Novaya Gazeta Learns of 3rd Arrest in Hackers’ Treason Case: Is FSB Agent Major Forb the Head of Shaltai-Boltai?

January 28, 2017
Screen grab from a YouTube video published by Anonymous International, as Shaltai-Boltai is known in English.

LIVE UPDATES: Novaya Gazeta has learned of a third arrest in the hackers’ treason case in which a Kaspersky Laboratory employee and an FSB agent have already been arrested. He is Maj. Dmitry Dokuchayev, a senior operative at the 2nd department of the operations division at the Center for Information Security.


UPDATES BELOW


Fourth Arrest Comes to Light in Russian Hackers’ Case

A fourth arrest has come to light related to the Shaltai Boltai hacking group, whose members appear to be staff members of, or cooperating with, the FSB and a Kaspersky Laboratory employee.
RosBalt, an independent wire service known for reporting on the Nemtsov murder and trial and other sensitive issues, says:
“The story of the detention of Sergei Mikhailov, a high-ranking officer of the Center for Information Security, is taking on the nature of a feverishly-twisted thriller.”

As we have reported, Ruslan Stoyanov, an employee of the Russian private company Kaspersky Laboratory, which makes anti-virus and other security software and performs forensic studies of hacks, was arrested for treason, as has been confirmed in a terse press release from Kaspersky. Kaspersky says the arrest is unrelated to their business and involves the investigation of a case that predated Stoyanov’s employment. Before he came to Kaspersky, Stoyanov worked for Department K at the Interior Ministry, the police division responsible for investigating hacks.

A second arrest was of Sergei Mikhailov, an officer of the Federal Security Service’s Center for Information Security (TsIB) whose mandate isn’t just preventing the hacking of government and business but hacking those it needs to hack in the interests of government and big business.

A third arrest was made of Dmitry Dokuchayev, a one-time popular hacker who taught others how to hack, who was recruited and coopted into the FSB’s TsIB.

In Soviet Russia, the hacking investigators hack you. All of the people involved in investigating and preventing hacks can just as readily turn to being the hackers who others then try to investigate.

Some or all of these people may or may not be involved in Shaltai-Boltai, which is a hacking group that may or may not have some authenticity to it, i.e. motivated not by pay or government instructions, which has selectively hacked some government officials but not others, i.e. Prime Minister Dmitry Medvedev, responsible for what remains of the Russian economy, and Kremlin aide Vladislav Surkov, responsible for the separatists in the Donbass, among other jobs in Russia’s “near abroad.”

Rosbalt writes: 

A source familiar with this situation told RosBalt that Anikeyev was detained by FSB officers in late October 2016 when he arrived at the airport in St. Petersburg from Ukraine.

The operation was the result of long work. A complex operative trap was sprung with the aim to lure Lewis from Ukraine, from which he had not intended to return.

The FSB brought Anikeyev for booking to Moscow, where he was charged with Art. 272 (unauthorized access of computer information).

At first, the FSB counter-intelligence people were interested in the leak of Surkov’s email — by that time it was known it was in the hands of Shaltai-Boltai. Since this was a question of electronic mail with the “gov” domain, the FSO [Federal Protection Service, which guards top leaders and the Kremlin grounds] became very alarmed. This email leak was published on a Ukrainian site by a band of hackers who called themselves “the CyberJunta.”

We could note that already-existing Ukrainian hackers who worked on exposing Russia’s war in Ukraine hadn’t heard of these hackers, and also suspected that they may be a front for some kind of active measure by Russian intelligence.

RosBalt says “in reality, it was suspected that Anikeyev posted the leaks”. He had traveled to Ukraine before, because his girlfriend lived there; according to available information, he had no intention of returning to Russia. The authorities were also interested in other email Lewis had, which had begun appearing on the Shaltai Boltai site. Said the source:
“Anikeyev immediately began cooperation with the investigation and provided extensive testimony, in which the name of Mikhailov was repeatedly mentioned as a person connected with the Shaltai-Boltai team.”

In December 2016, Mikhailov and Dokuchayev, said to be his “right-hand man,” and also a TsIB officer, were arrested; a judge issued an order for their arrest.

There was also another TsIB officer — that would make a fifth person — who was detained and interrogated, and then released.
This is the version of the story provided by the source:

“In early 2016, in Mikhailov’s division at the TsIB, there was an order to ‘work with’ Shaltai-Boltai, which had published the government officials’ emails. Dokuchayev was the intermediary chosen for this ‘work’. The TsIB managed to figure out who were the members of Shaltai-Boltai — they all took names from the story of Alice in Wonderland — Lewis [Lewis Carroll, the author of that story]; Alice, the March Hare, etc. Lewis was the one who organized the web site and the team. There were searches last summer, although formally, other reasons besides the hacker’s case were found for them.”

