Malicious Life Podcast: Infighting and Treason in Russia’s Cyber World

On Dec. 5, 2016, two senior Russian Intelligence officers and two civilians were arrested and accused of treason. A few weeks later, when Western journalists were finally able to speak with the men’s lawyers, they learned that the case was based on events that were, oddly enough, already widely known. This made the arrests even more peculiar.

As more details emerged, the picture became clearer, offering Westerners a rare glimpse into the typically secretive world of Russian intelligence.

About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several high-tech companies in Israel.

In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.

Caught in the Crossfire: Infighting and Treason in Russia’s Cyber World

Colonel Sergei Mikhailov was one of Russia’s top cybersecurity experts. As the deputy head of the CIB—Russia’s Center for Information Security, a unit of the FSB, the country’s main security agency—he was involved in almost every cybercrime investigation in Russia over the past 10 years, and was highly respected by his peers in the West.

You can imagine how shocked he must have been on December 5, 2016, when, during a staff meeting in Moscow, several police officers burst into the room, placed a black bag over his head, and led him away in handcuffs. 

Later that same day, Ruslan Stoyanov was preparing to board a flight to China. He was also a leading cybersecurity expert, head of the Cyber Incident Investigations department at Kaspersky Lab, and responsible for the company’s relations with local law enforcement. Stoyanov sent a text to his wife to let her know he had just checked in for his flight, but he was arrested before he could board the plane.

Two more men were arrested that day: Major Dmitry Dokuchayev, Mikhailov’s second-in-command, and Grigory Fomchenkov, about whom almost nothing is known, except that Russian news outlets refer to him as a ‘shady businessman’.

Intelligence agencies are notoriously secretive, and Russia’s are no exception. It took nearly two months for word to reach Western news outlets, and even then, no one knew the reason behind the ‘mysterious spate of arrests,’ as The Washington Post put it. The only information Russian authorities were willing to reveal was that the four men had been charged with treason. No other details were provided, as the case was classified as a ‘state secret.’ 

A few weeks later, when journalists were finally able to speak with the men’s lawyers, they learned that the case was based on events from almost six years earlier—events that were, oddly enough, already widely known. This made the arrests even more peculiar.

As more details emerged over time, the picture became clearer, offering Westerners a rare glimpse into the typically secretive world of Russian intelligence.

Pavel Vrublevsky

Pavel Vrublevsky likes to claim that there are no Russian hackers, and that all these stories about Russian cybercriminals terrorizing businesses around the world—many of which we’ve shared on this podcast—are just myths, promoted by cybersecurity vendors trying to hype their products.

The irony is that Vrublevsky himself is one of these cybercriminals—and a highly successful one at that. Journalist Brian Krebs dedicated an entire book, Spam Nation, to Vrublevsky’s exploits, which include peddling fake antivirus software and running a highly profitable pharmacy spam affiliate program. 

In 2010, Vrublevsky was arrested in Russia for orchestrating a DDoS attack against a rival business. Vrublevsky’s company, ChronoPay—an online payment system—was competing with another firm for a contract with Aeroflot, Russia’s largest airline. When the other company won the contract, Vrublevsky bombarded its system with fake payment requests, preventing it from processing e-ticket payments on Aeroflot’s website.

Sergei Mikhailov’s CIB division investigated the case, and Mikhailov himself testified for three hours at the trial, which ended with Vrublevsky being sentenced to three years in prison.

If that wasn’t enough to fuel Vrublevsky’s anger against Mikhailov, he also suspected that the CIB deputy had leaked thousands of incriminating emails and documents stolen from ChronoPay’s network to Brian Krebs, and possibly to Western law enforcement agencies as well. Krebs himself partly confirmed these suspicions on his blog: 

“My book Spam Nation identified most of the world’s top spammers and virus writers by name, and I couldn’t have done that had someone in Russian law enforcement not leaked to me and to the FBI tens of thousands of email messages and documents stolen from ChronoPay’s offices. To this day I don’t know the source of those stolen documents and emails.”

