Threat Intelligence

1/25/2017
04:38 PM
Kaspersky Lab Incident Investigations Head Arrested In Russia For 'Treason'

Security firm says the case doesn't affect its computer incidents investigation operations.

Kaspersky Lab confirmed today that one of its top cybersecurity investigators was arrested in December in Russia, reportedly amid charges of treason.

News of the arrest of Ruslan Stoyanov, head of Kaspersky Lab's computer incidents investigations unit, as well as Sergei Mikhailov, deputy head of the information security department at the FSB, first came via Kommersant, a Russian economic newspaper, and word later spread to US news media outlets.

Stoyanov, who had been with Kaspersky Lab since 2012, led the firm's cybercrime investigation that ultimately led to the 2016 arrests of 50 members of the so-called Lurk cybercrime gang that stole more than $45 million from Russian financial institutions. The case was said to be Russia's largest-ever crackdown on financial cybercrime.

Stoyanov's arrest sent a chill throughout the security research community, with speculation by some that his cybercrime investigative efforts may have somehow gotten a little too close to Russian nation-state hacking efforts. Russian hacking has been in the spotlight since the US intelligence community published an unclassified report that concludes Russia - under the direction of Vladimir Putin - attempted to influence the US presidential election via hacks and leaks of data from the Democratic National Committee and Clinton campaign manager John Podesta.

According to Kaspersky Lab, the matter behind Stoyanov's arrest predates his employment with the security firm. "The case against this employee does not involve Kaspersky Lab. The employee, who is Head of the Computer Incidents Investigation Team, is under investigation for a period predating his employment at Kaspersky Lab," the company said in a statement.

Stoyanov, a former head of network security for Russian ISP OJSC RTComm.RU, also worked in the Ministry of Interior's Moscow-based Cyber Crime Unit in the early 2000s.

Security experts say his arrest underscores the sometimes-blurred lines between Russian cybercrime gangs and cyber espionage activity. "I think he flew too close to the sun as his recent investigations more than likely unearthed elements of the Pawn Storm campaign," says Tom Kellermann, CEO of Strategic Cyber Ventures. "This is a red flag to all security vendors who expose the nexus between the cybercriminal conspiracies and the Russian cyberespionage campaigns."

Pawn Storm, aka Fancy Bear and APT 28, was one of the Russian state hacking groups implicated in election-related hacks against the US.

Researcher Business As Usual

While Kaspersky Lab said it had no information of the "details of the investigation" of Stoyanov and that no official information had been released by the Russian government on the case, the company also maintained that the arrest would not affect its current or future research into Russian cyber activities.

The company said that "as an IT security company, Kaspersky Lab is determined to detect and neutralize all forms of malicious programs, regardless of their origin or purpose."

For now, Stoyanov is officially suspended from his post at Kaspersky Lab, according to the company. "The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments."

Stoyanov in 2015 authored a detailed report for Kaspersky Lab on how Russian financial cybercrime works. The report notes how the risk of prosecution is low for Russian-speaking cybercriminals: "The lack of established mechanisms for international cooperation also plays into the hands of criminals: for example, Kaspersky Lab experts know that the members of some criminal groups permanently reside and work in Russia’s neighbors, while the citizens of the neighboring states involved in criminal activity often live and operate in the territory of the Russian Federation," he wrote.

"Kaspersky Lab is doing everything possible to terminate the activity of cybercriminal groups and encourages other companies and law enforcement agencies in all countries to cooperate," he wrote.

Aleks Gostev, chief security expert for Kaspersky Lab's Global Research and Analysis Team, in a tweet today said that Stoyanov "never worked with any APT stuff," dismissing some online speculation that the arrest was somehow related to cyber espionage research.

He tweeted that the case wouldn't stop the security firm from its work. Kaspersky Lab is "an international team of experts. It's impossible to prevent us from releasing data."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
ValentinaS336, User Rank: Apprentice
1/30/2017 | 2:24:17 AM
Kaspersky Lab FSB hackers
It seems the Kaspersky Lab treason case is connected with the US... Russians found out US intelligence confirmed that the detained head of the FSB's Information Security Center, Mikhailov, provided information to them: https://en.crimerussia.com/gromkie-dela/fsb-hacker-accused-of-treason-was-stealing-money-from-people-s-credit-cards/?bitrix_include_areas=Y&clear_cache=Y
duk3, User Rank: Apprentice
1/26/2017 | 10:53:15 AM
Re: Contradictory information...
The author's inclusion of the "too close to sun" remarks etc. only tells us that there is a discrepancy between what has been claimed by arrestors and what is being claimed by media pundits. And no surprise to me. There seems to be no shortage of hacks (see what I did there?) claiming to have expertise that are happy to lie their ass off in the news. I'm really thankful that this guy's remarks were included so that I can now look him and his company up to try and find ties to other interested parties or at least other weak baseless shameless claims. This is another clue for your and my own investigations. I also now look forward to reading the 2015 report that was quoted. Thank you, reporter!
Hiruir, User Rank: Apprentice
1/26/2017 | 10:11:51 AM
Yeah !
Very good article and incredibly scary for many who are working on the market and carrying out work related to potential region state sponsored problems.

DanielGordon, User Rank: Author
1/26/2017 | 9:05:04 AM
Good Article
Very good article and very scary for those who are working in the industry and doing work related to potential nation state sponsored attacks.
tmbard, User Rank: Apprentice
1/26/2017 | 8:33:48 AM
Contradictory information...
This post is not clear on the timeframe in which the crime was committed. First it says that he had "...gotten a little too close to Russian nation-state hacking efforts." Then it quotes Kaspersky Labs saying that his "...arrest predates his employment with the security firm." After that it quotes Tom Kellermann saying "I think he flew too close to the sun as his recent investigations more than likely unearthed elements of the Pawn Storm campaign." I feel like there is a lot of FUD being spread here in regards to information security investigation.

If his arrest has nothing to do with his efforts at Kaspersky Labs or any recent infestations in nation state hacking and espionage, there should not be any reference to or fear being spread to security experts that are investigating hacking associated with nation state efforts. Please be clear on the facts here as this can cause unnecessary fear in the information security community.