So after the last summer attack, Shaltai-Boltai found itself with a new boss, or, a “curator,” as the Russian intelligence term has it. The source believes that boss of a now-turned hacking group was Mikhailov. So the targets of Lewis’ team changed, as well as the methods of their work. Previously, Lewis’ people picked out their targets in places where mobile phones were used. They used fake cells (if it was a question of the mobile Internet) or used a spoofed Wi-Fi (if a person was connected to a Wi-Fi). The downloaded content then would be sent to a member of Lewis’ team who lived in Estonia. He would comb through it and pick out what needed to be put on the open Internet and what could be sold for Bitcoins. Several people who lived in Thailand were part of the financial side of Shaltai-Boltai.

The Bitcoins the group earned by selling some of the hacked correspondence they turned into cash in Ukraine. From time to time, Lewis’ sources would “dump” to him emails that had already been “taken” by other hackers.
So by the fall, Shaltai-Boltai began exclusively to work with the content they got from their “curator,” i.e. the FSB. If before, says RosBalt, the emails dumped on the Internet were mainly “entertaining” in nature, and the people whose secrets were leaked were not particularly harmed, now the emails being leaked contained information capable of causing “serious unpleasantness.” When it became known that Surkov’s email had leaked in Ukraine, that was the last straw.
Said the source:
“Mikhailov is a magnificent specialist. The best in his field. You can say that the TsIB is all Mikhailov. But he overplayed his hand.”

What that means is that he went too far when he took over a group that, before that, had merely made fun of Medvedev by hacking his Twitter to make him look ridiculous, or made a buck by hacking some officials with interesting financial information; now they were stepping on bigger toes by showing that Surkov really ran the separatist leaders, as those in the field already suspected three years ago.

There is a theory that Surkov falls in and out of favor and that at the time of this hack he was back in favor running Ukraine and this was a big setback for him.

It’s also possible that he simply is moved to different desks from time to time and remains quite firmly in favor, and the hack of his email is a cover for something else, or a distraction, or the results of clan warfare by people who are equally happy to keep Russian troops in Ukraine.

Rosbalt has one source on this, and Novaya Gazeta and Tsargrad each have one source, so there is not a lot to go on here.

There is no indictment; no mothers or wives sounding the alarm; no human rights groups; no lawyers; no co-workers, even, leaking the information with concern to the press. This is unusual even for Russia, where even highly-sensitive political cases do get covered at least in some fashion. 

While it can’t be ruled out, given what we know, it’s a stretch to make the leap to a mission profile for this turned FSB-run hacker group to involve either hacking for Putin to help Trump, or leaking to the Americans the fact that other hackers had hacked for Putin.

Maybe for money or because they are good civic internationalists, they wanted to make sure the world knew about the hack of the DNC or other hacks, such as the election systems of Arizona and Illinois that they felt “went too far”. But since these are the same people who five minutes before that were hacking for their directors at the FSB, we can’t be sure of their agenda in any event.  The hack of Surkov doesn’t tell us anything we didn’t know, it misleadingly implies only he runs the Ukraine account which is false (when military intelligence and many other offices have leadership roles) and it also creates a false impression that there are valiant opposition hackers in Russia who behave like valiant opposition hackers in other countries. These are hackers who were recruited to work for the FSB; they were either happily recruited or reluctantly pressured into cooperation with the FSB through blackmail. They aren’t freedom fighters.

The angle of German Gref perhaps standing behind this hackers group cobbled together part out of FSB agents and part out of turned formerly-independent hackers might explain some of its strangeness. He is an ethnic German born to a family deported under Stalin in Kazakhstan, the former minister of economics in the early years of Putin’s rule, the current CEO of Sberbank, and a member of the board of Russia’s search engine Yandex, and considered a “liberal reformer” within the Russian system. Perhaps he really had hoped to seriously challenge Putin in the 2018 presidential election. Now if his people — if in fact they were his people — are enmeshed in a case of high state treason, those hopes will be dashed.

— Catherine A. Fitzpatrick

Novaya Gazeta Learns of 3rd Arrest in Hackers’ Treason Case: Is FSB Agent Major Forb the Head of Shaltai-Boltai?

The following is a translation from the Russian of the article “Is Major Forb the Head of Shaltai Boltai” by Irek Murtazin published January 27 in Novaya Gazeta, an independent online news site. Shaltai-Boltai is a character in Russian folklore similar to “Humpty Dumpty,” and is the name of a hackers’ group that has gained notoriety for hacking the accounts of a number of prominent Russian officials, notably Prime Minister Dmitry Medvedev’s Twitter, where they put out expressions of regret about annexing the Crimea.

The Internal Security Service of the Federal Security Service is confident that the FSB officer Dokuchayev detained on suspicion of state treason is connected to a hacker’s group that attacked political figures in Russia.

