By Catherine A. Fitzpatrick
Brian Krebs, a respected cybersecurity specialist whose blog I've read for years, has an interesting post up about the Russian hackers.
The problem I have with it is the claim that Russian media is saying these hackers leaked to American cybersecurity experts.
The Russian media hasn't said that. They've maybe quoted some people who have speculated on it but it's more of a social media thing. Like you'll see this kind of tweet:
Арестован майор ФСБ(ОУ ЦИБ) Дмитрий Докучаев, теперь на его группу повесят все вторжения в системы в США. Отмена санкций в обмен на хакеров
— Vladimir Garnachuk (@volgaport) January 27, 2017
Translation: FSB Major (OU TsIB) Dmitry Dokuchayev has been arrested, now all the hacking into the US systems will be hung on his group. Cancellation of the sanctions in exchange for the hackers.
This is just a tweet, guys. It's not a found fact. It is not in a charging sheet or indictment or even in an investigator's statement leaked to the press. It's just someone rushing to the pessimistic conspiracy-theory conclusions that everybody rushes to in Russia because it's in Russia.
I think all such talk has to be expressed and debated and looked at. I'm not a net-nanny who says people shouldn't "rush to conclusions" and publish the names of suspects they've heard on police radio chat during the hunt for the Boston bombers ahem. I think the only way you get to the truth with a black box like Russia and a black sack like these hacker arrests is you talk, theorize, see if things fit, see if it sticks.
But you do have to point out that there is no CONNECTION. There is nothing to TIE these people to the US.
What's interesting about Krebs is the solid information based on his professional expertise that he HAS brought to this case, for example, although he's putting it himself in the form of speculation -- and later as you see, some interesting facts he has brought about ALLEGATIONS OF an American connection:
The arrests may very well be tied to a long-running grudge held by Pavel Vrublevsky, a Russian businessman who for years paid most of the world’s top spammers and virus writers to pump malware and hundreds of billions of junk emails into U.S. inboxes.
But we don't know that Vrublyovsky - arrested and given a relatively light sentence which he served -- is going to turn around and now talk to American security researchers sympathetically about how the DNC was hacked. We don't know that he OR his hired guns at the FSB hack shop are going to do that. We just don't. The fact that Vrublyovsky has blown in Mikhailov with these accusations for his own personal reasons -- he thinks he's part of the mob that got him in jail -- can't be accepted as facts on the ground because he's not a trustworthy interlocutor as an ex-con in a mafia world with a grudge.
The first thing I thought of when I learned Vrublyovsky (I'm translating it the way it is pronounced in Russian) was a spam king -- hmm, you mean like those marketing people -- spam for some people -- that were said to be on Trump's server talking to Alfa's server? Any relation?
Krebs then goes on to tell you about King Servers, which we already knew about from the New York Times:
That report was based in part on an August 2016 alert from the FBI (PDF), and noted that most of the Internet addresses were assigned to a Russian hosting firm called King-Servers[dot]com.
But then you'd have to tie the King Servers affair to the material we have from the FSB leaks to see if it "fits".
Krebs then tells you about a statement on Chronopay's website (I had alluded to his counter-argument in one of my stories):
“The analysis of the internal data allows King Servers to confidently refute any conclusions about the involvement of the Russian special services in this attack,” Fomenko said in his statement, which credits ChronoPay for the translation. “The company also reported that the attackers still owe the company $US290 for rental services and King Servers send an invoice for the payment to Donald Trump & Vladimir Putin, as well as the company reserves the right to send it to any other person who will be accused by mass media of this attack.”
Let me put my translation:
The company King Servers, which owns the servers from which hacker attacks were made on the servers of the Democratic Party in Illinois, have declared the absence of any "Russian trail" in the organization of this cybercrime. This company also says that the miscreants owed $290 to the company for the rental of the servers and are retaining the right to send a bill for payment to Donald Trump, Vladimir Putin and any other people who are accused by the media in this attack.
Krebs then writes some more interesting detail:
I mentioned Vrublevsky in that story because I knew Fomenko (a.k.a. “Die$el“) and he were longtime associates; both were prominent members of Crutop[dot]nu, a cybercrime forum that Vrublevsky (a.k.a. “Redeye“) owned and operated for years. In addition, I recognized Vrublevsky’s voice and dark humor in the statement, and thought it was interesting that Vrublevsky was inserting himself into all the alleged election-hacking drama.
