MainPublications -

FSB and hackers. What we need to know about a cyber spying scandal

Despite a seemingly intricate picture, there is a unique situation when proper "patriotic" hackers, wrong "opposition" hackers and any "unknown" hackers in general are operating in Russia at the same time, though under a caring eye of the FSB.

Putin speaking at an FSB board meeting
Putin speaking at an FSB board meeting

As a result of Russia's hybrid operations managed by FSB officers, the practices and methods of the special services covered nearly all walks of life in Russia – without much consideration for reasons or sound mind. The currently topical "hybridity" (simply put, openly dirty tricks) seeped not only into the military and political sectors but also into the "elite" life of the Russian society. The motto "the end justifies the means" became a call to action both for the country's leaders and for medium and low-level managers to get rich. Not to mention regular doers. Such moral degradation even infected the inner sanctum of the Russian power system, that is its special services. What is more, it affected the operations of the FSB in the information war, which used to be the reason for Putin's personal pride and tight attention.

Speaking at the FSB board meeting in early 2016, Putin said government websites alone suffered 24m cyber attacks in 2015 and demanded that the FSB better defend Russia's information and communication resources. It was decided to draft a plan on how to improve the situation by 1 June 2016. By the end of 2016, some striking details of FSB agents getting out of hand on the information front started to emerge through a veil of secrecy.

It was a true shock for the Kremlin to watch the failure of time-consuming and carefully prepared cyber operations, which were lavishly paid from the Russian budget, on the front lines of the global hybrid information war. Three elite FSB operatives at once (there were likely to be many more, only well-known facts were made public) decided to make money by selling the Kremlin's hybrid cyber secrets for hard cash either to the CIA or to the successors of James Bond in MI6, or maybe to two interested Anglo-Saxon special services at once.

Among these well-known names are the head of the second operative department of the Centre for Information Security (CIS, military unit 64829) of the FSB, Sergey Mikhaylov, his subordinate Dmitriy Dokuchayev and their undercover colleague Ruslan Stoyanov, who worked on FSB assignments as "head of the department for cyber crime investigation" of the formally non-government company Kaspersky Lab.

Sergey Mikhaylov
Sergey Mikhaylov

Stoyanov was the key intermediary while Mikhaylov and Dokuchayev ensured that right "information" was coming in.

FSB Col Mikhaylov, a high-ranking officer and head of the second operative department of the FSB CIS, was in charge of cyber security at the strategic federal level and effectively oversaw the entire spectrum of online business in Russia.

As part of his job, he knew in detail the running of the FSB operative department engaged in special cyber operations abroad and in Russia, including by holding illegal operations in political, economic and financial sectors, spying in social, foreign corporate and other computer networks. So the colonel knew very much (what a classic fate of a spy).

FSB Maj Dokuchayev held an important post of a senior operative of the second operative department of the Russian FSB CIS and thus took direct part in the implementation of special cyber operations.

The mills of Gods grind slowly

According to quite well-informed Prof Valeriy Solovyov from the Moscow State Institute of International Relations, this entire spy story began when Moscow made sure that information was leaked to a group investigating the downing of the Malaysia Airline flight MH17. Let me remind you that international investigators had determined the circumstances of the terrorist act carried out by the regular Russian troops.

Photo: EPA/UPG

The story developed after the hacking of US websites and attempts to discredit the US election. One can only imagine how much the White House was ready to pay for any information about the hacking attacks. Stoyanov, Dokuchayev and their elder friend Mikhaylov may have done the math and decided that this would be enough to live a carefree life. So far, FSB operatives have "only" found 12m dollars in cash in Mikhaylov's place alone. One can only guess how much money is yet to be found, if ever.

The insights received from the FSB spies let the US leadership implicate not only the Russian special services in the information chaos, which reined in during the US presidential campaign but, what is sadder, say that Putin was personally involved in this and even managed this fascinating process.

They obtained documented evidence of the Russian special services' plans to disrupt the coming elections in France, Germany and other countries through cyber efforts as well as the facts of managed hacking attacks on government institutions and critical infrastructure of democratic countries and illegal cyber operations in the financial sector.

The information obtained allowed the CIA to reliably identify the source of network attacks and reciprocate. In response to Russian cyber "mischiefs", the US administration tightened sanctions on Russia as a whole, including on Putin's pocket sponsors, people from his close entourage, the leadership of the FSB and the Main Intelligence Directorate of the Russian Armed Forces.

