Threat Intelligence

1/25/2017 04:38 PM

Kaspersky Lab Incident Investigations Head Arrested In Russia For 'Treason'

Security firm says the case doesn't affect its computer incidents investigation operations.

Kaspersky Lab confirmed today that one of its top cybersecurity investigators was arrested in December in Russia, reportedly amid charges of treason.

News of the arrest of Ruslan Stoyanov, head of Kaspersky Lab's computer incidents investigations unit, as well as Sergei Mikhailov, deputy head of the information security department at the FSB, first came via Kommersant, a Russian economic newspaper, and word later spread to US news media outlets.

Stoyanov, who had been with Kaspersky Lab since 2012, led the firm's cybercrime investigation that ultimately led to the 2016 arrests of 50 members of the so-called Lurk cybercrime gang that stole more than $45 million from Russian financial institutions. The case was said to be Russia's largest-ever crackdown on financial cybercrime.

Stoyanov's arrest sent a chill throughout the security research community, with speculation by some that his cybercrime investigative efforts may have somehow gotten a little too close to Russian nation-state hacking efforts. Russian hacking has been in the spotlight since the US intelligence community published an unclassified report that concludes Russia - under the direction of Vladimir Putin - attempted to influence the US presidential election via hacks and leaks of data from the Democratic National Committee and Clinton campaign manager John Podesta.

According to Kaspersky Lab, the matter behind Stoyanov's arrest predates his employment with the security firm. "The case against this employee does not involve Kaspersky Lab. The employee, who is Head of the Computer Incidents Investigation Team, is under investigation for a period predating his employment at Kaspersky Lab," the company said in a statement.

Stoyanov, a former head of network security for Russian ISP OJSC RTComm.RU, also was with the Ministry of Interior's Moscow-based Cyber Crime Unit in the early 2000s.

Security experts say his arrest underscores the sometimes-blurred lines between Russian cybercrime gangs and cyber espionage activity. "I think he flew too close to the sun as his recent investigations more than likely unearthed elements of the Pawn Storm campaign," says Tom Kellermann, CEO of Strategic Cyber Ventures. "This is a red flag to all security vendors who expose the nexus between the cybercriminal conspiracies and the Russian cyberespionage campaigns."

Pawn Storm, aka Fancy Bear and APT 28, was one of the Russian state hacking groups implicated in election-related hacks against the US.

Researcher Business As Usual

While Kaspersky Lab said it had no information of the "details of the investigation" of Stoyanov and that no official information had been released by the Russian government on the case, the company also maintained that the arrest would not affect its current or future research into Russian cyber activities.

The company said that "as an IT security company, Kaspersky Lab is determined to detect and neutralize all forms of malicious programs, regardless of their origin or purpose."

For now, Stoyanov is officially suspended from his post at Kaspersky Lab, according to the company. "The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments."

Stoyanov in 2015 authored a detailed report for Kaspersky Lab on how Russian financial cybercrime works. The report notes how the risk of prosecution is low for Russian-speaking cybercriminals: "The lack of established mechanisms for international cooperation also plays into the hands of criminals: for example, Kaspersky Lab experts know that the members of some criminal groups permanently reside and work in Russia’s neighbors, while the citizens of the neighboring states involved in criminal activity often live and operate in the territory of the Russian Federation," he wrote.

"Kaspersky Lab is doing everything possible to terminate the activity of cybercriminal groups and encourages other companies and law enforcement agencies in all countries to cooperate," he wrote.

Aleks Gostev, chief security expert for Kaspersky Lab's Global Research and Analysis Team, in a tweet today said that Stoyanov "never worked with any APT stuff," dismissing some online speculation that the arrest was somehow related to cyber espionage research.

He tweeted that the case wouldn't stop the security firm from its work. Kaspersky Lab is "an international team of experts. It's impossible to prevent us from releasing data."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
ValentinaS336, User Rank: Apprentice
1/30/2017 | 2:24:17 AM
Kaspersky Lab FSB hackers
Seems Kaspersky Lab treason connected with US... Russians found out US intelligence confirmed the detained Head of FSB's Information Security Center Mikhailov provided information to them: https://en.crimerussia.com/gromkie-dela/fsb-hacker-accused-of-treason-was-stealing-money-from-people-s-credit-cards/?bitrix_include_areas=Y&clear_cache=Y

duk3, User Rank: Apprentice
1/26/2017 | 10:53:15 AM
Re: Contradictory information...
The author's inclusion of the "too close to sun" remarks etc. only tells us that there is a discrepancy between what has been claimed by arrestors and what is being claimed by media pundits. And no surprise to me. There seems to be no shortage of hacks (see what I did there?) claiming to have expertise that are happy to lie their ass off in the news. I'm really thankful that this guy's remarks were included so that I can now look him and his company up to try and find ties to other interested parties or at least other weak baseless shameless claims. This is another clue for your and my own investigations. I also now look forward to reading the 2015 report that was quoted. Thank you, reporter!

Hiruir, User Rank: Apprentice
1/26/2017 | 10:11:51 AM
Yeah!
Very good article and incredibly scary for many who are working on the market and carrying out work related to potential region state sponsored problems.

DanielGordon, User Rank: Author
1/26/2017 | 9:05:04 AM
Good Article
Very good article and very scary for those who are working in the industry and doing work related to potential nation state sponsored attacks.

tmbard, User Rank: Apprentice
1/26/2017 | 8:33:48 AM
Contradictory information...
This post is not clear on the timeframe in which the crime was committed. First it says that he had "...gotten a little too close to Russian nation-state hacking efforts." Then quotes Kaspersky Labs saying that his "...arrest predates his employment with the security firm." After that it quotes Tom Kellermann saying "I think he flew too close to the sun as his recent investigations more than likely unearthed elements of the Pawn Storm campaign." I feel like there is a lot of FUD being here in regards to information security investigation.

If his arrest has nothing to do with his efforts at Kaspersky Labs or any recent infestations in nation state hacking and espionage there should not be any reference to or fear being spread to security experts that are investigating hacking associated to nation state efforts. Please be clear on the facts here as this can cause unnecessary fear in the information security community.