We have learned of the name of another figure in the criminal case about state treason at the FSB. He is a senior operative at the 2nd department of the operations division at the Center for Information Security (TsIB), Major Dmitry Dokuchayev of the Russian FSB. He, just like the officer of the same division, Sergei Mikhailov, and Ruslan Stoyanov, an employee of the Kaspersky Laboratory, was arrested back in December of last year.

I first heard of Dokuchayev in 2012, when I conducted research concerning the criminal case of the founder and general director of the payments processing company Chronopay, Pavel Vrublyovsky.

[See also Cybercriminal No. 1 Pavel Vrublyovsky: Superagent or FSB Victim?]

At that time I learned that Dokuchayev back in 2005, at that time with the rank of senior lieutenant of the FSB, ran the column Hack in the Russian-language magazine Hacker. To be sure, he hid behind the nickname “Forb”.

I was able to find out that Dokuchayev/Forb was a native of Ekaterinburg, where in 2005 he had graduated from a technical school, and had professionally worked in programming, administering web sites.

In IT circles, he gained fame after hacking several serious sites, including American ones. It was at that time that he came to the attention of the FSB TsIB, which invited him to work for them.

In September 2016, the FBI accused the owner of the company King Servers, a Russian citizen named Vladimir Fomenko, of a cyberattack on the electoral systems in the American states of Arizona and Illinois, which was allegedly conducted with 8 servers, 6 of which belonged to the company King Servers.

[See also Trojan Code: Hackers and Chekists Suspected of State Treason in Passing Secret Data to the Americans].

It was in fact at that time, according to our information, when the FSB’s Department of Internal Security began a probe regarding this leak of information, that Mikhailov and Dokuchayev were put under surveillance. They did not manage to confirm the involvement of Russians in the attack on servers in the US, but the FSB agents from the Department of Internal Security managed to get up close to the Shaltai-Boltai group of hackers, who were infamous for hacking the personal emails of Dmitry Medvedev, vice-premier Arkady Dvorkovich, bureaucrats at the presidential administration, the Department of Defense and Roskomnadzor [the agency for supervising the media which serves as a censor–The Interpreter].

The FSB suspected that Mikhailov was curating [the term the KGB and its successors use to describe agent handling] Shaltai-Boltai — and Dokuchayev was the direct perpetrator of the hacks and leaks.

In 2005, in the 77th issue of the magazine Hacker, Dokuchayev/Forb taught people how to become a hacker:

“It’s no secret that some 20 years ago, hackers were considered not evil-doers, breaking servers on commission, but talented programmers who had a keen understanding of their craft. In my understanding, the word ‘hacker’ is a multi-faceted developed person who knows the theory of network mistakes and successfully applies his knowledge in practice. Aside from this, the hacker must possess programming skills, know at a minimum two operational systems and of course, have major connections and influence with other hackers.”

It looks like Dmitry Dokuchayev followed his own instructions completely.

But he didn’t master his own advice on security.

***

Novaya Gazeta then ran a copy of the article in Hacker magazine, “How to Become a Hacker,” in which he provides sites to visit and books to read on how to hack.

At the end of his piece, he has 10 items of advice for the novice hacker:

1. Never talk to strangers about hacker issues. That may end badly.

2. Use only a convenient and tested software for various network operations.

3. Visit security forums. Don’t be shy about asking questions there and solving others’ problems. 

4. Have five or six email accounts on foreign hosts. These will come in handy for anonymous correspondence.

5. Have in your arsenal two or three remote shell accounts. I have repeatedly described the use of shell-access.

6. If people have knocked on your door with a problem — this is a symbol that you have achieved respect. Definitely help the person solve their problem.

7. Do not spend 24 hours a day on the computer. Remember, aside from the Internet, there must be healthy sleep, personal life, and visiting classes in school.

8. Every month, buy Hacker and SpetsHacker [Special Hacker]. Also read all the issues since 1999. Many questions after that will fall away on their own.

9. Never take on a complicated and risky hack if you have not yet matured for this. No one ever looks pretty with a suspended sentence.

10. Don’t squat on somebody else’s Internet access. This is nothing but ordinary theft.

SAFETY IS MOST VALUABLE

If despite all these warnings, you’re out on a shaky hacker’s limb, definitely take concern for your own security. Even if you do nothing bad, you must have established the habit of defending yourself on the Net. Definitely use socks or proxy-servers which can be found on the Internet. Aside from that, be careful and become a paranoid : )  This will not hurt. Talk about hacker topics only with PGP or in SSL-IRC, fortunately there are such networks. Never expose your address, city or even name — this may be turned against you at any moment. And shiver from telephone calls, knocks on the door and sudden turn-offs of the light — that means they’ve come for you : ).

— Catherine A. Fitzpatrick 

‘Hybrid Cyberwars’: Are the Russian Hackers’ Arrests About American or Internal Russian issues?
We published a number of stories this past week on the sensational arrests of three Russian hackers (and there may be more).