That story also noted how common it was for Russian intelligence services to recruit Russian hackers who were already in prison — by commuting their sentences in exchange for helping the government hack foreign adversaries. In 2013, Vrublevsky was convicted of hiring his most-trusted spammer and malware writer to attack one of ChronoPay’s chief competitors, but he was inexplicably released a year earlier than his two-and-a-half year sentence required.
All of this is interesting and useful, but then there is the claim that “many Russian media outlets now report the men are suspected of leaking information to Western investigators about Russian cyber intelligence operations.” They haven't said that (read everything I've done on this); if there is one English-language source saying it, it's speculative.
Well, sure. Except we need to dig deeper here. Why was Vrublyovsky trying to hack and mess up a competitor? Who put him up to that? What is Asset (the rival) all about? Who is behind it? Does Aeroflot itself have any preference or payout or thing that would lead us to suspect they had a preferred payments processor? And so on.
This story can't be looked at SOLELY from the perspective of the field of cybersecurity -- although it may turn out to be about that. Hackers are not just powers in society themselves; they are hired guns for other people, maybe more than they are in the US so this might be hard to contemplate for some.
Sure, the FSB needs hackers, and so does the NSA, which is why they make poor hiring choices involving ex-cons or people like Snowden.
But really, a spam king hired by X Big Gun in Russia is hired by the FSB just because they need hackers? This is only true if the people who put him up to attacking Asset were utterly aligned with the FSB or WERE the FSB, because THEY had a business interest in having one payment system over another. SUCH an interest that they'd be willing to cause poor Aeroflot, which is now private and has had a shit-ton of its own internal problems, to lose more than a million dollars over loss of ticketing services for days. Truly, guys, that bit has to be researched because it explains MOTIVE.
The "inexplicable release" can't be ONLY explained by the FSB's need for hackers. After all, Russia is a vast country of nerds and educated programmers, and not all were fortunate enough to escape to get a job for Google or Facebook in California. Sure, they may need some very sophisticated ones. And the issue here isn't that Vrublyovsky himself sits and bangs the keyboard, what this may be about is an understanding that he comes "with" a team or at least a very clever hacker that is his gunman, and that's what the FSB wanted. We don't know. But just looking at it all from my perspective, I'm thinking the early release comes from some business interest with connections that wanted Aeroflot or Asset harmed, and had the assets in the Investigative Committee or the Federal Corrections System to spring Vrublyovsky, likely using the UDO "time off for good behavior" system. Many an "asset" has been sprung in this way; we have only to recall the former minister of defense's mistress when they were all caught in an apartment sale scam.
This bit from Krebs is interesting, just like the original story by Andrew Kramer which is VERY INTERESTING, but I need to see the guy:
Meanwhile, the malware author that Vrublevsky hired to launch the attack which later landed them both in jail told The New York Times last month that he’d also been approached while in prison by someone offering to commute his sentence if he agreed to hack for the Russian government, but that he’d refused and was forced to serve out his entire sentence.
That is, forgive me for being a tad skeptical of weepy stories that suddenly appear in the NYT at a time when we need to imagine that there are some people who might turn to helping us prove the Trump dossier is totally real.
That is, I voted for Hillary and I'm quite prepared to believe all these bad things, but I have spent a lot of time myself trying to research the Russian connection to Trump. And I don't find the smoking gun. There are many promising angles that maybe some journalist will push through to such a smoker -- and in my view, the Alfa-Trump servers story is very likely, and I utterly disbelieve Glenn Greenwald and Snopes on this -- I think Franklin Foer got it right and I'm glad he persisted to his second story.
PS just as an aside, guys. How come all the same hackers and lefty geeks and Anon script kiddies and crypto kids, as well as the lefty and liberal blog sites and media who feed off them who were blasting us all for months on end saying the Russians couldn't POSSIBLY be behind the DNC and other hacks and there was "no proof" are instantly finding a million angles to show the Trump dossier is real because an ex-con spam king says so, or because the fact of arrests of Russian hackers at/around the FSB tells us this?
Seriously, it is awfully damn strange. What are the explanations for this?
