What the Arrest of Russian Intel’s Top Cyber-Crime Expert Has to Do With American Elections

The Bell

Until now, U.S. authorities have appeared to base their conviction that the Russian government directed hacker attacks against Hillary Clinton’s presidential campaign on technical research alone. Reporting by The Bell reveals that Russian authorities believe four men betrayed their country by confirming the U.S. findings.

Text by Svetlana Reiter


Sergei Mikhailov was arrested one year ago, on Dec. 5, 2016. Officers of the agency’s internal security division seized him at his office and led him away with a sack over his head. Mikhailov is a black belt in karate and the officers feared that he might resist, explained one of the colonel’s acquaintances.

Prior to his arrest, Mikhailov was head of the 2nd Directorate of the FSB’s Information Security Center (TsIB) and within Russian intelligence circles he was considered the main authority on cybercrime.

Now he and three other men — Dmitry Dokuchayev, an FSB major and former criminal hacker, accused in the U.S. of hacking 500 million Yahoo! accounts in 2014; Ruslan Stoyanov, a former Kaspersky Lab employee; and Georgy Fomchenkov, a little-known internet entrepreneur — are suspected of state treason. The four are being held in Moscow’s high-security Lefortovo Prison, in cells measuring nine square meters and without hot water, sources close to them say.

Sergei Mikhailov

Name: Sergei Mikhailov

Age: 43

– Former head of the FSB’s Information Security Center (TsIB), FSB Colonel.

– Prior to arrest, considered the main authority on cybercrime within Russian intelligence circles.

– Born in Minsk (Belarus), married three times.

Ruslan Stoyanov

Name: Ruslan Stoyanov

Age: 41

– Former head of the cybercrime investigation department at Kaspersky Lab. Responsible for the company’s communications with law enforcement agencies.

– Before Kaspersky Lab, an employee of the Moscow police, then president of the cybersecurity company Indrik.

– An old friend of Sergei Mikhailov.

Classified as a “state secret”, the entire affair has been kept out of the public eye. “The four men have been hidden away from everyone, to make sure they don’t give away any sensitive information”, says Ivan Pavlov, a lawyer for one of the defendants.

The Bell has spoken to three people who are very familiar with the accused and their plight to discover why, in their opinion, the men are being prosecuted.

Two of the three people say the men passed on information about last year’s Russian attacks on the Democratic National Committee (DNC). Two sources also say that Russian military intelligence (GRU) was behind the arrest of Mikhailov and his companions. U.S. intelligence agencies are confident that the GRU is behind the attacks on the DNC. The administration of Barack Obama imposed sanctions on the head of the GRU, Igor Korobov, and three of his deputies, but not on any individuals in the competing Russian intelligence service, the FSB.


I have not once seen any direct proof of Russia’s interference in the presidential election in the USA. We have talked about it with former president Obama and with several other officials. No one ever showed me any direct evidence.

Vladimir Putin

NBC. June 2017

One of the sources claims the defendants helped the Americans identify the hackers who broke into the DNC’s servers. The Bell was unable to confirm the claim. But the New York Times last January reported that the detention of Mikhailov and Stoyanov could be connected with hacker attacks on the DNC. It cited two U.S. officials as telling the paper that some Russian sources had played “a crucial role” in helping U.S. intelligence identify the culprits.

The defendants’ lawyers declined to comment on the details of the case. But they denied their clients had committed treason.

What is officially known about the attacks?

The hack made public tens of thousands of documents and emails from Democratic Party members and Hillary Clinton supporters. If it weren’t for “Russian hackers”, she would have won the election, Clinton has repeatedly said.

A shared belief in that claim in the Democratic Party, together with the U.S. intelligence agencies’ reports on Russian interference, has caused the strongest anti-Russian sentiment in the U.S. since the collapse of the Soviet Union.

In January 2017, the U.S. intelligence community published a report pointing at the GRU as the source of the attack on the Democratic Party. But part of the U.S. intelligence report remained classified and no evidence was given to back up the claim of Russian involvement — which the Kremlin has consistently denied.