Shaltai-Boltai are the hackers who were said to crack Medvedev’s Twitter, and put up funny sayings from him that were in his style, but not characteristic, such as regrets about seizing Crimea.

But the results of Shaltai-Boltai’s work, which included highly-publicized email leaks that revealed, for example, that the youth official in the Kremlin told the press what to say, attracted a lot of media attention. People began to wonder why they never seemed to really challenge the system. But there was also the realization that they couldn’t be just kids, or the usual kompromat business blackmailers, but something much higher level.

While suspended from Twitter after the Medvedev hack in 2015, @b0ltai came back, but interestingly, he stopped tweeting on December 12 — a week after Mikhailov was arrested.

As often happens with stories of this sensational type, where there are no official statements at all, and no fully-reliable source of news because journalists have to rely on law-enforcement leaks, there are a number of different versions of the story floating around in state media, pro-government private media, semi-independent media, and actually-independent media.

But it’s important to remember:

– All we have are two pro-government newspaper accounts based on FSB sources;

– There is no charging sheet or indictment or arraignment in court;

– No relatives have spoken;

– No lawyers have appeared, even to ask the right questions;

– Not a single co-worker, starting with Eugene Kaspersky, has made any statement of substance about why they were arrested.

So there is really very little to go on. 

Hush-up of December Arrests 

Perhaps most telling is that while Ruslan Stoyanov, the number two or number three department head of Kaspersky Laboratory (even if the PR person denies now he was a “top manager”) was arrested back in December — a man who was well known in the cybersecurity community and spoke at conferences — the news of his arrest did not surface for weeks until now.

Eugene Kaspersky, founder and head of Kaspersky Laboratory had nothing to say on his Twitter feed about the arrest of his colleague and reports of Stoyanov’s arrest did not surface in the independent media, which would seem likely given the intersection between computer professionals, hackers, the media, and opposition.

Kaspersky has sought to downplay this incident as completely unrelated to their company and related to a criminal case that happened before Stoyanov came to work at Kaspersky — “with epaulets on his shoulders” as some Russian media has put it, meaning that he was employed by the police, or Interior Ministry, in Department K, which is for cyber crimes.
As we noted, Kaspersky himself has long had a close relationship to intelligence having graduated from the KGB’s cryptography academy and worked for military intelligence, although currently the official story in all media stories now (because it was in a Kaspersky press release) is that Kaspersky only began “in 2013” to work with the FSB on cyber crimes (such as large cases involving stolen credit cards).
So the least amount of information has come from the company where Stoyanov worked and from which the most might be expected to come, given the close cooperation with the FSB and Interior Ministry, but we have very little — and Kaspersky himself has not even tried to spin people away from linking these arrests to the Trump dossier or the DNC hack. In today’s Russia, you can go from being a witness to being a suspect at the same encounter with law-enforcement, so it pays to keep quiet.

It’s not uncommon for people to disappear into the Russian prison system — a highly-publicized political prisoner named Ildar Dadin couldn’t be found for over a month recently after he smuggled out an account of his torture. The prison monitors from the remnants of the human rights movement who are occasionally allowed into Lefortovo sometimes report with alarm their discovery of people who had been missing for months — and their completed “treason” investigations of this type, which are impossible to stop.

The only thing that can be said about the FSB’s prison, inherited from the KGB, is that the gruel is a little more nutritious and the bedding perhaps a bit warmer, as perhaps the FSB has to get more refined types of information out of its suspects than other types of police who can use cruder methods and worse conditions.

But it’s also odd that an FSB officer, who might not have an open network of friends like a cybersecurity expert in a private company, but would at least have some sympathetic co-workers — had no one to leak his arrest right away, no one in his office or among his relatives or other contacts that might have called a reporter.
And we may never hear the real story of what happened to these men (there is now a third, Dmitry Dokuchayev), as their trial may be declared “secret” and held behind closed doors. There are good lawyers in Russia, but they may have trouble even getting in to see their own clients. One such lawyer who has taken up high-profile political cases was himself abducted by the FSB this week as he attempted to defend Crimean Tatars in Russian-occupied Crimea.

Komsomolskaya Pravda: Hackers for Hire to Damage Business Rival

Komsomolskaya Pravda, a pro-government newspaper and web site, has told the story of Mikhailov, who is suspected of “receiving money from a foreign company through an intermediary of a certain Russian information security company.” It repeats Kaspersky’s press release but with one telling mistake (or contradiction): Ruslan Stoyanov was said to come to Kaspersky in 2011 (not 2013) and with “epaulets,” a reference to his job in the police in the department combating cyber fraud.

What is that foreign company? Is it King Servers, mentioned in the hacking of the electoral computers in Arizona and Illinois? What is that “intermediary of a certain Russian information security company”? Is it Kaspersky? King Servers is not a cyber security company, they only rent servers. Is anything named in the Trump dossier related to people and incidents in this case? There aren’t enough clues to go on. 

