The FSB Purge: Two Narratives

I first mentioned the arrest of a Kaspersky researcher for treason last week.  Since then, more of the American press has been focusing on it, often simply assuming that what are now reported to be up to six arrests must have some tie to the Russian hack of the DNC and other election-related targets.

One way or another, the arrests—according to the Russian media accounts—are linked to the country’s hacking of the US election.

Such assumptions don’t even engage with some of the most obvious questions, such as what all these FSB-related arrests would have to do with the hack-and-leak of DNC and Podesta emails allegedly done by Russia’s military intelligence GRU.

Obviously, the timing of the arrests would suggest there might be a connection, but the presumption has been downright sloppy. So in an effort to unpack this story, I’m going to lay out some of the known claimed details

Some of the better English language sources on the arrests are stories in Bloomberg, Guardian, FT, NYT, and Forbes (as well as the Brian Krebs story quoted in detail below).

Committing crimes pre-dating 2012

When news of Stoyanov’s arrest was made public, Kaspersky released a statement saying the activity pre-dated his employment at the security firm, so before 2013. That would seem to rule out involvement in the DNC hack.

Exposing King Servers as key infrastructure in Russian hacks

A more public explanation behind the purge is that Stoyanov and Mikhailov served as sources for the FBI on the investigation into the probes of the state election sites.

On August 18, the FBI released a flash about two probes of US state election websites. Among the details, it released an IP address,, associated with the probe. “The FBI received information of an additional IP address,, which was detected in the July 2016 compromise of a state’s Board of Election Web site.” Why you would need two human sources for this information, I’m not sure, but the implication in this narrative is that it came from the Russians.

On September 2, ThreatConnect released a report analyzing the IP address, tying it to other suspected Russian hacks.

However, as we looked into the 5.149.249[.]172 IP address within the FBI Flash Bulletin, we uncovered a spearphishing campaign targeting Turkey’s ruling Justice and Development (AK) Party, Ukrainian Parliament, and German Freedom Party figures from March – August 2016 that fits a known Russian targeting focus and modus operandi. As we explored malicious activity in the IP ranges around 5.149.249[.]172 we found additional linkages back to activity that could be evidence of Russian advanced persistent threat (APT) activity. This connection around the 5.149.249[.]172 activity is more suggestive of state-backed rather than criminally motivated activity, although we are unable to assess which actor or group might be behind the attacks based on the current evidence.

At the time, the guy who owns King Servers, which hosts that IP, Vladimir Fomenko, played dumb, claiming that the entities tied to the election website hacks owed him money and that the FBI had never contacted him but that he’d be happy to provide information.

More recently, Brian Krebs pulled up some of his old reporting to note that Fomenko has long-established ties to spam businessman Pavel Vrublevsky, including with these servers. Vrublevsky has been trying to implicate Mikhaylov and Stoyanov in leaking Russian investigative details to people in the west for years.

Multiple Russian media outlets covering the treason case mention that King-Servers and its owner Fomenko rented the servers from a Dutch company controlled by Vrublevsky.

Both Fomenko and Vrublevsky deny this, but the accusations got me looking more deeply through my huge cache of leaked ChronoPay emails for any mention of Mikhaylov or Stoyanov — the cybercrime investigators arrested in Russia last week and charged with treason. I also looked because in phone interviews in 2011 Vrublevsky told me he suspected both men were responsible for leaking his company’s emails to me, to the FBI, and to Kimberly Zenz, a senior threat analyst who works for the security firm iDefense (now owned by Verisign).

In that conversation, Vrublevsky said he was convinced that Mikhaylov was taking information gathered by Russian government cybercrime investigators and feeding it to U.S. law enforcement and intelligence agencies and to Zenz. Vrublevsky told me then that if ever he could prove for certain Mikhaylov was involved in leaking incriminating data on ChronoPay, he would have someone “tear him a new asshole.”

Krebs’ story would date Stoyanov’s actions to before his ties with Kaspersky, which would explain that part. But it would also suggest this might be product of a long-standing feud — or that the long-standing feud provides cover for a fight for power within the FSB.

