easy to track down and who had a lot of criminal evidence collected against them, and then reported them to iDefence through Kimberly [Zenz]. This was done so that iDefence could get some publicity for themselves by turning this into a global news story. Then the matter was reported by US intelligence to Russia, and then got on Sergey’s desk who made a big deal out of it and then solved the case brilliantly gaining favors with his bosses. iDefence at the same time was getting huge grants to fight russian cyberthreats.”

 Russian businessman Pavel Vrublevsky


On December 4, 2016, the Federal Security Service (FSB) arrested Ruslan Stoyanov, the former head of Kaspersky Lab’s Computer Incident Investigation Department. On the same day, they also arrested three FSB officers: Colonel Sergey Mikhailov and his colleague Major Dmitry Dokuchaev, both senior officers of the 2nd Operational Management of the FSB Information Security Center, as well as Georgy Fomchenkov. The four men are detained on charges of high treason (Art. 275 of the Russian Criminal Code). Here is their story.

In a very short period of time, we have witnessed an unusual series of events. The US has accused a Russian intelligence agency of conducting cyber-attacks related to the 2016 Presidential election, the Russian authorities have jailed most members of a hacker group known as ‘Shaltay Boltay’, and three FSB officers as well as one of the country’s top cyber-security experts from Kaspersky Lab are accused of high treason.

Most media have assumed that these events are related. Surely, the timing of these events seems to indicate some link between them. But what is this link, if any? After all, the GRU is accused of the cyber-attacks, not the FSB.

Until now, I have limited myself to describing these people and collecting the information available about them. Today, I will attempt to write their story. It may not be the entire truth. But one has to start somewhere.

In a recent post, I came to the conclusion that the four FSB officers have crossed paths with Russian businessman Pavel Vrublevsky.

Pavel Vrublevsky

FSB Colonel Sergey Mikhailov, Major Dmitry Dokuchaev, FSB officer Georgy Fomchenkov and former head of Kaspersky Lab’s Computer Incident Investigations Department Ruslan Stoyanov have all collaborated on a high-profile case.

They were all involved in the investigation of the criminal case regarding the DDoS-attack on ‘Assist’ payment system in July 2010, which resulted in the sale of electronic tickets for Aeroflot flights being unavailable for an extended period of time.

As a result of this investigation, Russian businessman Pavel Vrublevsky was sentenced to two and a half years in jail. Pavel Vrublevsky has claimed that he was framed by the FSB officers after he accused Mikhailov and Stoyanov of working for a US intelligence agency.

Finally, the FBI has traced suspicious hacking activities during the US Presidential campaign back to servers that are managed by Vladimir Fomenko and quite possibly belong to… Pavel Vrublevsky.

Pavel Vrublevsky told Reuters that the arrests were a response to his old allegations (2010) that Stoyanov and Mikhailov had passed secrets on to an American firm: iDefense (now Verisign).

Ruslan Stoyanov

Before joining Kaspersky Lab’s Computer Incident Investigations Department, Ruslan Stoyanov worked as a major in the Russian Ministry of Interior’s Moscow Cyber Crime Unit. But, in between these jobs, he worked for a cybercrime investigation firm called ‘Indrik’. His only colleague at ‘Indrik’ was Dmitry Levashov.

Kimberly Zenz

Dmitry Levashov had an interesting ‘girlfriend’. Her name is Kimberly Zenz who worked for iDefense, now Verisign (iDefense is about to be sold to Accenture). Zenz was the ‘Russia’ expert on cyber-attacks.

There is no doubt that she was getting good intel. Zenz may dispute whether the information she received was classified, but she appears to admit both receiving it… and passing sensitive information on to US intelligence agencies.

Verisign

Kimberly Zenz denies the allegations made by Pavel Vrublevsky. “Nothing like the arrangement as described by Pavel Vrublevsky ever took place,” she said. (Earlier this year, Zenz said she did date ‘a Russian man’ who worked with Stoyanov at Indrik.)

Verisign acknowledges that the firm’s iDefense unit compiled dossiers on cyber crime for clients including private firms and government agencies that include U.S. intelligence services.

Verisign Vice President Joshua Ray declined to comment on Stoyanov. Choosing his words carefully, Ray said that he does not believe the firm’s reports to government agencies and other customers included state secrets.

ThreatConnect & FBI

In September 2016, ThreatConnect — a US cyber-security firm — published a report that included Internet addresses that were used as staging grounds in the U.S. state election board hacks.

That report was based in part on an August 2016 alert from the FBI (PDF), and noted that most of the Internet addresses were assigned to a Russian hosting firm called King-Servers[dot]com.