Komsomolskaya Pravda (KP) then said it had its own sources saying the arrest “could be related to a DDoS attack on the Assist payments system” which was made by a competitor in the payments business which caused Aeroflot ticket buyers to be unable to purchase tickets online for several days, and which cost Aeroflot a loss of 146 million rubles ($2.4 million).

We have now entered the era where kompromat, which is effective but can take time to gather and disseminate, and assassinations — which can be difficult and risky to perform — are displaced by a cruder means of knocking out a rival — crashing their servers.

Pavel Vrublyovsky, Entrepreneur, Ex-Con and Collaborator

The FSB’s Center for Information Security (TsIB) then learned that Pavel Vrublyovsky, owner of the Chronopay payments system, the rival to Assist, may have organized the DDoS attack on Assist, and also “may have had contacts with the siloviki (power ministries, i.e. the FSB and others) who hindered the investigation.”
We could add that since Investigative Committee staff (itself a rival of the FSB and other agencies) have been arrested for blocking investigations into mafia lords, it’s feasible that FSB agents could be guilty of the same.
“Just the facts,” says KP in describing the fact that Vrublyovsky was then arrested in 2011, recanted, but was then tried again when the FSB found more information to prove his guilt. He was sentenced to 2.5 years of labor camp, a relatively light term which he has now already served.
During Vrublyovsky’s trial, materials from that criminal case wound up on the Internet, exposing the methods of how FSB agents interfere with business, picking sides in various commercial wars. Vrublyovsky’s representatives claim that the attack on Assist was in fact instigated by the FSB to discredit Chronopay — in other words, not Chronopay’s idea but a set-up.
KP says that while the investigation in Vrublyovsky’s case was completed, FSB agents kept researching the case, looking for the hackers who might have done this job for Vrublyovsky in 2011. What is known, says KP, is that the FSB commissioned a forensic probe of the DDoS on Assist from the Kaspersky Laboratory. 
We don’t know how “it is known,” and the question naturally arises, in dealing with cases and media reports like this in Russia, what enemies of the FSB in general, or those FSB agents in particular in some other law-enforcement agency or government office, let that fact leak, or set KP up to say it.
Kaspersky Laboratory has not commented on this allegation in KP, and in their original press release about Stoyanov’s arrest says that it “does not concern the professional activity of the company and neither its experts, its business, its products, or clients of the company are in any way affected.”
Naturally, even if Kaspersky was involved in performing a job for the FSB — a contact they now publicly acknowledge — confidentiality clauses in contracts or common sense (if they wanted to keep in business) would prohibit them from exposing this attack.

“Nothing is True and Everything is Possible”

So this version of the story in KP, a pro-government newspaper that enthusiastically takes the side of Russian fighters in Ukraine and Syria — with some of the most popular war reporters in Russia — may be true, or may be intended to distract us from any American angle in the story.

This version also highlights the fact that without any relationship to Kaspersky per se, for their own reasons, not self-evident, these particular FSB agents could have had a vendetta against either Chronopay or Vrublyovsky — or even Assist, to take it at face value. Or they may have hoped to show that the FSB is not at all in the business of helping anybody savage their business rivals, although they appear to be.

As the title of Peter Pomerantsev’s book goes, “Nothing is True and Everything is Possible“.

Tsargrad TV: Hacker Hustled Away From a FSB Board Meeting With a Bag Over His Head

Novaya Gazeta referenced Tsargrad in its first piece on the hackers’ arrest, but didn’t get into Tsargrad’s version of the story; the most sensational element of Novaya‘s story — that FSB security arrested Mikhailov during the FSB’s own board meeting by putting a “light-proof” black bag over his head — comes from Tsargrad. Is it true? Well, Tsargrad itself says it was a victim of one of the hackers — Mikhailov — so this has to be kept in mind. And Tsargrad is getting this story from some FSB agent close to them who may just want to tell the story this way to scare people off from it.

German Gref of Sberbank and Big Data 

Tsargrad titled its piece “And This Man Was Supposed to Head Up Big Data“. Tsargrad, we will recall, is owned by Konstantin Malofeyev, a conservative businessman often described in the Russian media as “the Russian Orthodox oligarch” to stress his religious affiliation contrasting with Jewish or secular oligarchs. Malofeyev is known to have funded Col. Igor Strelkov and other Russia-backed separatist leaders in their war in eastern Ukraine. He also favors Internet “safety” which can involve “decency” in Russia as well and preventing the corruption of youth, and sits on the board of the pro-government League for Internet Safety.

“Big data” in this headline is written in English. Many Internet terms, especially for the latest phenomena, tend to be in transliterated English, as their Russian equivalents in Cyrillic letters, in a sentence, tend not to be able to fit into the 140 character space of a tweet. But long before the Internet, vychislitel’naya mashina — computer — for example, was shortened to kompyuter or komp.

