Two Years Ago — Inside the Intrigue of Russia’s Cyberattacks

“Looks like Sergey [Mikhailov] and Ruslan [Ruslan Stoyanov] were looking for various “scapegoats” who were easy to track down and who had a lot of criminal evidence collected against them, and then reported them to iDefence through Kimberly [Zenz]. This was done so that iDefence could get some publicity for themselves by turning this into a global news story. Then the matter was reported by US intelligence to Russia, and then got on Sergey’s desk who made a big deal out of it and then solved the case brilliantly gaining favors with his bosses. iDefence at the same time was getting huge grants to fight Russian cyberthreats.”

Russian businessman Pavel Vrublevsky

Former FSB Colonel Sergey Mikhailov

March 4 2017 — On December 4 2016, the Federal Security Service (FSB) arrested Ruslan Stoyanov, the former head of Kaspersky Lab’s Computer Incident Investigation Department. On the same day, they also arrested three FSB officers: Colonel Sergey Mikhailov, his colleague Major Dmitry Dokuchaev, both senior officers of the 2nd Operational Management of FSB Information Security Center, as well as Georgy Fomchenkov. The four men are detained on charges of high treason (Art. 275 of the Russian Criminal Code). Here is their story.

UPDATE (March 4 2019) — On February 26 2019, a Moscow military court sentenced Sergei Mikhailov to 22 years in a maximum security prison and Ruslan Stoyanov to 14 years in a similar facility.

These sentences are very harsh. Keep in mind that Sergei Skripal was sentenced to 13 years.

According to the Kommersant newspaper,

“in 2011, FSB colonel Sergei Mikhailov transferred information concerning the case of the former head of international payment services company Chronopay Pavel Vrublevsky, suspected of staging a DDoS attack on the Assist payment system in July 2010, to the FBI.

Mikhailov recorded the data on a compact disc and gave it to Kaspersky Lab employee Stoyanov, who attended the 2011 International Conference on Cyber Security in New Denver, Canada, and handed over the disc to Kimberly Zenz, employee of the US data protection company I-Defence, affiliated with the FBI.”

And that is the story I told you two years ago on this day… I understand that both men will appeal the court’s verdict.

The court read out only the substantive provisions, as the criminal case is classified.

According to Ruslan Stoyanov’s lawyer, the DNC hacking — or anything related to the 2016 US Presidential election — was never mentioned during the trial.

“Inga Lebedeva, Stoyanov’s lawyer, was unable to give details on Tuesday because of the secrecy of the case. But she said after the verdict that it did not mention potential meddling in the U.S. elections, and was based solely on Vrublevsky’s testimony.”

Mikhailov was also stripped of his colonel’s rank and military decorations, which included the elite “For Services to the Fatherland.”


March 4 2017 — In a very short period of time, we have witnessed an unusual series of events. The US has accused a Russian intelligence agency of conducting cyber-attacks related to the 2016 Presidential election; the Russian authorities have jailed most members of a hacker group known as ‘Shaltay Boltay’; and three FSB officers, as well as one of the top cyber-security experts from Kaspersky Lab, are accused of high treason.

Most media have assumed that these events are related. Surely, the timing of these events seems to indicate some link between them. But what is this link, if any? After all, the GRU is accused of the cyber-attacks, not the FSB.

Until now, I have limited myself to describing these people and collecting the information available about them. Today, I will attempt to write their story. It may not be the entire truth. But one has to start somewhere.

In a recent post, I came to the conclusion that the four FSB officers have crossed paths with Russian businessman Pavel Vrublevsky.

Pavel Vrublevsky

FSB Colonel Sergey Mikhailov, Major Dmitry Dokuchaev, FSB officer Georgy Fomchenkov and former head of Kaspersky Lab’s Computer Incident Investigations Department Ruslan Stoyanov have all collaborated on a high-profile case.

They were all involved in the investigation of the criminal case regarding the DDoS attack on the ‘Assist’ payment system in July 2010, which resulted in the sale of electronic tickets for Aeroflot flights being unavailable for an extended period of time.

As a result of this investigation, Russian businessman Pavel Vrublevsky was sentenced to two and a half years in jail. Pavel Vrublevsky has claimed that he had been framed by the FSB officers after he accused Mikhailov and Stoyanov of working for a US Intelligence Agency.