As a result of US sanctions on the FSB, guaranteed huge profits (not accounted for in any books, thus going into one's own pockets) from licensing the import of electronics to Russia appeared at risk. The FSB oversees the import of any devices with ciphering capability, including mobile phones, tablets and even common cordless accessories such as computer mice and keyboards. Not to mention parts to more sophisticated devices. Now US any licensed manufacturers around the world find it more difficult to have commercial contacts with the FSB.

Senior officials from France, Germany and a number of other EU countries publicly said that it is necessary to develop stronger national and allied cyber security bodies, tighten the corresponding legislation and advance cooperation within the NATO framework.

Crime and punishment

Clearly, Putin was enraged by such developments and repressions in the FSB followed. Because the situation exposed the Kremlin leaders' true attitude not only to its own people but also to the world community and civilized international law.

As a result, Mikhaylov, Dokuchayev and Stoyanov were arrested on suspicion of "high treason" in December 2016 and escorted for questioning to the FSB remand centre Lefortovo. Mikhaylov was arrested right at the FSB board, which was very reminiscent of the Stalin-Beriya traditions. A "public enemy" was walked out to a "paddy wagon" with a thick sack on his head.


The FSB CIS head (who is also the first deputy head of the 1st service of the FSB specializing in counterintelligence), Andrey Gerasimov, was suspended (what a bad luck, right before retirement) and is currently under investigation by the FSB security department with a real prospect of going to jail "for betraying" Putin's motherland. What is more, the spy scandal also affected the inspirer and founder of the CIS, FSB Lt-Gen Boris Miroshnikov, who is rumoured to be at least dismissed ahead of time.

Trying to justify himself, FSB deputy director Col-Gen Dmitriy Shalkov was in a rush to say in his speech in the State Duma that the "FSB is ready to repel cyber attacks". In his speech he used a rather weird wording when he said that the FSB does not require "intermediate razgon". In Russian, the word "razgon" means not only some "acceleration" but a rather heavy kick in the backside to free the post.

One should also pay attention to the last remaining deputy head of the FSB CIS (at least until the end of the investigation), who got active recently trying to prove his loyalty and started to torment the Russian offices of Microsoft and Cisco with the formal bureaucratic requirements of the second OSCE list of confidence-building measures for cyberspace. In this case, we have a typical situation for trading with the USA: lift or soften sanctions on the FSB in exchange for letting Microsoft and Cisco work in Russia.

Nikolay Murashov
Nikolay Murashov

To be fair, there are signs of the latest "backdoor" agreements: the US Department of Commerce suddenly (probably after the phone conversation between Trump and Putin) announced the softening of sanctions against the FSB which were introduced by the previous US administration.

Thus, the relevant branches of the FSB are now all "panic and gloom" because of the rage of the big master and patron of all Russian spies.

Domino effect

In parallel to the failure within the FSB, its connections with other organizations "fell apart".

Thus, the light was shed on the controversial role of the Kvant research institute which has been developing hacking software for the FSB since 2008. In 2012-14, the Russian firm Infotex, acting on the instruction from Kvant, bought from the Italian company Hacking Team a 451,000-euro Galileo hacking software pack providing unauthorized access to gadgets on the net, including access to mail and text exchanges, web camera and microphone, making of screenshots and recognition of buttons being pressed.

The FSB cyber failure also exposed the true nature of Kaspersky Lab, a Russian company developing antivirus products and, under the brand of Kaspersky Antivirus, protection from unauthorized access, and which is trying (or rather has been trying) to hit the international market of services. It turned out that its products were nothing else but an important tool in cyber operations conducted by the FSB and other Russian special services because it pursues the goals which are directly opposite to those declared in the ads, that is to gain unauthorized access and cause damage to computer networks and personal computers by infecting them with spyware and malware.

The knowledge of these facts allows for a new interpretation of the massive attack on small and medium Russian business (but not oligarchs' businesses) with the Trojan Scatter virus in 2015-16. The software ciphers users' computer files and offers to decipher them for a fee. The Trojan did not turn on if it detected Kaspersky Lab's antivirus solution in the system, which makes one think of a new, "innovative marketing" method for the promotion of Kaspersky's software. It is clear that this method involves the direct use of banned methods of deliberate infection of potential clients' computers with viruses.