FSB Head of Hacking Pushed Into Retirement

Tsargrad took up this story from the angle of Andrei Gerasimov, head of the FSB’s Center for Information Security, who, as we know from other press reports, was being pressured into retirement. The TsIB “curates practically the whole line of battle with cybercrime in Russia from the hacks of credit and finance information to leaks of personal data to plants in the media and social networks,” Tsargrad enthused.
“Curate” is the Russian term of art used about the KGB and later FSB to explain that combination of surveillance and management and operations involved in having the secret police run the state by controlling various figures. So when American researchers look for clues about the hacking of the DNC or sources in the Trump dossier, they assume it has to come from this shop, since they are known to be in charge of hacking, basically. That is, there are of course other shops in other agencies, including military intelligence and the police that do this same thing and are even rivals of the FSB, but the main job appears to be performed by this office. 

That’s why some US press has hastened to say these hacker arrests could be about the DNC hack or the allegations of the Trump dossier, as they believe the people indicated in those stories must have come from this agency and are now going to be punished or sacrificed by President Vladimir Putin who either wants an object lesson about those who hack and leak without strict government supervision or a limited hang-out to do damage control, or a disinformation campaign to hide the fact that the Kremlin is really behind all the hacks in the US.

It’s important to keep in mind that these arrests may have nothing to do with any events in the US, although we can’t trust the pro-government papers telling us this. 

Tsargrad says they learned that Gerasimov’s retirement was all but a fait accompli and had been hastened along by the internal investigation the FSB conducted about how information on its strong-arm DDoS practices was leaking out. That’s how Sergei Mikhailov, Gerasimov’s deputy at TsIB and the head of the 2nd operations department, came to be dismissed — “the real hero of this story,” says Tsargrad.

A Black Bag Over the Head 

It’s interesting that in six weeks in Moscow — a town with a lot of leaks, a lot of stories, and many things getting out one way or another — THIS story just never surfaced anywhere until now. That’s how black the sack was. 

Tsargrad’s “source in law-enforcement” (likely the FSB) told them that Mikhailov’s arrest was quite dramatic — agents (who themselves were likely masked, we could add) put a bag over Mikhailov’s head right during a board meeting of the FSB. 

To get an idea of the setting, think of the board meeting footage last year of Putin speaking solemnly at this same type of annual meeting where the FSB report their accomplishments, such as the summary execution of hundreds of suspected Islamists in the North Caucasus, with the dutiful FSB head Alexander Bortnikov by his side, and bottles of mineral water arranged on the podium, and the audience — FSB officers — motionless except for when clapping is required. To put a black sack over a fellow officer’s head during such a meeting and bundle him out the door sends a dramatic message to every FSB agent never to do anything remotely like what that hapless victim was said to do — leak things. Especially to foreigners.
Tsargrad also tells the story of Assist’s costly DDoS attack and adds this interesting detail:  “Vrublyovsky, who had earlier met with the above-referenced Sergei Mikhailov, decided to set the FSB office and Department K of the Interior Ministry against each other.” Department K, in the Interior Ministry or police, is the FSB’s rival.
So Vrublyovsky said the case against him was fabricated by the TsIb and asked Department K to investigate. On his desk, when he was detained, a note was found: “Sergei Mikhailov at the FSB TsiB FSB leaked us,” i.e. he was said to have leaked the facts of Vrublyovsky’s case to the media. Also on Vrublyovsky’s desk was a folder with documents that exposed Mikhailov’s contacts.
This was in 2011. “If the internal security service [of the FSB itself] had been put into gear back then, perhaps many spy and hacker scandals of the future could have been avoided,” fumes Tsargrad.

Tsargrad says that according to its sources, Mikhailov was involved in the group of hackers known as Shaltai-Boltai — “he could be their direct curator and protector.”

We would point out here that the work of Shaltai-Boltai always had that KGB feel — the leaks never seemed to challenge Putin himself or anyone close to him, but only targeted lower figures who either seemed to need to be “kept in line” by Putin (Medvedev) or for various reasons needed to be discredited (a youth official associated with the Kremlin-controlled youth movements, some of which turned violent).

FSB-Created Hackers On Mission 

Shaltai-Boltai also became the answer to the question people often had about WikiLeaks: why are there never any Russian leaks? Why does nobody ever hack Russia? As with the perestroika years, given the “inertia of fear” as it has been called by some Soviet authors, where people are too paralyzed to move even when allowed, sometimes the KGB and later FSB have to do things in society themselves.

Tsargrad describes Shaltai-Boltai as having “literally come out of nowhere.” In the technical community, no one knew who they were; the group’s members were able to encrypt themselves very well and lived abroad, it was said, although they happened to have access to the personal data of virtually all the Russian political and business elite from Medvedev to media magnate Aram Gabrelyanov, the owner of LifeNews.