Vrublevsky wanted revenge, or as he colorfully put it, to “tear [Mikhailov] a new asshole.” While in prison, he directed his subordinates to investigate Mikhailov’s past and dig up dirt on the CIB officer. According to Vrublevsky, this investigation confirmed that Mikhailov was indeed the one who leaked his stolen documents. This is also where Kaspersky Lab’s Ruslan Stoyanov enters the picture. 

Before joining Kaspersky Lab, Stoyanov worked for the Main Directorate of Internal Affairs of Moscow, the agency responsible for law enforcement in Russia. It was there that he met Sergei Mikhailov, and the two cybersecurity experts became close friends. Vrublevsky claims that Stoyanov became a middleman between Russia’s cyber law enforcement and the private sector. According to Vrublevsky, Mikhailov gave Stoyanov a CD loaded with ChronoPay’s incriminating data. Stoyanov allegedly took the CD to a Microsoft conference in Canada, where he gave it to Kimberly Zenz, a senior threat analyst living in Moscow at the time and a close friend of his. Vrublevsky claims that Zenz passed the leaked data to Krebs and the FBI. Zenz herself denied these accusations.

In 2011, Vrublevsky handed his investigation’s findings to Russian law enforcement officials, but to his bitter disappointment, nothing happened. It could be that Mikhailov’s position within the Russian intelligence establishment was too powerful to be threatened by Vrublevsky’s claims—or because, as some sources suggested, such information sharing between the CIB and Western intelligence agencies was actually quite common. Those who knew Mikhailov and Stoyanov described them as idealists, adamant about fighting cybercrime, who saw collaboration with foreign intelligence agencies as essential.

A Step Too Far

But it seems that somewhere between 2011 and 2016, Sergei Mikhailov went a step too far.

A while back, in an episode titled ‘Did the Punishment Fit the Crime?’ we told the story of Roman Seleznev, a 34-year-old cybercriminal who was arrested by the Secret Service in the Maldives in 2014 and subsequently sentenced to 27 years in prison. Some in the Russian Intelligence community suspected that Mikhailov was the one who provided US law enforcement with the information that led to Seleznev’s arrest. If that was indeed the case, then it’s highly likely that Mikhailov’s actions pissed off the wrong people in Moscow, since Seleznev’s father is a prominent businessman and a member of the Russian parliament. Two more Russian cybercriminals were arrested and tried in the U.S. around the same time—again, allegedly with Mikhailov’s active assistance, and possibly with help from Kaspersky Lab’s Ruslan Stoyanov as well.

Whatever the reason, it seems that the GRU – Russia’s foreign military intelligence agency – launched a covert investigation into the CIB and Sergei Mikhailov’s actions. This was likely when someone at the GRU recalled the information provided by Pavel Vrublevsky about how Mikhailov and Stoyanov orchestrated the transfer of leaked data to the FBI in 2010. This information likely led to the 2016 arrests and the accusations of treason. Russian media reported that 10 million dollars were found in a raid of Mikhailov’s home, supposedly a payment he received from the US for the information he delivered.

If that is indeed the case, Mikhailov wouldn’t be the first spy caught for selling national secrets to foreign Intelligence agencies. But as many western commentators have remarked, something about this story seems… off. First, it’s hard to see how sharing information with a foreign law enforcement agency about a convicted criminal could be considered treason. And second, even if it was treason, the authorities knew about it for at least four years before taking any action. So why were Mikhailov, Stoyanov, and their colleagues only arrested in 2016? It doesn’t make any sense—unless viewed in a much broader context, one involving the discord between rival factions within the Russian government.

Infighting

Rivalry between competing organizations isn’t new, nor is it exclusive to Russia: the US Army, Navy and Air Force, for instance, are notorious for competing over jurisdiction and budgets. A good example is the tension between the Army and Air Force over the Army’s use of the newly invented helicopter for battlefield mobility and airpower in the 1950s and ’60s. The Air Force saw the Army’s use of aircraft as encroaching on their domain, and the two branches clashed over who would control such missions. More recently, the Air Force and Navy have been competing over the development of long-range capabilities: the Air Force is investing in the B-21 next-generation stealth bomber, while the Navy is developing shipborne hypersonic attack weapons. Such duplicative development is clearly inefficient, and budget constraints make the competition between the branches even fiercer. 

