MOSCOW — As my colleague Ellen Nakashima wrote yesterday, the FBI announced bombshell indictments against two Russian spies and two hackers over the 2014 heist of 500 million Yahoo user accounts, “marking the first U.S. criminal cyber charges ever against Russian government officials.” The charges, if true, are some of the first to give detailed evidence of how Russian intelligence agencies use cybercriminals as “hackers-for-hire.”
But what is less clear is why one of the men has been arrested and charged with treason in Russia. Dmitry Dokuchaev, an agent for the cyberinvestigative arm of the FSB, was arrested in Moscow in December. He's accused by the FBI of “handling” the hackers, paying “bounties” for breaking into email accounts held by Russian officials, opposition politicians and journalists, as well as foreign officials and business executives. The Russian targets included an Interior Ministry officer and physical trainer in a regional Ministry of Sports. (The full text of the indictment, which has a full list of the targets and some curious typos, is here.)
Dokuchaev's case is part of a larger and mysterious spate of arrests of Russian cyber officials and experts. His superior, Sergei Mikhailov, deputy chief of the FSB's Center for Information Security, was also arrested in December and charged with treason. According to Russian reports, the arrest came during a plenum of FSB officers, where Mikhailov had a bag placed over his head and was taken in handcuffs from the room. Ruslan Stoyanov, a manager at the Russian cybersecurity company Kaspersky Lab, was also arrested that month. Stoyanov helped coordinate investigations between the company and law enforcement, a person who used to work at the company said.
Below are some of the theories behind the Russian arrests. Lawyers for some of the accused have told The Washington Post that they can't reveal details of the case and, because of the secrecy afforded to treason cases, they don't have access to all the documents.
None of the theories below has been confirmed, nor are they mutually exclusive.
1. Links to U.S. election hacking: With attention focused on the hacking attacks against the U.S. Democratic National Committee allegedly ordered by Russian President Vladimir Putin, some Russian and U.S. media suggested that Dokuchaev and Mikhailov leaked information implicating Russia in the hack to the United States. The Russian Interfax news agency, which regularly cites government officials as sources, reported that “Sergei Mikhailov and his deputy, Dmitry Dokuchaev, are accused of betraying their oath and working with the CIA.” Novaya Gazeta, a liberal, respected Russian publication, citing sources, wrote that Mikhailov had tipped off U.S. intelligence about King Servers, the hosting service used to support hacking attacks on targeted voter registration systems in Illinois and Arizona in June. That had followed reports in the New York Times, citing one current and one former government official, that “human sources in Russia did play a crucial role in proving who was responsible for the hacking.”
Nakashima wrote yesterday that “the [FBI] charges are unrelated to the hacking of the Democratic National Committee and the FBI’s investigation of Russian interference in the 2016 presidential campaign. But the move reflects the U.S. government’s increasing desire to hold foreign governments accountable for malicious acts in cyberspace.”
2. A shadowy hacking collective called Shaltai-Boltai (Humpty-Dumpty): Also called Anonymous International, Shaltai-Boltai was responsible for leaking early copies of Putin's New Year speech and for selling off “lots” of emails stolen from Russian officials such as Prime Minister Dmitry Medvedev. In a theory first reported by the pro-Kremlin, conservative Orthodox media company Tsargrad, Mikhailov had taken control of Shaltai-Boltai, “curating and supervising” the group in selecting hacking targets. Later media reports said that the group's leader, Vladimir Anikeyev, had recently been arrested by the FSB and had informed on Mikhailov, Dokuchaev and Stoyanov. A member of the group who fled to Estonia told the Russian media agency Fontanka that they had recently acquired an FSB “coordinator,” although he could not say whether it was Mikhailov. None of the hacks mentioned in the FBI indictment could immediately be confirmed as those carried out by Shaltai-Boltai.
Lawyers contacted by The Post said that in documents they had seen, there was no link to Shaltai-Boltai in the case.
3. A grudge with a cybercriminal: A Russian businessman who had specialized in spam and malware had claimed for years that Mikhailov was trading information on cybercriminals with the West. Mikhailov had reportedly testified in the case of Pavel Vrublevsky, the former head of the payment services company Chronopay, who was imprisoned in 2013 for ordering a denial of service attack on the website of Aeroflot, the Russian national airline. Vrublevsky claimed then that Mikhailov began exchanging information about Russian cybercriminals with Western intelligence agencies, including documents about Chronopay. Brian Krebs, an American journalist who investigates cybercrime and received access to Vrublevsky's emails, wrote in January: “Based on how long Vrublevsky has been trying to sell this narrative, it seems he may have finally found a buyer.”
4. Infighting at the FSB: The Russian government is not monolithic, and infighting between and within the powerful law enforcement agencies is common. The Russian business publication RBC had written that Mikhailov and Dokuchaev's Center for Information Security had been in conflict with another department with similar responsibilities, the FSB's Center for Information Protection and Special Communications. The conflict may have led to the initiation of a criminal case, the paper's sources said.