Translation: Throughout the world, politicians begin writing nonsense when their accounts are hacked, but only in Russia do they speak the truth for which everyone was long waiting.

Tsargrad itself has reason to hate them:

“In the spring of 2014, at the height of the Russian Spring [the term used to describe the resurgence of Russian nationalism around the annexation of Crimea and invasion of the Donbass–The Interpreter], Shaltai-Boltai broke into the email box of Aleksandr Dugin, the editor-in-chief of Tsargrad. They didn’t find anything compromising, of course, and that meant they failed to blackmail him or sell his correspondence to any interested persons. It was just dumped online.
Dugin himself commented:
“I had been preparing a data base of the major Russian media so that those people who speak out against American hegemony in favor of the multi-polar world, critics of the Atlanticist imperialism both from the left and the right, become more actively involved in the information policy of Russia.”
Dugin’s list, once published, became the reason for the persecution of people in it, and even the jailing of some. Someone on the list died a suspicious death.

So it seemed that Shaltai-Boltai, aside from the usual motivation of cybercriminals to make money, had something of value — this list of “Putin’s friends” and “Russian agents of influence.”

Dugin’s ‘Friends of Putin’

Dugin is often mistakenly described in the Western media as an “advisor to Putin” or as having influence on the Kremlin, which has never really been the case. Putin and other top leaders have found it useful to allow Dugin and other colourful figures such as Vladimir Zhirinovsky to flit around on talk shows and get themselves in the news for outrageous outbursts — so Putin can look rational by contrast.

Dugin has spoken on the same platform of the annual conservative “Moscow the Third Rome” meeting where Sergei Ivanov, Putin’s chief of staff at the time, also spoke, but he isn’t some kind of regular Kremlin visitor in any respect or given any space in influential state publications. His brand of ultranationalist “Eurasianism” in part overlaps with Putin’s own, but Putin’s guru is Ivan Ilyin.

Nowadays, Dugin and others of his persuasion like Col. Igor Strelkov, who led the separatist forces in eastern Ukraine, are very frustrated with Putin, whom they see as having betrayed the “Novorossiya” cause of restoring the greater Russian Empire. They fear he is under the influence not just of “fifth columnists,” those traditional foreign-tainted enemies within, but “sixth columnists” who are people who seem like “one of us” but engage in defeatist talk about the war in Ukraine.

Putin is chairman of the board of Moscow State University, which decided to fire Dugin from his position in the university’s philosophy department in 2015. Some hoped this was because Dugin incited the killing of Ukrainians on his social media pages — something that Russian state media were in fact doing at the same time with more reach and effect. But the efforts that went into hacking his email mean that there may have been hopes to remove him for other reasons.

Dugin made a data base of “friends of Putin” and “agents of influence of Russia” which was of interest because it was based on his ideology — other people might have different “friends of Putin” or different “agents of influence of Russia.”

‘Hybrid Cyberwars’ 

IT expert Igor Ashmanov, in an interview with Tsargrad, called Shaltai-Boltai’s hacking “hybrid cyberwars,” like the hybrid war in Ukraine, part covert and part overt.
Novaya Gazeta didn’t include this part of Tsargrad’s article, but here is where the “Trump connection” comes in — although not in the way some have thought.
According to Tsargrad’s sources, Sergei Mikhailov, the FSB agent, was in negotiations with the leadership of Sberbank. That’s why the photo of German Gref, CEO of Sberbank, is in Tsargrad’s image with the article, along with a Guy Fawkes mask, used by Anonymous. 
Tsargrad said sources told them that Mikhailov was holding talks with the Sberbank leadership:

“Sberbank has at its disposal one of the largest information security services in Russia. It was proposed not just to strengthen security, but to make a new Internet special service, like the US NSA, which keeps all Americans under a bell jar [i.e. under surveillance– The Interpreter].”

Put together the information from the savings accounts of millions of Russian citizens in Sberbank (the name means “Savings Bank,” and it is likely the most popular bank) along with the information about those same people on social networks, and you’ll have one of the largest mass data bases on Russian citizens:

“The chairman of the board of the largest bank in Russia, German Gref, could not help but be briefed on such a plan,” says Tsargrad. If Mikhailov had not been arrested, he would have been directly under Gref’s supervision in making use of this vast data bank. Gref is “a man who has entree to Western globalist circles and also has stubbornly refused to open an office in Russian-occupied Crimea.”

This, from Dugin’s perspective, was wrong — and here his and Putin’s views would be aligned.