Thus this "antivirus" firm and the FSB CIS connected with it are the main technical links of subversive information operations by the Russian special services, including the Russian FSB and the Main Intelligence Directorate, in cyberspace.

In-house moonlighting

Cyber operations, necessary software and equipment cost a lot even for the FSB. Therefore they found a simple solution: hacking attacks allegedly carried out by "unidentified criminals" on financial institutions abroad and in Russia provided them with significant non-budget amounts of money.

By means of phishing and other illegal operations connected with control of money flow on financial accounts, the FSB significantly replenished unaccounted monetary funds in the hands of the Russian special services and their heads. Considering the cover of the "Kaspersky protection" and the ideal disguise of "elusive hackers", the affected party had no chance of protecting or returning its money while official accusations were made against some unidentified "hacking groups" and "cunning foreign special services".

For example, in 2014-15, strange cyber attacks on Russian banks with the Buhtrap phishing virus involved true digital certificates issued to real legal entities registered in Moscow.

An unusual increase in the number of targeted attacks on corporate networks in Russia was registered in 2015. They were disguised as mass ones and involved the hacking of protection through partners and the use of vulnerabilities of the Internet of Things, including routers, network video cameras, smart TVs, and service infrastructure systems. They gained access to emails, sent out false bank account details and cashed the obtained money via a chain of banks. The losses inflicted by several such attacks reached up to 5m dollars. In 2016, the number of hacking attacks on official Russian information websites almost tripled compared with 2015 while cyber criminals stole 650m roubles from Russians' accounts by means of fraud.

In this context, one should mention the illegal activities of already "failed" FSB officer Mikhaylov and his "team" which had regular working contacts with Russian banks and other financial institutions. For example, Mikhaylov discussed with the management of Russian Sberbank "the service need for unlimited access to the client database" of this bank, which is over 100m clients.

Sberbank head office in Moscow
Sberbank head office in Moscow

Stoyanov, a super agent of Kaspersky Lab and "fighter against hackers", also stood out when he created, on his boss's instruction, a hacking virus software to steal money and discreetly control financial resources, the so-called super-Trojan to gain access to the Russian financial system. This FSB "tool" was actively and discreetly planted into the data networks of the biggest banks, thus enabling the service to anonymously steal money in addition to gaining unauthorized access to information about clients, deals, transactions and what not.

To create an alibi and conceal their unlawful activities home and abroad, the "specialists" of the FSB CIS regularly issued "warnings" and "improved the vigilance" of financial institutions, including by informing Russian banks. In early December 2016, the FSB CIS rocked the entire banking and financial system of Russia with a "terrible news" about an imminent "unexpected" enemy mega-attack on Russian banks. The attack was of course "successfully repelled" "with the help of the FSB CIS", however the true consequences of unauthorized intrusion into the financial systems of Russian banks will not be revealed at once, if at all. And possibly not for all bank clients.

Thus, it is no surprise that well-known Russian hacking groups feel themselves at ease and act boldly namely on the Russian territory – for they are supervised and covered by their FSB handlers.

Indeed, what we protect we rob. Even judging by open-source statistics, every year Russia tops the sad rating of countries whose users are most prone to getting infected with viruses.

Swindlers on Master's service

One more peculiar feature of the Russian cyber system is that for its special cyber operations, the FSB involves many "anonymous and elusive" hacking groups which, despite their different names, are all based in Russia. If necessary, names may change in the course of operations, they can vanish and re-emerge again, however their target remains unchanged, namely democratic countries, their leadership and infrastructure, international and national financial institutions, or a propaganda "leak" of certain information for more precise tasks.

Photo: AndreyPopovDepositphotos

APT28, also known as Sofacy and Fancy Bear, is an especially active hacking group which Western specially believe to be in direct connection with the Russian special services. Namely this group is accused of penetrating the networks of the Democratic National Committee and the World Anti-Doping Agency in 2016. According to Mariusz Burdach, a representative of the Polish company Prevenity providing information security solutions for government institutions, in December 2016 the APT 28 group, associated with the Russian special services, used fake emails allegedly written by the NATO secretary-general to attack the computer system of the Polish Foreign Ministry. They used a server of the Foreign Ministry of one of the Latin American countries as a bot server. In January 2017, there were similar reports about attempts by some "unknown" Russian hackers to ferret around official websites and internal online resources of the Czech Foreign Ministry.