King Servers

King-Servers is managed by a 26-year-old Russian named Vladimir Fomenko. According to Brian Krebs, Pavel Vrublevsky and Vladimir Fomenko are longtime associates:

Both were prominent members of Crutop[dot]nu, a cybercrime forum that Vrublevsky (a.k.a. “Redeye”) owned and operated for years.

Brian Krebs noticed a very interesting ‘coincidence’:

Fomenko issued a statement in response to being implicated in the ThreatConnect and FBI reports. Fomenko’s statement — written in Russian — said he did not know the identity of the hackers who used his network to attack U.S. election-related targets, but that those same hackers still owed his company USD $290 in unpaid server bills.

An English-language translation of that statement was simultaneously published on ChronoPay.com, Vrublevsky’s payment processing company.

Coincidences: The Netherlands, Porn Sites and WebMoney…

According to a recent piece in the NYT, Dutch Intel Agencies have provided information to the US IC. ThreatConnect has identified six of the eight addresses as originating from servers owned by King Servers in Dronten, the Netherlands. The company’s main customers are pornographers.

Mr. Fomenko said prospective renters using the nicknames Robin Good and Dick Robin had contacted him online in May and paid through WebMoney, an online payment system, not an uncommon profile for his clients. [NYT] If true, it means that FSB Colonel Sergey Mikhailov could easily identify such customers. (See below)

Georgy Fomchenkov

Reuters was unable to contact Fomchenkov or a representative of him, find any further information about his identity from publicly available sources, or determine what role he was accused of playing in the case.

Kommersant has provided some details about Georgy Fomchenkov, whose name had earlier been revealed by Novaya Gazeta. He was involved in the work of payment services used by webmasters of pornographic sites. And there are ‘traces of his activities’ in the archives of the crutop.nu forum, administered by the founder of the Chronopay payment system, Pavel Vrublevsky.

And of course, like Sergey Mikhailov, Dmitry Dokuchaev and Ruslan Stoyanov, Georgy Fomchenkov was involved in the investigation of Pavel Vrublevsky…

Sergey Mikhaylov

According to Pavel Vrublevsky,

Sergey Mikhaylov’s main asset is the ability to see account data at Webmoney using Webmoney’s cooperation with FSB Infosec Center.

They (WM) are secretly collecting huge amounts of all kinds of data on the account holders, and knowing the culprit’s WM wallet ID it is trivial to find the real identity behind it.

In other words, it would be fairly easy for Sergey Mikhailov to identify ‘Robin Good’ and ‘Dick Robin’…

And ‘Shaltay Boltay’? 

Major Dmitry Dokuchaev is a formerly well-known hacker (Forb) recruited by the FSB (Sergey Mikhailov) while he was in jail for his cyber-crimes. According to various sources, Sergey Mikhailov and Dmitry Dokuchaev took control of the ‘Shaltay Boltay’ group in the summer of 2016. The leader of this group was arrested in October 2016, and various media reported that he named Sergey Mikhailov and Dmitry Dokuchaev, who were arrested on December 4, 2016.

Conclusions

According to a source connected with the investigation, the FSB officers and Ruslan Stoyanov — the former head of Kaspersky Lab’s Computer Incident Investigation Department — are accused of having passed secrets to U.S. firm Verisign and other unidentified American companies, which in turn shared them with U.S. intelligence agencies. [REUTERS]

At this point, the story is pretty much what Russian businessman Pavel Vrublevsky described in an email to one of his employees in the fall of 2010.

“Looks like Sergey [Mikhailov] and Ruslan [Ruslan Stoyanov] were looking for various “scapegoats” who were easy to track down and who had a lot of criminal evidence collected against them, and then reported them to iDefence through Kimberly [Zenz]. This was done so that iDefence could get some publicity for themselves by turning this into a global news story. Then the matter was reported by US intelligence to Russia, and then got on Sergey’s desk who made a big deal out of it and then solved the case brilliantly gaining favors with his bosses. iDefence at the same time was getting huge grants to fight russian cyberthreats.”

So, is the story true? And, if it is true, is the story the whole truth? As Italians say: “se non è vero, è ben trovato.” (If it is not true, it is a — pretty — good story.) On the other hand, I am not entirely convinced that this is the whole story. As an astute observer noticed: “Russian authorities at times use old cases as a way of charging people suspected of later crimes.”

Stay tuned…

REFERENCES

A Shakeup in Russia’s Top Cybercrime Unit — KrebsonSecurity

Treason charges against Russian cyber experts linked to seven-year-old accusations — Reuters

The FSB Purge: Two Narratives — emptywheel

Reuters Confirms Krebs’ Supposition on Russian Treason Charges — emptywheel

A Voice Cuts Through, and Adds to, the Intrigue of Russia’s Cyberattacks — NYT

Obama Administration Rushed to Preserve Intelligence of Russian Election Hacking — NYT