Big Data to Win the 2018 Presidential Elections

With such a “Big Data” base of Russian citizens, Gref could do a lot, but Tsargrad sources say Gerasimov’s ambitions went beyond banal enrichment. As Tsargrad sees it:
Thus experts believe that Donald Trump was able to win the elections thanks to the company Cambridge Analytica, which applies Big Data in political campaigns and PR campaigns or black PR [negative advertising] against concrete candidates. Cambridge Analytica has studied the possibilities of influencing the electorate for many years through “targeted” advertising, taking into account not only an abstract social group but all the data which are shown about a user of, say, Facebook. Existing technologies enable you to target a specific audience, combining not only factors of sex, age, education and other basic information but also their combination and other more trivial preferences — for example, musical or culinary tastes, hobbies, pastimes, etc. In a word, everything that you tell about yourself in social networks.
Hillary Clinton meanwhile, says Tsargrad, relied on traditional methods such as media plants and discrediting her rival from a moral perspective; Trump used more modern technologies, from memes on Twitter to targeting with Big Data.
US specialists on election campaigns might find this a skewed description of the US elections, but it doesn’t matter; what matters is that the Russians absorbed the idea that they needed “big data” to win elections.
It strikes us that Putin would be the one most interested in this Russian Big Data for his 2018 re-election, but in the possession of Gref’s hacker, so to speak, who might be “contrary to national interests,” the information would be in “the wrong hands.” Perhaps Gref himself thought to run against Putin.
“This wouldn’t only smell of kerosene,” said Tsargrad — meaning it was flammable material — and then some.
All of this ended up being grounds for pushing Gerasimov, the head of the FSB’s hacking shop, into early retirement. “Only one thing is clear: Mikhailov and Gerasimov fell in the battle of the patriots and globalists for Big Data,” says Tsargrad.
By “patriots” here, Tsargrad means the nationalists or even ultra-nationalists who might seemingly have an “internationalist” vision like the old Soviet Communists by calling themselves “Eurasianists,” but it’s only because their version of Eurasia is dominated by Russia, not Central Asia. Their “patriotism” was preventing Western corruption of their native Russian values, the family, the church, women as wives and mothers, and so on. The “globalists” were people who didn’t mind the penetration of Western culture, say, in the form of iPhones or popular films, but who would still (being FSB agents) want to turn this to a particular Russian identity.
These differences are hard to describe for the Russian scene because “globalism” has a certain connotation in the West, but it is similar. To give the reader a feel: beneath Tsargrad’s article is a banner for a sensational article: “Why has Russia Invested 6 Billion Dollars in Nazi Kiev?” as if Russia’s current war wasn’t fierce enough, and “Chapman Predicts Start of War with USA” — yes, that Anna Chapman, the spy who was expelled from the US after being exposed as a “sleeper” spy. If you have time to linger on Tsargrad, you can click on a scary banner at the top with a stamp bearing George Soros’ visage and vote for the “Russophobe of the Year” — both Soros and Hillary Clinton are in the list, but doing badly, at 7% and 6% of votes currently, by contrast with “Westernizer” Chubais.
To sum up, Tsargrad is proud of these hacker arrests:
“The purges in the ranks of the FSB illustrate the high level of work and worthiness of our special services, which have begun seriously to take up this topic, despite the fact that high-ranking figures in their own agency were involved.”

King Servers and Siberian Vladimir Fomenko 

Russian press coverage of these hacker arrests has mentioned King Servers, which the New York Times covered back on September 27, 2017.

Times reporter Andrew Kramer travelled to Biysk, a town in Siberia near the Mongolian border, to meet up with a young man, Vladimir Fomenko, who was discovered to run a company named King Servers with servers in Russia and abroad, through which some of the hacking attempts in the US had run.
Fomenko, a young man with a tattoo on his neck made in the infamous image of the Guy Fawkes mask used by Anonymous, seemed to taunt US authorities:

“We have the information, but nobody contacted us,” said Vladimir M. Fomenko, a tattooed 26-year-old who snowboards in his free time and runs a business out of a rented apartment.

“It’s like nobody wants to sort this out,” he added with a sly grin.

Mr. Fomenko was recently identified by an American cybersecurity company, ThreatConnect, as the manager of an “information nexus” that was used by hackers suspected of working for Russian state security in cyberattacks on democratic processes in several countries, including Germany, Turkey and Ukraine, as well as the United States.

One cybersecurity specialist recognized this cocky behavior pattern, which we could note we have seen in hackers, Kremlin trolls, and some officials:

The equivocation of responses by Mr. Putin and Mr. Fomenko is studied and deliberate, Kenneth Geers, a senior research scientist at Comodo, a cybersecurity firm, and a former cybersecurity officer with NATO, said in a telephone interview.

“You are not saying yes, you are not saying no, so it’s frustrating for the victim, and it’s intimidating,” he said. “You are suggesting there is more to come.”

The tattoo, though, “is something of a giveaway.”
Is Fomenko also in the shadowy Shaltai-Boltai group hooked up to the FSB’s hacking shop? He doesn’t say. The FBI published the URLs involved in the hacks and perhaps they will be tracked eventually to the FSB.
— Catherine A. Fitzpatrick