Arrests are unlikely to derail Russian cyberespionage

Widely publicised arrests offer insights into the secret world of state hacking activities

Three men accused of treason, including two officers in the Federal Security Service (FSB), have had their appeals against an extended custody order turned down, the RBC news site reported yesterday. Media outlets provided unusually detailed coverage of the story that the FSB had arrested two of its own officers and another individual. The investigation has receded into secrecy and the allegations are unclear, ranging from allowing information to reach US intelligence to collusion with hackers who blackmailed Russian victims. More generally, the case opens a window on how Russian intelligence agencies use third parties to carry out hacking.

What next

Moscow will attempt to tighten control over the cyber intelligence sector and obscure its connections with private actors, but this case -- despite the embarrassment it causes -- is unlikely to change substantively the pattern of multiple agencies using cyber technology to probe foreign political institutions and making that information public when it suits the Kremlin's ends.

Subsidiary Impacts

  • Implicit confirmation of Russian hacking will harden suspicions of Moscow in Western states.
  • Cyber intrusions targeting the United States will continue but leaks may moderate while Moscow assesses Trump's intentions.
  • Political hacking is likely before the French and German elections, while Ukraine can expect more cyberattacks on infrastructure.

Analysis

The arrests in December, first reported in January, were part of a coordinated operation triggered by the belief that US intelligence was being tipped off about Russian cyber operations by individuals with first-hand or second-hand access to classified information.

Three individuals are known to be charged with treason:

  • Colonel Sergey Mikhailov, head of the Second Operational Directorate of the FSB's Information Security Centre;
  • Major Dmitry Dokuchayev, serving in the same FSB unit; and
  • Ruslan Stoyanov, head of investigations at the Kaspersky Lab cybersecurity company.

In a related case, Vladimir Anikeyev, founder of the underground hacking group Shaltay-Boltay ('Humpty Dumpty'), is also under investigation, although apparently not accused of treason. He was arrested in October. The arrest in November of two more Shaltay-Boltay members was reported on February 1.

As the case is sensitive and will be tried by court martial, little is known about the treason charges. Some experts in Moscow believe the suspects were responsible, directly or inadvertently, for providing confirmation of Russia's role in hacking and leaking Democratic Party emails during the US presidential election.

Kremlin spokesman Dmitry Peskov denied that Mikhailov or Dokuchayev were themselves engaged in hacking US sites because "we categorically reject any assertions" of Russian involvement.

Broad spectrum of hacking activity

The leaks and speculation surrounding this story have begun to fill out the complex picture of interconnections between state security, criminal groups and the private sector.

Multiple spy agencies run their own cyber operations

As well as the FSB, the military intelligence agency (GRU), the Federal Protection Service (FSO) and Foreign Intelligence Service are all active in cyberespionage (see RUSSIA: Security agencies will vie for influence - May 9, 2016).

The FSB and other intelligence agencies are increasingly developing in-house cyber capabilities, but they also engage outside groups for occasional work or as auxiliaries operating at arm's length.

Private sector

It is common for state security agencies to maintain close ties to private providers elsewhere, but in Russia the connections are closer because of the government's jealous control of domestic internet traffic and the state security backgrounds of many key figures in the private sector.

Kaspersky has stressed that Stoyanov is being investigated for activities dating from before his employment with the company. Stoyanov previously worked for the interior ministry.

Criminal groups

Dokuchayev was previously a hacker who was arrested for cloning credit card numbers. He was offered a choice between prison and working for the FSB.

According to some reports, Mikhailov and Dokuchayev were tasked with overseeing Shaltay-Boltay, which hacks into the email correspondence of prominent figures (mostly in business or government) and offers it for sale on its website. The group's co-founder, Alexander Glazastikov, has said the FSB began trying to co-opt it last year.

Patchwork alliance

This alliance of hackers directed by the intelligence agencies is characteristic of the distinctive Russian approach to cyberespionage, reflecting the Kremlin's ability to mobilise non-state actors to do its bidding and thus to expand its capabilities at speed. This approach has several advantages:

  • diffusion -- through the deployment of a wide range of actors including intelligence services;
  • flexibility -- by exploiting the imagination and entrepreneurship of non-state actors;
  • deniability -- through the use of third parties for particularly politically sensitive operations; and
  • value for money -- in that criminals and commercial corporations will often accept work as the price of continuing in business.

Disruptive rivalries

At the same time, the method has in-built drawbacks. It contributes to rivalries between agencies because the diffusion of the approach encourages zero-sum competition.

The FSO and GRU appear to have been instrumental in publicising details of the arrests to embarrass the FSB and undermine the emergence of its Information Security Centre as the single most powerful cyber intelligence structure.

Corrupting influences

Criminal connections also work both ways. If claims that senior FSB officers in a privileged and sensitive position acted for personal gain, through the Shaltay-Boltay connection, are substantiated, it will only be the latest example of criminalisation in law enforcement (see RUSSIA: More arrests of corrupt officials are likely - August 1, 2016).

Russia's cybersecurity industry risks undermining its credibility. Kaspersky Lab and its main Russian rival, Group-IB, have been at pains to deny any close relationship with the FSB for fear of the reputational damage this could cause them.

Cyberwarfare

Moscow has long been known to be developing and carrying out coordinated cyberattacks, from the distributed denial of service attacks launched against Estonia in 2007 and Georgia in 2008 to periodic attacks on energy and financial institutions in Ukraine.

Cyber technology is used to spy on, confuse and potentially disable adversaries

Russian cyberespionage is bold in scale and ambition and has three vectors:

Intelligence-gathering

Russia is supplementing traditional human intelligence with cyberespionage, using data hacking to gather anything from political gossip to information on military deployments. Recent months have seen increasing evidence of this, as the Czech, Italian, Norwegian and Polish foreign ministries have reported intrusions by Russian hackers.

Damaging leaks

As the leak of emails from US presidential candidate Hillary Clinton's campaign demonstrates, Moscow is prepared to make active use of material gained via espionage to influence politics and policy.

In a presumed effort to undermine German Chancellor Angela Merkel and complicate relations between Berlin and Washington, WikiLeaks -- increasingly the FSB's vessel of choice for deniable leaks -- released documents in December from a German parliamentary enquiry into intelligence cooperation with the United States.

The French, German and Dutch counter-intelligence services have all warned that they expect to see Russia using strategic leaks to influence their respective elections this year (see RUSSIA/EUROPE: Moscow will exert multiple pressures - December 8, 2016).

Disruption

Russian military doctrine increasingly regards 'information operations' -- spanning everything from disinformation to cyber intrusion -- as an essential domain of warfare, especially as a way of preparing the ground for military operations.

Such actions also offer a method of putting pressure on governments and institutions as an alternative to higher-risk activities.

Cyberattacks on Ukraine's electricity network in December 2015 and again in December 2016 -- this last time, financial institutions were also attacked -- are formally deniable despite the circumstantial evidence of similar sophisticated activities (see INTERNATIONAL: Impunity will incentivise cyberattacks - December 16, 2016).