Finally, the FBI has traced back suspicious hacking activities during the US Presidential campaign to servers that are managed by Vladimir Fomenko and quite possibly belong to… Pavel Vrublevsky.

Pavel Vrublevsky told Reuters that the arrests were a response to his old allegations (2010) that Stoyanov and Mikhailov had passed secrets on to an American firm: iDefense (now Verisign).

Ruslan Stoyanov

Before joining Kaspersky Lab’s Computer Incident Investigations Department, Ruslan Stoyanov worked as a major in the Russian Ministry of Interior’s Moscow Cyber Crime Unit. But, in between these jobs, he worked for a cybercrime investigation firm called ‘Indrik’. His only colleague at ‘Indrik’ was Dmitry Levashov.

Kimberly Zenz

Dmitry Levashov had an interesting ‘girlfriend’. Her name is Kimberly Zenz, and she worked for iDefense, now Verisign (Update: iDefense is now part of Accenture Security). Zenz was the ‘Russia’ expert on cyber-attacks.

There is no doubt that she was getting good Intel. Zenz will perhaps dispute whether or not the information she received was classified, but she appears to have admitted both receiving and passing sensitive information to US Intel Agencies.


Kimberly Zenz denies the allegations made by Pavel Vrublevsky. “Nothing like the arrangement as described by Pavel Vrublevsky ever took place,” she said. (Earlier this year, Zenz said she did date ‘a Russian man’ who worked with Stoyanov at Indrik.)

Verisign acknowledges that the firm’s iDefense unit compiled dossiers on cyber crime for clients including private firms and government agencies that include U.S. intelligence services.

Verisign Vice President Joshua Ray declined to comment on Stoyanov. Choosing his words carefully, Ray said that he does not believe its reports to government agencies and other customers included state secrets.

ThreatConnect & FBI

In September 2016, ThreatConnect — a US cyber-security firm — published a report that included Internet addresses that were used as staging grounds in the U.S. state election board hacks.

That report was based in part on an August 2016 alert from the FBI (PDF), and noted that most of the Internet addresses were assigned to a Russian hosting firm called King-Servers[dot]com.

King Servers

King-Servers is managed by a 26-year-old Russian named Vladimir Fomenko. According to Brian Krebs, Pavel Vrublevsky and Vladimir Fomenko are longtime associates:

“Both were prominent members of Crutop[dot]nu, a cybercrime forum that Vrublevsky (a.k.a. “Redeye”) owned and operated for years.”

Brian Krebs noticed a very interesting ‘coincidence’:

“Fomenko issued a statement in response to being implicated in the ThreatConnect and FBI reports. Fomenko’s statement — written in Russian — said he did not know the identity of the hackers who used his network to attack U.S. election-related targets, but that those same hackers still owed his company USD $290 in unpaid server bills.

An English-language translation of that statement was simultaneously published on, Vrublevsky’s payment processing company.”

Coincidences: The Netherlands, Porn Sites and WebMoney

According to a recent piece in the NYT, Dutch Intel Agencies have provided information to the US IC. ThreatConnect has identified six of the eight addresses as originating from servers owned by King Servers in Dronten, the Netherlands. The company’s main customers are pornographers.

Mr. Fomenko said prospective renters using the nicknames Robin Good and Dick Robin had contacted him online in May 2016 and paid through WebMoney, an online payment system, not an uncommon profile for his clients. [NYT] If true, it means that FSB Colonel Sergey Mikhailov could easily identify such customers. (See below)

Georgy Fomchenkov

Reuters was unable to contact Fomchenkov or a representative of him, find any further information about his identity from publicly available sources, or determine what role he was accused of playing in the case.

Kommersant has provided some details about Georgy Fomchenkov, whose name had been earlier revealed by Novaya Gazeta. He was involved in the work of payment services used by webmasters of pornographic sites. And there are ‘traces of his activities’ in the archives of a forum administered by the founder of the Chronopay payment system, Pavel Vrublevsky.

And of course, like Sergey Mikhailov, Dmitry Dokuchaev and Ruslan Stoyanov, Georgy Fomchenkov was also involved in the investigation of Pavel Vrublevsky.

Sergey Mikhailov

According to Pavel Vrublevsky,

“Sergey Mikhaylov’s main asset is the ability to see account data at Webmoney using Webmoney’s cooperation with FSB Infosec Center.

They (WM) are secretly collecting huge amounts of all kinds of data on the account holders, and knowing the culprit’s WM wallet ID it is trivial to find the real identity behind it.”