In principle, some rivalry and internal competition between agencies can be beneficial, as it can push both sides to perform better. But in this case, the internal infighting seems to do Russia more harm than good. A prime example of this is an event many of you are already familiar with.

In the Spring of 2016, representatives from the Democratic National Committee (DNC) reached out to CrowdStrike, asking them to investigate a potential breach of the DNC’s computer network. CrowdStrike’s investigators uncovered not one, but two separate hacks. The first, by a group known as ‘Cozy Bear,’ occurred in the summer of 2015, almost a full year earlier. The second, by a different group of hackers called ‘Fancy Bear,’ took place in April 2016, just weeks before the incidents were discovered. 

What’s interesting, in the context of our story, is that both Cozy Bear and Fancy Bear are APT groups working for the Russian government: Cozy Bear, also known as APT-29, is associated with the FSB, while Fancy Bear, or APT-28, is linked to the GRU. According to CrowdStrike’s findings, the two hacking groups operated independently of each other and may not have even been aware of each other’s presence in the DNC’s network. The fact that two separate threat actors were in the network at the same time likely increased the chances of them being detected and the entire operation being exposed.

If true, this might indicate that the two Russian Intelligence agencies weren’t sharing information with each other, and may have even independently pursued different goals – suggesting that the Russian Intelligence community is not a single, monolithic entity, but a collection of rival organizations, competing for both budgets and responsibilities. The FSB, for example, prides itself on being more professional than its military counterpart: Mikhailov reportedly quipped that “the GRU breaks servers brazenly, clumsily and crudely, and […] traces of GRU attacks were always visible.” There’s also infighting within the FSB itself: Mikhailov’s CIB shares some of its responsibilities with another subunit of the FSB, the Center for Information Protection and Special Communications. 

Intra-government infighting isn’t new in Russia, either – but it became much more ferocious in the past twenty years or so, as Putin’s rise to power caused a seismic shift in Russian politics. During the first years of his reign, Putin sought to limit the influence of regional governors and oligarchs, and strengthen the political power of those loyal to him. These tensions have escalated dramatically ever since the Russian annexation of Crimea in 2014 – and even more so after the invasion of Ukraine in 2022.

Kimberly Zenz, the analyst who was accused by Pavel Vrublevsky of collaborating with Mikhailov and Stoyanov, spoke about the situation in a Black Hat talk she gave in 2019. 

“Right now in Russia, there is a situation of escalating infighting. Such infighting is not unique to Russia: many countries have intra-agency competition, but it is more pronounced there – and it is also more pronounced there than it was a few years ago. A phrase I often come across is […] “previously unthinkable”. That is, the amount of infighting and the consequences of infighting have reached a level that was previously unthinkable.”

When Zenz says ‘previously unthinkable’, she’s probably referring to events such as Yevgeny Prigozhin’s rebellion in June 2023. Prigozhin owned the Wagner Group, a private army which he put at Putin’s disposal after Russia’s ground forces suffered surprisingly substantial casualties in the invasion’s initial stages. This heightened Prigozhin’s influence and power, and emboldened him to openly criticize his arch-rivals in the Russian military, Defense Minister Sergei Shoigu and the chief of the General Staff Gen. Valery Gerasimov. In May 2023 he released a video showing him standing in front of bodies of slain troops, and yelling insults at the weak and incompetent military leaders who he claimed refused to supply his forces with ammunition. 

A few weeks later, on June 23rd, in response to alleged missile strikes launched by the Russian regular army against his Wagner troops, Prigozhin declared open war against the Ministry of Defense. For some 24 hours, the world watched in awe as Prigozhin’s soldiers advanced towards Moscow, in what Putin himself denounced as “treason.” The crisis was only averted when Belarusian president Alexander Lukashenko managed to broker a deal with the fuming mercenary leader. If Prigozhin hoped that Putin would honor the deal, he was probably naive: two months later, his plane crashed under mysterious circumstances en route from Moscow to St. Petersburg, killing him and nine other people on board. US officials believe that a bomb was planted in the aircraft before takeoff.