1) Russia is now working overtime through its networks of influence to get people to believe in the authenticity of the Trump dossier, because they know if they do that, they can endlessly keep busy chewing and arguing about whether Michael Cohen was really in Prague, or whether the Russian in the cybersecurity firm is in Kaspersky Lab or King Servers or WHERE, and never focus on the fact that this is a decoy, and the FBI has OTHER information, but maybe they can't close in on the suspect.
2) These people had a change of heart when Trump was really elected and the veil fell from their eyes and they now have gotten religion about Russia.
Well, alright.
The most important thing Krebs has is information we couldn't have known as it was his private knowledge he didn't relate until now:
In that conversation, Vrublevsky said he was convinced that Mikhaylov was taking information gathered by Russian government cybercrime investigators and feeding it to U.S. law enforcement and intelligence agencies and to Zenz. Vrublevsky told me then that if ever he could prove for certain Mikhaylov was involved in leaking incriminating data on ChronoPay, he would have someone “tear him a new asshole.”
But we already know from the Russian media (leaks from the FSB and whatever) that Vrublyovsky has been trying to wriggle out of the charges against him -- which we don't know are true or not given that he is a spam king and the sort of person to hire creepy cyber thugs for his work -- that Vrublyovsky was crying the blues about how these nasty FSB men were ganging up on him.
I'm afraid to go look for who really owns Chronopay and Assets because this is likely above my pay grade as a blogger. I do recall that on railroad ticket processing apps operating on the Internet, Navalny was able to uncover a big scam by Putin's friend Vladimir Yakovlev, former CEO of Russian Railways. So, I figure both the air ticket systems are of that nature -- big oligarchs behind them because they involve lots of cash payments that perhaps are easily not recorded and turned into slush funds or diverted offshore.
Let's do back up here, however. Why would this good, trained, solidly employed FSB agent Mikhailov, who, unlike the other people arrested, didn't previously work for an FSB rival (Department K at the police) like Stoyanov, and wasn't a hacker forced to become an FSB agent, like Dokuchayev and Anikeyev, decide he needed to blow things into the Americans? Why?
Would any pay that our probably not terribly competent spy people could offer him, or any operational cover they could offer him (obviously blown now if they were really in it), be worth it?
Obama promised the Russians that he would respond to the Russian hack of the DNC and the other bad things "in kind". Is this the blow-up of that thing? That equal things would be done to the Russians. Were they done? Did they work? Or? I remember when I read that I was worried, because I don't think intelligence under Obama is capable of that. Forgive me, but it's not just the lack of leadership and the waning of skills for 8 years, but it's just a general sense that Russian specialists don't exist in these places anymore capable of this kind of job, and these agencies are hopelessly penetrated by moles, which is why we have Snowden. I have absolutely no reason to think that other than a hunch, so maybe -- I hope -- I'm wrong. Perhaps the arrest of Mikhailov is a failed CIA operation. But for me, it's a more plausible scenario to believe it's a failed operation by German Gref.
It's hard for me to believe that anybody in Eugene Kaspersky's shop would be helping American intelligence, for lots of reasons.
This theory Krebs puts forth, based on the ex-con Vrublyovsky's variant, is that Mikhailov is crooked and helping the Americans. About Ruslan Stoyanov, Vrublyovsky said he is a former agent of the Interior Ministry's BSTM, which we knew, but he adds that he was "fired for who the hell knows why" and that he "took direct part in the operation with the British police on the DDoS attacks on the British casino by the group from Saratov."
Well, we need British intelligence/journalists/somebody to corroborate that there was this thing.
He says Stoyanov organized a mini-company called Indrik that had no website and it's not clear if it is even a registered company which is supposed to be involved in DDoS protection. "Kiryushen, in the last attack on Aeroflot, recommended them. Likely not without Sergei's help," i.e. Mikhailov.
You see, if these things were true, they happened on Kaspersky's clock, and then Eugene is either in on them or not. Perhaps the reason he is absolutely silent about this man's arrest is that he has nothing to do with this (or everything to do with it, but likely the former) and just will let him burn. Obviously it wouldn't be good for his business, which relies on the FSB's good graces, to have such a hobby thing like this going on.
