Blurred boundaries.

Photographer: VASILY MAXIMOV/AFP/Getty Images

How Russian Hackers Became a Kremlin Headache

Leonid Bershidsky is a Bloomberg View columnist. He was the founding editor of the Russian business daily Vedomosti and founded the opinion website Slon.ru.

The recent arrests of Russian cybersecurity officials in Moscow likely had little to do with last year's U.S. election. The story behind them, however, sheds some light on the relationship between the Russian government and the hackers who work for it.

The web of names and their interconnections can be a little hard to follow but is worth it. It shows that these hackers -- some of whom are intelligence officers -- are often essentially privateers, engaged in their own freelance business projects as well as official government business. The Moscow arrests have been reported piecemeal by Russian media over the last week. The arrestees include Sergei Mikhailov, deputy head of the Information Security Center at the FSB, the domestic intelligence service; Major Dmitry Dokuchaev of the same unit; and Ruslan Stoyanov, an employee of cybersecurity firm Kaspersky Lab, who previously served at the Interior Ministry's cybercrime unit. Another civilian, former journalist Vladimir Anikeev, was also arrested.

There have been six arrests in all, according to the usually well-informed pro-Kremlin tabloid Life.ru. At least some of the arrested men are being accused of treason, so the government won't provide any details of the case, but some tell-tale leaks provide clues. 

The first leak surfaced on the ultra-nationalist site Tsargrad.tv, funded by Konstantin Malofeev, a pro-Kremlin financier with telecom interests who has also backed Russia's intervention in eastern Ukraine. It linked Mikhailov to a group of hackers known as Shaltai Boltai, or Humpty Dumpty. In the last few years, this group has published the e-mail archives of a number of Kremlin and Russian government officials, including Prime Minister Dmitry Medvedev and his deputy Arkady Dvorkovich.

A second leak, on Rosbalt, a website close to President Vladimir Putin's former drug czar Viktor Cherkesov, went further. Quoting an unnamed source, Rosbalt claimed that last year, Mikhailov's unit was ordered to "work on" Shaltai Boltai. The FSB team reportedly uncovered the identities of the group's members -- but, instead of arresting and indicting them, Mikhailov's team tried to run the group, apparently for profit or political gain. According to the Rosbalt source, it was deemed that they'd gone too far after a Ukrainian website published the contents of the official mailbox that belonged to Putin adviser Vladislav Surkov. The Rosbalt leak identifies Anikeev as "Lewis," Shaltai Boltai's leader, and claims he was responsible for the Surkov hack.

Shaltai Boltai never pretended to be principled hacktivists. In a 2015 interview with the independent website Meduza.io, a man calling himself "Lewis" claimed the data dumps on top Russian officials were "a side product of different games," namely of a for-profit operation that searched for compromising material for wealthy and highly placed clients. "We get orders from government structures and from private individuals," he told the interviewer. "But we say we are an independent team. It's just that often it's impossible to tell who the client is. Sometimes we get information for intermediaries, without knowing who the end client is."

It's clear why such a competitive intelligence operation could be an interesting sideline for FSB officers. The officers come by all sorts of information in their line of work, and if sold indirectly, through an "independent contractor," it can supplement their FSB income. It works both ways; the FSB's Major Dokuchaev, who reportedly worked on the Shaltai Boltai case, used to be a respected Yekaterinburg hacker nicknamed Forb until he was recruited by the FSB.

The FSB may have got wise to Mikhailov's private schemes after it began investigating why the FBI was interested in a Russian company called King Servers, involved in an attempted hack of voting systems in two U.S. states. The owner of King Servers is a partner of internet businessman Pavel Vrublevsky, who has long claimed Mikhailov had links to the FBI.

According to a piece in Moscow's investigative Novaya Gazeta, the FSB investigation failed to unearth any cooperation between Russian officers and the FBI on the election-related hacks, but it did reveal the Shaltai Boltai connection.

The Russian leaks could be FSB red herrings. But the different pieces of evidence together point toward the Shaltai Boltai version of the arrests. That version is in line with how security agencies generally operate in Putin's Russia: Parallel to their official duties, officers often run private security operations involving blackmail and protection. If Mikhailov ran such a business out of the FSB's Information Security Center, he wouldn't stand out among his colleagues. But in the paranoid world of Putin's third presidential term, leaks of information to Ukraine and to the U.S. would have been impermissible.

Those in the West who fear government-sponsored Russian hackers must keep in mind that these are not people who willingly subject themselves to any kind of military discipline. They aren't necessarily patriots, either. An FSB officer, recruited from the hacking community, can use his rank and position to obtain compromising material and sell it to wealthy clients. A team profiting from these opportunities can include both officers and civilians. The Russian government can hire such a team through intermediaries if it needs something sensitive done -- but so can foreign intelligence services. 

It's a murky world in which actors are both predator and prey. The Kremlin enjoys access to brilliant and unscrupulous people; the downside, of course, is that they may be hard to control.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

To contact the author of this story:
Leonid Bershidsky at lbershidsky@bloomberg.net

To contact the editor responsible for this story:
Therese Raphael at traphael4@bloomberg.net