In-brief: the arrest of a prominent security researcher from the firm Kaspersky Lab in Moscow has prompted speculation that the Russians may be cleaning house after recent U.S. intelligence revelations about Russian hacking in this country.
A leading expert on cyber crime who has written extensively about the doings of Russian cyber criminal networks was arrested in Moscow on charges of treason in December, according to a report by the Russian business news site Kommersant.
Ruslan Stoyanov, who is the head of the cyber investigations unit at the firm Kaspersky Lab, was arrested in early December along with Sergei Mikhailov, head of a division of the Russian FSB intelligence service. The article (translated from Russian) suggests that the investigation may relate to illegal payments from or to “foreign companies” by a “member of a certain Russian company in the field of information security.” However, experts in the West and Russia watchers speculate that other motives may be at work.
In a statement, Kaspersky Lab said that the case against Stoyanov does not involve his work for the company. Stoyanov, Kaspersky Lab said, is “under investigation for a period predating his employment at Kaspersky Lab.” The company also denied any knowledge of the investigation.
Stoyanov has worked for Kaspersky Lab since 2012, meaning that the investigation would have to concern actions that took place more than four years ago. Prior to joining Kaspersky, he had worked for the firm Indrik and as Head of Network Security for the telecommunications firm RTComm.ru. Between 2000 and 2006, Stoyanov was a Major in the Russian Ministry of the Interior, working in the Moscow Cyber Crime Unit.
The arrest prompted speculation that the Russian government was acting in response to recently disclosed intelligence about the extent of Russian government involvement in a campaign of hacks and data leaks that targeted the campaign of Hillary Clinton and other prominent Democrats.
Writing on the blog Lawfare, Paul Rosenzweig of Red Branch Consulting said that the arrests may be the result of the declassified intelligence reports that were made public. Details in those reports on the Russian hacking campaign could have tipped off Russian authorities.
“The public report … offers many striking conclusions and the Russians would, properly, surmise that there were underlying details in the classified version of the report supporting the conclusions,” he wrote.
Of course, the nature of any cooperation between the two men who were arrested and “foreign” sources isn’t described nor has it been reported. The broad definition of the statute under which the men were charged could make a crime of any information sharing with outside sources that was deemed harmful to Russia – including blog posts or talks given at technical conferences.
Stoyanov, in particular, authored a series of blog posts for Kaspersky’s Securelist research blog detailing sophisticated Russian cyber criminal organizations. His most recent, in August, detailed the workings of a group called Lurk, which Russian authorities suspect of stealing nearly three billion rubles from banks in that country.
There is overlap between the activities and tools of Russian cyber criminal groups and state sponsored hacking operations like Fancy Bear, the group blamed for hacking into Democratic party organizations. That has led to speculation that Russian intelligence services recruit the help of the country’s cyber criminal gangs for sophisticated operations in exchange for some kind of limited immunity to continue their illegal money-making operations.
A competing theory is that Stoyanov’s research into Russian cyber criminal groups exposed, or threatened to expose, these connections, leading to his arrest. At least one member of Kaspersky’s research team (dubbed GREAT) disputes that, however, and claims that Stoyanov did not work on so-called “APT” (or Advanced Persistent Threat) research.
The arrest threatens to cast a chill over other security researchers working at Kaspersky or at other organizations operating under repressive regimes.
Kaspersky Lab has long cultivated close ties with the Russian government. Its founder, Eugene Kaspersky, is himself a product of the state intelligence apparatus. That connection and history, highlighted in many articles, has long been a source of controversy and sensitivity for Kaspersky and the company.
The arrest will complicate that. Kaspersky will need to “think about the need to distance themselves from law enforcement agencies and to build a more formal relationship with the FSB,” Andrei Soldatov, the chief editor of the site Agentura.ru, is quoted as saying in the Kommersant article.