One thing that’s interesting about all this is that, for some time, the US intelligence community did not attribute the probes of voter registration databases to Russian intelligence. A September 20 DHS alert attributed it to criminal hackers seeking identity theft data. The October 7 ODNI/DHS statement affirmatively declined to attribute it. It was not until the January 6, 2017 report on the hacks that the IC first blamed Russian intelligence (without specifying whether it was FSB or GRU) for the probes.

So if the FSB purge pertains to revealing details about the voter database probes to US intelligence, the first US public acknowledgment of that intelligence came after most people allegedly involved in exposing the tie had been arrested (though people like former Russian Ambassador Michael McFaul were yapping about such things in public statements, and the WaPo had gotten soft leaks about it). That is, in spite of complaints that US reporting might have set off this molehunt, for the registration databases, the molehunt preceded the IC’s affirmative (public) use of the data.

Hack-and-leaking top Russians

The other major allegation against the Russians is that they were involved with a hacking group Shaltai Boltai (which translates as Humpty Dumpty from Alice in Wonderland). The group has blackmailed and/or exposed the emails of a number of top Russian leaders, including Prime Minister Dmitry Medvedev and his deputy Arkady Dvorkovich.

Reports claim that Anikeev started the group years earlier, and the FSB either tried to infiltrate it, but then got swept up, or always had ties to it. Ultimately, though, the implication is that FSB was working both sides, using an Anonymous-modeled hacking group to acquire materials on powerful Russians even while, perhaps, using such hackers for Russian ends.

In mid-to-late October, the group released the emails of Vladislav Surkov, the architect of Putin’s Ukrainian policy. There wasn’t much revealed, though it did make it clear planning for Russia’s Ukrainian intervention went back some time. The understanding behind this narrative is that releasing these emails got too close to Putin, which led to the crack-down on the group.

Even when the emails got released, there was no public discussion of the possibility that this was US retaliation against Russia — not even after NBC published a really dick-wagging story on October 14 promising CIA retaliation. That’s the public story, anyway, which was really weird, given that exposing Putin’s plotting in Ukraine would be a really logical retaliation for the DNC hack (even if American exceptionalists like to pretend we would never do a hack and dump). The private story is different, but any private opinions I’ve heard don’t describe who might have conducted such a hack.

It’s also not entirely clear the timing works out. But it’s not clear we’ve got all those details yet.

I’m still working through these issues — and warnings from Russian observers that both of these narratives may just be convenient front stories for something else and/or for pure power consolidation are well taken.

What has also gone unmentioned is that at a time when Russia and the US would be staring each other down on a “cyber” battlefield, Putin just apparently took out a number of the key players in that field. No one has mentioned that, but even if these guys were working both sides in a manner that brought value to Putin, having them removed may leave holes in Russia’s cyber offense for the near future.

Update: This FT piece, based off an interview with what is alleged to be the last remaining Shaltai Boltai member at large, would seem to confirm that that explains the arrests (it explains the SB got FSB handlers in early 2016). Though I’d ask why someone would return from Thailand to apply for asylum in Estonia if Putin were after them.

Known arrestees

Colonel Sergey Mikhailov, deputy head of the Information Security Center at the FSB

Major Dmitry Dokuchaev (AKA Forb), also with ISC

Ruslan Stoyanov, now with Kaspersky but with earlier with cybercrime investigation firm Indryk and before that Ministry of Interior’s Cyber Crime Unit

Journalist Vladimir Anikeev, believed to have been in Ukraine and alleged to have led the hack ofVladislav Surkov

Known dates

August 18: FBI flash identifying new King Servers-related IP address used in probes of election related sites

September 2: ThreatConnect report implicating King Servers

September 5: Obama and Putin discuss hacks at G-20

September 20: DHS alert attributes voter registration probes to criminal hackers in search of PII

September 27: King Servers owner Vladimir Fomenko claims FBI hasn’t contacted him

October 7: ODNI/DHS statement on Russian hacking declines to attribute voter database hacks to Russian state

October 14: CIA preparing possible cyber response on Russia

October 23-25: Hackers release emails of Vladislav Surkov, exposing Putin’s Ukrainian plans

October 31: Obama contacts Putin on red cyber phone for first time

November 9: Anikeev reportedly detained, begins cooperating

November 26: Anonymous White House statement affirms integrity of election

December 4: Arrests of Mikhailov and Stoyanov

December 9: CIA-based leaks (based off recent human intelligence) claim DNC hack designed to get Trump elected

December 13: Last date on (partial) dossier implicating Trump

January 6, 2017: In declassified Russian Hack Report, US Intelligence Community for the first time attributes probes of voter websites to Russian intelligence (not specifying FSB or GRU): “Russian intelligence obtained and maintained access to elements of multiple US state or local electoral boards.”