I still want to know how Department K's guy at Kaspersky got to hob-nob and do ops with the FSB's Mikhailov. Were they in Komsomol together? No, too young. Karate class? These are not natural allies so that means this is either a very weak place in this story or there's "a thing" we haven't seen, i.e. "another Russian". That is, Kaspersky's finally-public collaboration with the FSB on fighting cyber-crime announced in 2013 when Stoyanov was said to be hired does not explain it. It might even have been hard for the FSB to accept that Kaspersky's guy, from their rival, Department K, was someone they now had to play nice with for the sake of crime-fighting for the Motherland. I just don't know the dynamics. We need more here. The theory of the case asks us to believe these two colluded AND they had an American angle, and I'm not buying either completely.
Obviously, as much as we think of Russia as a monolith with companies and government and intelligence all intertwined, in fact it is more complicated and a harried Aeroflot official has to find some hacker-helper for his site ticketing problems like any executive in the world, and hires a private company not knowing what he gets, or even hires them but doesn't realize that even unknown to them, some guy is working some other angle.
Cyber-anarchists are the people who really run things in the world as I explained in my book three years ago. Krebs quotes Vrublyovsky's email -- my translation:
Stoyanov has an employee whom nobody knows about -- Dmitry Levashov. Levashov lived for a long time with a certain Kimberly Zenz. She in turn is the main official specialist on Russian issues for the company iDefense. Almost all negative documents about Russia (DDoS attacks on Estonia, Georgia, the mythical RBN) are signed by her.
Well, here I'd interpret Vrublyovsky as being pro-Putin, pro-FSB largely speaking and therefore not a friend to the cause of finding out who hacked the US. So I'd be careful.
What he's doing here is burning Mikhailov with the things he thinks he can best burn him -- contact and leaking to the Americans. He continues:
Sergei Mikhailov's main asset is the ability to look at data in wallets in the Webmoney system using the cooperation with the FSB TsIB of the latter. And they in turn in secret from the user collect an enormous collection of data on system users, and accordingly know the wallets of any ill-doer; to find him out exactly is next to elementary. It looks like Ruslan and Sergei found various "marks" who were easily turned or on whom there was a large base of evidence and through Kimberly, leaked to iDefense, so that the latter turned now already for their own profit an event or a crime into one with a global international hue, and officially through US intelligence dumped to Russia, where it landed on Sergei's desk and thus often made a mountain out of a molehill; the latter would defend itself elegantly, and iDefense would receive incredible grants from the USA in the struggle with the Russian threat.
Well, the acidic tone of this piece, which Krebs also remarks on, and the cynical and anti-American feeling shining through, lets me know that this testimony itself is not trustworthy. Maybe Mikhailov did these things; maybe not.
I personally don't buy the theory of "large grants from the US government" as a reason for the motivation of cybersecurity companies because I think a) this isn't true for all of them at least b) things don't work here as they do as in Russia and c) it's a very primitive explanation for the motivation of professionals who aren't required to get government contracts (as they are in Russia) but can go to private companies and likely earn more.
But hey, now that we know that "the system works this way," according to Vrublyovsky, we'd have to wonder if the entire story of "brave Russian hackers leak the truth about Putin's hack of the DNC to US intelligence to save the world from Trump" in fact works this way, i.e. is fake. I guess I don't buy that narrative for a 100 reasons which I can put in another post if you don't get it.
Krebs then quotes the lady in question, Kimberly Zenz:
“It is hard for me imagine how Vrublevsky would be so powerful as to go after the people that investigated him on his own,” Zenz told KrebsOnSecurity. “Perhaps the infighting going on right now among the security forces already weakened Mikhaylov enough that Vrublevsky was able to go after him. Leaking communications or information to the US is a very extreme thing to have done. However, if it really did happen, then Mikhaylov would be very weak, which could explain how Vrublevsky would be able to go after him.”
Bingo. There is some oligarch, person, thing behind all this -- go back to that huge loss Aeroflot suffered. Aeroflot is a government company but as an "asset" it must belong to a certain clan/mafia group. More research is needed. I agree that on his own, this low-level guy who may have gotten an FSB friend to moonlight for him, wouldn't do all these other things.
Since Zenz and all the others in this story are really basically interested in the success of their commercial field, which relies on trust, this comes next:
Nevertheless, Zenz said, the Russian government’s treason case against Mikhaylov and Stoyanov is likely to have a chilling effect on the sharing of cyber threat information among researchers and security companies, and will almost certainly create problems for Kaspersky’s image abroad.