Many states employ and fund cyber groups, according to Kaspersky Lab anti-virus expert Denis Legezo. Russian intelligence agencies also have many hackers at their disposal, and they are spread around the world, said one source with close ties to the Russian authorities who is familiar with the system. In recent years, the GRU took the lead in cyber-security affairs, the source added.

But it is impossible to identify which specific cyber group or groups were responsible for last year’s Democratic National Committee hack based on technical traces alone, four cyber experts polled by The Bell confirmed. To prove specifically that the GRU was involved, U.S. investigators would have needed inside sources — preferably with access to confidential state matters, one source explained. Mikhailov had that access.

Relations between intelligence agencies working on the cyber front were strained, one of Mikhailov’s acquaintances said. The FSB and GRU compete for funding and Mikhailov felt the FSB carried out cyber tasks more professionally than the GRU, according to one of his acquaintances.

He used to say that “the GRU breaks into servers in a brazen, clumsy, and brutish manner and it interfered with his own work”, the acquaintance said. Moreover “the GRU’s hackers didn’t even try to cover their tracks”.

How the Russian Hackers Attacked the U.S.

In January 2017, American intelligence agencies released a declassified joint report on the investigation of cyberattacks during the 2016 presidential campaign. They reached the following conclusions:

The Attacks

The intelligence agencies said they believed that the attacks were ordered personally by President Vladimir Putin.

Administrator: FSB

Date of the attack: July 2015

A hacking group possibly linked to the agency entered Democratic National Committee servers and remained undetected for nearly a year. The group was nicknamed Cozy Bear, the Dukes or A.P.T. 29.

Administrator: GRU

Date of the attack: March 2016

A hacking group known as Fancy Bear or A.P.T. 28, supposedly linked to the GRU, was the second group to break into the DNC. Later it played a bigger role in releasing the committee’s emails.


The Leakers

DCLeaks.com

The website appeared in June 2016 as the release of the stolen Democratic Party documents began. The documents were also distributed by Wikileaks and different media outlets.

Guccifer 2.0

A self-proclaimed Romanian hacker, who published part of the DNC documents himself and leaked another part to the media. The U.S. intelligence agencies consider him linked to the GRU.


The Results

— December 2016. Barack Obama sanctions Russia over accusations of ordering the cyberattacks. 35 Russian diplomats are expelled from the U.S.

— Sanctioned Russian entities: FSB, GRU (including four top officials personally), and two hackers: Alexei Belan and Yevgeny Bogachev.

— The leaked DNC papers showed that the Committee, despite the rules, had supported Hillary Clinton against Bernie Sanders.

— The emails forced the resignation of the DNC chairwoman Debbie Wasserman Schultz and added to the divide between supporters of Sanders and Clinton’s campaign.

— Weeks before the election, about 60,000 hacked emails from the account of John D. Podesta, Hillary Clinton’s campaign manager, were released.

— They sparked extensive news coverage about the campaign’s internal dynamics, as well as fake news stories.

— If it weren’t for “Russian hackers”, she would have won the election, Clinton has repeatedly said.

A report by the company Crowdstrike, hired last year by the DNC to investigate the attack on its servers, confirmed the covert rivalry between the GRU and FSB. In June, Crowdstrike published its findings — which were later confirmed by U.S. intelligence services.

The most surprising conclusion in Crowdstrike’s report was that the DNC was broken into by hackers not once, but twice. The first breach occurred in summer 2015, and, according to Crowdstrike, was carried out by hackers with links to the FSB.

That attack was so meticulously carried out that almost a full year passed without anyone in the DNC suspecting anything. The next attack took place in spring 2016 on the orders of the GRU, the Crowdstrike report claims. It was spotted by U.S. intelligence agencies, which warned the DNC.


We know that Russian intelligence services hacked into the DNC and we know that they arranged for a lot of those emails to be released and we know that Donald Trump has shown a very troubling willingness to back up Putin, to support Putin.