According to Zenz, in the last few years the stakes for Russian officials involved in such internal conflicts have risen considerably. 

“One big thing that has changed is the outcomes. Prior to 2014, if you lost some kind of an institutional conflict there was a good chance you would lose your job, you might face criminal charges – but you probably weren’t going to go to jail. You might even keep your ranks and benefits, you might keep your money. So it wouldn’t be good – but you’d probably be okay. Now, you’re more likely to face arrest and prison.”

According to a recent study, at least 35 high-ranking officials were prosecuted in the past few years: 25 of them received prison time, with 18 sentenced to more than 5 years. 

If Zenz is correct, then it’s likely that Mikhailov and Stoyanov were victims of this infighting. The cause might be their mutual objection to Russia’s practice of covertly enlisting criminals to attack its adversaries, in return for protecting them from foreign prosecution as long as they avoid targeting victims inside the country. Stoyanov, in particular, is a very vocal critic of this practice, going as far as chastising the Russian government even after he was arrested, in an open letter he sent to a local journalist from his prison cell. 

It might be tempting to view the escalating infighting inside the Russian Intelligence community as good news for Russia’s adversaries in the west, as it incentivizes its leaders to prioritize their domestic rivals over their foreign ones – but Kimberly Zenz says that’s not necessarily true, in the grand scheme of things, because – 

“This incentivizes them to take risks and act aggressively. [One example] of such very aggressive and risky behavior that had unintended add-on effects, I think, is NotPetya. […] It does seem pretty clear they were trying to target Ukraine. I don’t believe that anyone in any of the Russian security services was trying to cause 10 billion dollars in global damages and slow shipping and stop medication being produced. […] It got out of control.”

Another consequence of the infighting is reduced cooperation between Russia’s law enforcement and their western counterparts, since an official who engages in such cooperation – as was evident in Mikhailov’s case – risks having his rivals accuse him of unpatriotic acts. Kimberly Zenz thinks this was intentional: someone in Russia’s Intelligence, she says, wanted to send a chilling message to those who wish to collaborate with western law enforcement. And indeed, it seems that since the arrests, such collaborations have decreased significantly.

Epilogue

In the year after their arrests, Mikhailov and Stoyanov were held in a pretrial detention center. They were reportedly kept in cramped cells with no hot water. In October 2018, the 40-year-old Stoyanov was rushed to the hospital in critical condition, after a pulmonary inflammation caused a blood clot to block a critical blood vessel. He survived, although his exact medical condition is unknown.

The trial itself was also conducted behind closed doors. Pavel Vrublevsky was called to testify against the man who had helped imprison him a few years earlier. Kimberly Zenz, wishing to clear Stoyanov’s name, volunteered to fly to Moscow and testify on his behalf. This would have placed her at great personal risk, as she herself had been accused by the Russian authorities of being an “American spy”, and had narrowly fled Moscow shortly after her friend was arrested. She said that this caused a big fight with her husband – but she was willing to risk herself for her friend. “Ruslan is an honest guy, he’s a good guy. He does not deserve this,” she said. The judges, however, refused her request, a decision that probably hints that the trial wasn’t a fair one to begin with.

Ultimately, it was Dmitry Dokuchayev – Mikhailov’s former deputy in the CIB – who sealed his boss’s fate. Dokuchayev signed a plea deal with the prosecution, in which he admitted to passing information to foreign intelligence agencies, claiming that he wasn’t aware of the criminal nature of his and Mikhailov’s actions.

On February 26, 2019, Sergei Mikhailov was sentenced to 22 years in prison for treason, and Ruslan Stoyanov was sentenced to 14 years. Both were fined several hundred thousand rubles. Mikhailov was also stripped of his military rank and several medals of honor he had received for his service. Their fate serves as a chilling reminder: in Putin’s Russia, doing the right thing is an act of extraordinary courage.