January 11: Partial anti-Trump dossier published by BuzzFeed; Christopher Steele flees his home

January 23: GCHQ head Robert Hannigan quits to spend more time with his family

January 25: Kommersant announces arrests

6 replies
  1. martin says:

    Holy shit.   Even Netflix couldn’t make this shit up.  Thanks for  publishing your insights.  Meanwhile, I do wonder… when you have time.. if you’d be so kind as to  publish your recipe for rhubarb and strawberry pie?  At least, it will give us time to digest the last 2 months of hyper intrigue while planning our strawberry beds and contemplating something other than the daily drivel of Spy vs Spy. It’s so depressing. Much better to envision a delightful Michigan boiled dinner with homegrown desserts, Michigan cult beer, with nice conversation devoid of political bullshit.  Like..oh, I don no.. something along the lines of “hey.. I got a ticket today! Or..  “fuck, took me three hours to fill out my 1040”.. or “geezus, I was just diagnosed with terminal Gout”..  you know.. interesting stuff… vs all this geopolitical mindfuck.

    Insert ear to ear grin smiley here.

    Carry on.


  2. fastenbulbous says:

    Any evidence that Agent Orange tipped them off upon taking office? If there was a conspiracy to put him in office, they would start to “clean up” after the mission was accomplished, right?  (Enqiring (sic) minds want to know….)

    • emptywheel says:

      The tip would have had to come before he was formally in office, bc two people were arrested in early December.

  3. lefty665 says:

    Hard to tell what’s going on with those black cats in the coal bin. Thanks for continuing to chew on it and to bring structure to the discussion. That sheds some light.

  4. harpie says:

    Hi Marcy, I apologize that this is O/T. [I’m not on twitter, though I follow you and bmaz and others…sometimes I just feel like I have to say something.]

    Just, now, it’s being reported [ie: WaPo] that “Government Reveals Over 100,000 Visas Revoked Due to Travel Ban”. When the judicial orders started coming in a couple of days ago [1/31/17; 4:15pm], I checked out the CBP website for information on the Executive Order, and found . I copied the answer to a FAQ: How does the lawsuit/stay affect DHS operations in implementing this executive order? [All emphasis my own]


    The Department of Homeland Security will continue to enforce all of President Trump’s Executive Orders in a manner that ensures the safety and security of the American people. President Trump’s Executive Orders remain in place—prohibited travel will remain prohibited, and the U.S. government retains its right to revoke visas at any time if required for national security or public safety. President Trump’s Executive Order affects a minor portion of international travelers, and is a first step towards reestablishing control over America’s borders and national security.


    Approximately 80 million international travelers enter the United States every year. Yesterday, less than one percent of the more than 325,000 international air travelers who arrive every day were inconvenienced while enhanced security measures were implemented. These individuals went through enhanced security screenings and are being processed for entry to the United States, consistent with our immigration laws and judicial orders.


    The Department of Homeland Security will faithfully execute the immigration laws, and we will treat all of those we encounter humanely and with professionalism. No foreign national in a foreign land, without ties to the United States, has any unfettered right to demand entry into the United States or to demand immigration benefits in the United States.

    Today, [2/3/17 12:08pm] there are some changes:
    First paragraph omitted
    Second paragraph is now first paragraph, minor changes: Removed “Yesterday”; after “were inconvenienced” added: “after the Executive Order was signed”
    Third paragraph is now second and remains unchanged.
    New paragraph 3:

    The Department of Homeland Security will comply with judicial orders; faithfully enforce our immigration laws, and implement President Trump’s Executive Orders to ensure that those entering the United States do not pose a threat to our country or the American people.

    Sorry about all this, but I found the original first paragraph egregious [and I guess so did someone else], and seeing the term “enhanced” in regard to government actions makes me cringe.

  5. Ming says:

    Ming find time-line interesting when ShadowBrokers added

    Russian SVR head Fradkov fired

    Ivanov canned and patrushev appointed head of svr

Comments are closed.