“This really weakens the relationship between Kaspersky and the FSB,” Zenz said. “It pushes Kaspersky to formalize relations and avoid the informal cooperation upon which cybercrime investigations often rely, in Russia and globally. It is also likely to have a chilling effect on such cooperation in Russia. This makes people ask, “If I share information on an attack or malware, can I be charged with treason?’”
Andrei Soldatov said the same thing to the Guardian; others have said that the main lesson learned from this story is that all these relations between Russian/international cybersecurity firms with the FSB and their set of recruited or hired hackers are going to have to be re-negotiated.
Forgive me if I'm not staying up late worrying about their problem, and wondering if it is a good idea to date Russians if your job is to deal with security related to Russia. The reality is, this world is impossibly interbred now. The main hope of our proof for the DNC hack (or at least a major source of the proof) is a Russian emigre (Dmitry Alperovsky) that you have to hope to God doesn't have a grandmother in Russia having her pension removed now, or some other form of pressure.
No one is going to listen to my thoughts on this because I'm a crazy cat lady and not a geek but I think some may accept the premise that not every Russian citizen or emigre will be trustworthy and in that kind of situation, you have only one hope: triangulate, triangulate, triangulate with other Russians to try to get the story.
My answer to Krebs:
There isn’t any Russian media actually saying that point; I’ve covered this story pretty extensively, translating the main articles. Perhaps there’s one story in the English-language Moscow Times or something, but be specific.
I think there has been speculation on Russian social media, and comments sometimes reported by media that maybe there is some “leak to Westerners” angle on this. I was the first to report this in English and I explained the complicated way in which one *might* extract how this *might* be a swoop down by counter-intelligence to burn people who exposed Russian officials in the Trump dossier or something related to the US. That’s extrapolation from known facts, which is like lost-wax casting.
That’s because it’s Russia. We don’t know. There is no indictment, no lawyer, no weeping relatives, no human rights groups with a shred of info from other prisoners, no co-workers leaking, no neighbours talking about strange men in masks — NOTHING. ALL we have are two or three FSB agents leaking a story told from THEIR perspective.
I urge you to read through everything we’ve published to see if you can put together any other hypotheses, which are always useful.
Fourth Arrest Comes to Light in Russian Hackers’ Case
http://www.interpretermag.com/russia-update-january-28-2017/#16023
‘Hybrid Cyberwars’: Are the Russian Hackers’ Arrests About American or Internal Russian issues?
http://www.interpretermag.com/russia-up … 017/#16021
Novaya Gazeta Learns of 3rd Arrest in Hackers’ Treason Case: Is FSB Agent Major Forb the Head of Shaltai-Boltai?
http://www.interpretermag.com/russia-up … 017/#16021
Russian Hackers and FSB Agents Arrested in Moscow for ‘Treason’ on Suspicion of Leaking to US Intelligence
http://www.interpretermag.com/russia-up … 017/#16007
Top Manager of Kaspersky Laboratory and FSB Officer Arrested in ‘Treason Case,’ Kommersant Reports
http://www.interpretermag.com/russia-up … 017/#15997
Kaspersky Lab Denies Arrested Russian Cybersecurity Expert Was ‘Top Manager’; Case Related to His Previous Work
http://www.interpretermag.com/russia-up … 017/#15999
PS I should add in fairness that now we have the news Krebs has brought about Vrublyovsky's emails. But we already knew Vrublyovsky was fuming and busy trying to find a way to "get" the FSB people he thought had burned him. So it's just not enough until we find out more who is behind the companies, German Gref, etc.
PPS this is an interesting comment -- after a bunch of comments under the Tsargrad article by people who want to kick Gref's ass and send him to hard labor!
Natalya Makeyeva, 4 days ago 07:30
S. Mikhailov was apparently at FAPSI in the 1990s and at the same time doing who knows what at RBC...
Read more: Purge of the FSB TsIB: The Struggle for Big Data http://tsargrad.tv/article/2017/01/25/zachistka-cib-fsb-borba-za-bigdata
So Mikhailov worked in FAPSI? Did he? Really? Then he is KGB not just FSB.
He was at RBC? Oh? In what capacity?
Needs research.
Posted by: Catherine Fitzpatrick | January 29, 2017 at 12:48 AM