Hillary Clinton

Reuters. July 2016

Crowdstrike also concluded that the attacks had been carried out independently of each other — meaning the FSB and GRU had essentially been each other’s rivals. But Crowdstrike founder Dmitry Alperovich did not answer The Bell’s question about how his company was able to distinguish between hackers working for the FSB and those employed by the GRU.

The Bell doesn’t know whether Mikhailov could have helped Alperovich reach that conclusion. But according to a source close to one of the defendants, Mikhailov passed on the information to Crowdstrike through an intermediary. The Bell could not confirm this claim.

As part of his job, Mikhailov had direct contact with foreign intelligence agencies and private cyber-security companies. Unlike many other law enforcement and intelligence services officials known in Russian as siloviki, he had been free to participate in various cyber-security conferences and events, two of his acquaintances said.

Two of Mikhailov’s acquaintances say he shared information about Russian financially motivated hackers with his foreign counterparts. One source claims that Mikhailov did so on as many as 10 separate occasions — with Stoyanov, an old friend, often acting as an intermediary.

Many Russian hackers follow an unspoken rule not to engage in criminal activity “at home” in order to not give Russian authorities a pretext to detain them. At the same time, Russia is generally unwilling to extradite hackers. Mikhailov and Stoyanov would help foreign intelligence agencies with information in precisely such cases, the sources said.

Some cases of such cooperation are known: for example, the FSB’s TsIB department, where Mikhailov worked, and the FBI worked together on the case against Roman Seleznev, the son of a State Duma deputy who is now serving a 27-year sentence in the U.S. for hacking into bank accounts. This is recorded in court documents in the case against Seleznev.

A tail was put on Mikhailov and his group by Russian intelligence around April, one of the sources close to them said. Another source close to a highly placed U.S. intelligence official confirmed that claim.

According to the Crowdstrike report, a second attack on the DNC took place in March. Eight months later, Mikhailov and his group were detained. And several weeks after that, right before the New Year, the outgoing Barack Obama administration leveled new sanctions against Russia. This time, they weren’t connected to Russian meddling in Ukraine.


Ridiculous. It’s just another excuse. I don’t believe it. They have no idea if it’s Russia or China or somebody. It could be somebody sitting in a bed some place.

Donald Trump

Fox News. December 2016

The sanctions target both the FSB and GRU for interference in the U.S. elections. But personal sanctions were only leveled against GRU head Igor Korobov and three of his deputies.

The sanctions list also included two hackers long sought by the FBI — Alexei Belan and Yevgeny Bogachev. The U.S. Treasury Department, which oversees sanctions, did not respond to a question about whether the two men were suspected of involvement in the DNC attack.

How did the case against Mikhailov and the others begin?

The charges brought against Mikhailov and the others were in no way connected to the possible leaking of information on hackers or last year’s attacks on the DNC, three sources close to the case told The Bell. Instead, to start the treason prosecution, the FSB used the case of the Russian entrepreneur Pavel Vrublevsky, owner of the payment system Chronopay.

Mikhailov and the three others originally were being held on charges that since 2007 they provided information about Vrublevsky to U.S. intelligence, who were also interested in him.

The group is charged with doing it for money. Mikhailov supposedly ordered his subordinate, Dmitry Dokuchayev, to pass on intelligence on Vrublevsky to U.S. officials, with Stoyanov acting as an intermediary. But the organizer of the deal with the U.S. was Georgy Fomchenkov, a fourth suspect. In February, the Reuters news agency reported that Fomchenkov is a former FSB official but little else is known about him.

Mikhailov and Vrublevsky are enemies of sorts. In 2011, Vrublevsky was sentenced to three years behind bars on charges of organizing a hacker attack on a rival payment system connected to the Russian state carrier Aeroflot — a charge Vrublevsky denies.

Back then, Mikhailov was the primary witness against him. But before he was locked away, Vrublevsky instructed his subordinates, including former Foreign Intelligence Service (SVR) employee Dmitry Burykh, to collect dirt on Mikhailov.