In May 2014, the hackers of the so-called Cyberberkut group attacked the server of the Central Electoral Commission when Ukraine was holding the presidential election. They also blocked the websites of government institutions and TV channels, hacked politicians' email accounts. On 23 December 2015, as a result of illegal actions by the Russian hacking group Sandworm, which used a malicious software platform to access the network of the Prykarpattyaoblenerho energy company and knock out power, there was a power outage in western Ukraine.

Spiegel and Observer journalists quoted researchers with the computer security firm Trend Micro as saying that these were Russian hackers posing as the so-called hacking "ISIS group", "Cyber-Jihad", which is active in Western Europe. In particular, in April 2015, the French TV channel TV5 was hacked by "Islamist hackers". Experts blames these attacks on the Russian special services.

The "opposition" hacking project Shaltai Boltai (Humpty Dumpty) turned out to be yet another creation of the FSB CIS. It shared false reports on global information resources, "leaked" compromising information as the FSB saw fit, and also did not shy away from extorting money from the victims of the black PR (it's important to be self-sufficient!). These hackers are suspected of hacking and publishing letters from the personal email accounts of Prime Minister Dmitriy Medvedev, Deputy Prime Minister Arkadiy Dvorkovich, lower-rank officials, as well as the notorious "Surkov plans to destabilize Ukraine".

Vladimir Anikeyev
Vladimir Anikeyev

The main "whistleblower" of the project, St Petersburg-based "journalist" (more professionals St Petersburg for you!), Vladimir Anikeyev, was reportedly arrested by the FSB in late October 2016 and is now in the FSB Lefortovo remande centre. His hacking accomplices Aleksandr Filinov and Konstantin Teplyakov were detained in November 2016. An unidentified hacker hiding under the nickname boltai is in Estonia while Anikeyev's spy lady friend Irina Shevchenko is in Kyiv (also known as Alisa and a seductive she-devil). Russian papers controlled by the FSB claim that Anikeyev testified against Mikhaylov (which looks like a cover-up operation to conceal the true reasons behind the failure), "which for the detention of an experienced US spy" who for many years "pretended to be a patriotically-minded elite officer of the FSB".

It is also noteworthy that the Shaltai Boltai project and Mikhaylov and his "team" seem to have fallen victim to the plain internal fight for access to the tsar, power and money inside the FSB. Two subordinate offices – the FSB CIS and the FSB military counterintelligence department (MCD) – clashed over one object of interest. As suggested by the media, FSB MCD chief Col-Gen Aleksandr Bezverkhniy, acting on the order from Russian Defence Minister Sergey Shoygu, instructed his subordinates to investigate the brazen Shaltai Boltai members, who turned out to be from the FSB in a tragic twist of events. So had it not been for this unexpected case the FSB CIS would not have been rocked by the crackdown and a series of arrests and would have continued to "serve" the fatherland and line its own pockets.

Despite a seemingly intricate picture, there is a unique situation when proper "patriotic" hackers, wrong "opposition" hackers and any "unknown" hackers in general operate in Russia at the same time, though under a caring eye of the FSB.

A separate group stands out, which consists of students drafted into the army as "state" hackers from the so-called "research companies" of the Defence Ministry (to be more precise, the Russian Military Intelligence Directorate). In July 2013, Defence Minister Shoygu personally announced the start of a "big hunt" for graduates of technical universities, mostly software developers, engineers and cryptographers. One of these "research companies" is known to have been formed within the framework of the Joint Centre for Preparation and Combat Use of Electronic Warfare Troops near Tambov.

What is more, in 2014, Russia announced the establishment of the "information operation troops" and the deployment of their detached unit in Crimea for the purpose of "disrupting the work of information networks of a potential enemy", simply put, for illegal cyber and other information attacks.

The irony of this intricate story is that the plan of a cyber world conquest, which has been painstakingly plotted by the former FSB boss and the incumbent president of Russia, and which relied on long-term playing figures cunningly placed on the geopolitical map, flopped because of the greed, corruption, intrigues and scuffles among the officers of the elite FSB.

Igor SoloveyIgor Solovey, World editor at
Read news on social networks Facebook, Twitter and Telegram