In other words, it would be fairly easy for Sergey Mikhailov to identify ‘Robin Good’ and ‘Dick Robin’…

And ‘Shaltay Boltay’? 

Major Dmitry Dokuchaev is a well-known former hacker (Forb) recruited by the FSB (Sergey Mikhailov) while he was in jail for his cyber-crimes.

According to various sources, Sergey Mikhailov and Dmitry Dokuchaev took control of the ‘Shaltay Boltay’ group in the summer of 2016. The leader of this group was arrested in October 2016, and various media reported that he named Sergey Mikhailov and Dmitry Dokuchaev, who were arrested on December 4 2016.


According to a source connected with the investigation, the FSB officers and Ruslan Stoyanov — the former head of Kaspersky Lab’s Computer Incident Investigation Department — are accused of having passed secrets to U.S. firm Verisign and other unidentified American companies, which in turn shared them with U.S. intelligence agencies. [REUTERS]

At this point, the story is pretty much what Russian businessman Pavel Vrublevsky describes in an email to one of his employees in the fall of 2010.

“Looks like Sergey [Mikhailov] and Ruslan [Ruslan Stoyanov] were looking for various “scapegoats” who were easy to track down and who had a lot of criminal evidence collected against them, and then reported them to iDefence through Kimberly [Zenz].

This was done so that iDefence could get some publicity for themselves by turning this into a global news story.

Then the matter was reported by US intelligence to Russia, and then got on Sergey’s desk who made a big deal out of it and then solved the case brilliantly gaining favors with his bosses.

iDefence at the same time was getting huge grants to fight Russian cyberthreats.”

So, is the story true? And, if it is true, is the story the whole truth? As Italians say: “se non è vero, è ben trovato.” (If it is not true, it is a — pretty — good story.)

On the other hand, I am not entirely convinced that this is the whole story. As an astute observer noticed, Russian authorities at times use old cases as a way of charging people suspected of later crimes.

UPDATE (April 2 2018) — This case is still fuzzy but a few facts are known. Dokuchaev, Fomchenkov, Mikhailov, and Stoyanov are charged with treason. But because the case is classified, very little is known about the exact allegations against them.

This high-profile case has been assigned to a well-known and highly experienced officer of the Special Services Investigation Directorate: Mikhail Svinolup. One of the FSB officers is defended by Ivan Pavlov. Svinolup and Pavlov have met on several high-profile treason cases.

Although lawyers are barred from disclosing any details in such a case, it seems almost certain that these four men are accused of passing classified information, most likely to an American Intelligence Agency (probably but not necessarily the CIA).

Dmitry Dokuchaev and entrepreneur Georgy Fomchenkov have agreed to a plea bargain. They admit to having transferred data to a foreign intelligence agency.

“One of RBC’s sources says the two suspects claim to have shared information with foreign intelligence agencies ‘informally,’ denying that there was anything criminal about the exchange. Dokuchaev and Fomchenkov say they were only trying to help punish cyber-criminals operating outside Russia and therefore outside their jurisdiction.

As a result of the plea bargains, the two men’s trials will be fast-tracked in a special procedure where the evidence collected against them isn’t reviewed. Dokuchaev and Fomchenkov will also face lighter sentences — no more than two-thirds of Russia’s maximum 20-year sentence for treason.” [Meduza]

Former FSB Information Security Center agent Sergey Mikhailov and former Kaspersky Lab computer incidents investigations head Ruslan Stoyanov insist on their innocence. Both men have turned down plea bargains.

Finally, Kimberly Zenz has acknowledged that Ruslan Stoyanov’s lawyer contacted her.

“She says she provided him a statement that was shared with investigators, where she maintains that she does not work for the CIA, never turned over any data, and has never worked as a government agent for any country. She also stated that she never paid Ruslan Stoyanov for any information.” [Meduza]


A Shakeup in Russia’s Top Cybercrime Unit — KrebsonSecurity

Treason charges against Russian cyber experts linked to seven-year-old accusations — Reuters

The FSB Purge: Two Narratives — emptywheel

Reuters Confirms Krebs’ Supposition on Russian Treason Charges — emptywheel

A Voice Cuts Through, and Adds to, the Intrigue of Russia’s Cyberattacks — NYT

Obama Administration Rushed to Preserve Intelligence of Russian Election Hacking — NYT