Burykh told The Bell that he found out Mikhailov had been working closely with Western intelligence agencies since 2010. A report written for Vrublevsky said that Mikhailov had leaked sensitive information “on Russian cyber-criminals, who had refused to cooperate with him, to a U.S. citizen”. More specifically, Mikhailov reportedly handed the U.S. citizen — a woman — information on Russian state-sponsored hacker attacks against Estonia and Georgia in 2007 and 2008.

Burykh says he found that Mikhailov gave the information to Stoyanov, who then passed it on to Kimberly Zenz of the U.S. company iDefense Intelligence. From there, it went to the U.S. Department of Defense.

How Mikhailov’s Group Leaked Information to the U.S.

(As described by former Foreign Intelligence Service employee Dmitry Burykh)

Sergei Mikhailov: TsIB FSB

Ruslan Stoyanov: Kaspersky Lab employee

Dmitry Levashov: former employee of one of Stoyanov’s companies

Kimberly Zenz [1]: analyst at iDefense Intelligence

Rick Howard [2]: former director at iDefense Intelligence

William Lynn [3]: former United States Deputy Secretary of Defense

[1] Zenz denies any involvement in the scheme.

[2] Howard declined to comment.

[3] Lynn declined to comment.

Burykh describes Zenz as a cyber-security expert who built a career around Russian cyber investigations. She lived in Russia for several years in the early 2000s and speaks fluent Russian, German and Farsi. Zenz declined to comment, but in an earlier interview with Reuters, she denied her involvement. She also told the RBC outlet: “I don’t work for the CIA, I never gave them intelligence and I have never been an agent for any government”.

Last year Vrublevsky became a witness in the case against Mikhailov.

What could be the motive of Mikhailov and the others?

The pro-Kremlin tabloid LifeNews ran an article reporting that the authorities allegedly found $12 million at Mikhailov’s country home. But speaking to The Bell, his lawyer, Ruslan Golenkov, and his wife, Anna, described that report as slander.

Stoyanov was paid, at most, only a few thousand dollars for his services, while Mikhailov was paid somewhat more, one source told The Bell. That information could not be verified by other sources and the defendants’ lawyers categorically deny that money was involved.

Mikhailov’s wife says they own a modest apartment in Moscow and an unfinished house in the Moscow region.

Mikhailov was married three times and Golenkov says that he gave his former wives all of his property upon divorcing. According to the State Real Estate Registry, Mikhailov and his ex-wife Natalia co-owned three apartments in another remote Moscow suburb.

Georgy Fomchenkov

Name: Georgy Fomchenkov

Age: Around 40

– Supposedly a former FSB official.

– An internet entrepreneur, one of the creators of the Whitebill.com payment system, popular among porn sites, spam distributors, and sites selling pharmaceuticals.

– Assumed to have supplied the FSB with teams of hackers whenever needed.

Dmitry Dokuchayev

Name: Dmitry Dokuchayev

Age: 34

– Former employee of the FSB’s Information Security Center, FSB Major.

– Until the late 2000s a criminal hacker, nickname: Forb. Specialized in credit card fraud. Got caught, agreed to work for the FSB.

– In the U.S., charged with hacking 500 million Yahoo! accounts in 2014. Wanted on an Interpol search warrant.

One of the colonel’s acquaintances insists that Mikhailov’s main motive to share information about Russian hackers with Western intelligence agencies was a desire to fight crime. A source at Kaspersky Lab also describes Stoyanov as a “romantic idealist”. “He saw that bad things were happening and tried to stop them”, the source says. Another acquaintance said that Stoyanov had known Mikhailov for a long time and had offered to help him as a friend.

The GRU and FSB did not respond to requests for comment. Vladimir Putin’s spokesman Dmitry Peskov said that the investigation of the case is not within the purview of the Presidential Administration, and that it has no information on the case.

This story is produced with the support of the Investigative Reporting Program at UC Berkeley

By Svetlana Reiter

Includes reporting by Anastasiya Yakoreva
