Friday, April 14, 2017

Shaltay Boltay: The Fall of Russia's Humpty-Dumpty

by Nomad

One of the stories that was, I think, under-reported in all of the ongoing Trump-induced chaos was the strange tale of the arrest of the Russian colonel. Here's some information on that mysterious event. 

The Arrest of the Colonel

In December 2016, one of Russia's top security officials was arrested and it was, by all accounts, an extremely dramatic event. During a meeting, officers grabbed him, putting a bag over his head before taking him away. The charge: high treason.

The accused, Colonel Sergey Mikhailov, was the former chief of the 2nd Operational Management of FSB Information Security Center (ISC).

At the time of the arrest, it was tempting to make some kind of connection between Russian interference in last year's election and this arrest. The spate of mysterious deaths of Russian officials calls out for some explanation or theory about what's really going on behind the scenes.
However, the story of this particular event, based on the information which has emerged, could easily have been the subject of a le Carré spy thriller.

Russian media reported that Mikhailov was one of the masterminds of a hacker group called Shaltay Boltay, roughly translated as Humpty Dumpty.
This group claimed to be affiliated with the global network of hackers and activists, Anonymous. The mission of Shaltay Boltay was to challenge the state monopoly on news and information.

While he might have been the leader, Colonel Mikhailov was not the only one arrested. His colleague, Major Dmitry Dokuchaev, a senior officer of the 2nd Operational Management of FSB Information Security Center, was also charged and taken into custody. Dokuchaev worked as a hacker under the alias “Forb.”

The Moscow Times reports:
“Forb” gave an interview to the Russian newspaper Vedomosti in 2004, revealing that he specialized in “hacking on request” and stealing money from bank cards – an occupation which he said could earn him anywhere between $5,000 and $30,000 a month.
He also claimed that he had carried out a successful attack on U.S. government infrastructure.
In addition to those names, the police arrested former journalist Vladimir Anikeev. The only civilian to be arrested, Anikeev was reported to be one of the leaders of Anonymous International, codenamed "Lewis". More importantly, Anikeev is believed to be the founder and leader of Shaltay-Boltay.

Anikeev's alleged accomplices included two employees from Kaspersky Lab and a former technical assistant at Mobile TeleSystems (MTS), the largest network provider in Russia.

As one of the two employees of the private Russian technology firm Kaspersky Lab, Ruslan Stoyanov was a big fish. He was the head of the cyber-investigation division. His job consisted of analyzing cybercrime cases and offering expertise in criminal cases concerning cyber security.
According to a press release from Kaspersky, Stoyanov's alleged criminal activities predate his time with the company.
Interestingly, Stoyanov's LinkedIn profile shows that from 2000 to 2006, he served as a major in the cybercrime unit of Russia's Ministry of Interior.

If the government investigation is correct, the team was apparently doing a bit of moonlighting on the side. Still worse, the very officials in charge of investigating hacking operations were, in fact, running them.

Humpty Dumpty on the Wall

There's no question that Shaltay Boltay was a thorn in Putin's side. Breaking up this secret hacker group is certainly another victory in the ruling party's otherwise successful effort to control the narrative. As one of the group's representatives said:
"One of our aims is to inform society about what's really going on; meaning, not to show the picture that is given in Kremlin and non-Kremlin media."
Under Mikhailov's leadership, Shaltay Boltay repeatedly embarrassed the administration with its attacks on the mailboxes of senior officials and media personalities. Most of the information it obtained was sold.

President Vladimir Putin and Prime Minister Dmitriy Medvedev.

The hackers' targets have included none other than President Putin and Prime Minister Medvedev. In 2014, Medvedev's Twitter account was hacked and humiliating remarks were posted under the Prime Minister's name.
Using the account, which had more than 2.5 million followers, the impersonators posted tweets denouncing Putin and claiming that Medvedev was resigning for a new career as a freelance photographer. The hackers wrote:
"I resign. I am ashamed of the government's actions. I'm sorry."
On their blog, they later published information from Medvedev's private email account, which he or his assistants used for online purchases, among other things. They also published several pictures of Moscow that the prime minister had allegedly taken from a helicopter.
The BBC reported at the time that the fame of the group rested less on pranks and more "on a track record of publishing internal Kremlin documents."

In one case, Shaltay-Boltay published private emails allegedly belonging to the head of a Kremlin-inspired "trolling" campaign, tasked with filling the comments sections of Western news websites with pro-Putin messages. Behind that disinformation campaign, one of many so-called Putin troll nests, was a St. Petersburg-based company called Konkord.
Subsequent investigations by journalists gave birth to the online slang phrase "trolls from Olgino," after the historic district where Konkord's offices are located.

It was reported that a series of fake accounts were registered on major discussion boards, including social networks, online newspaper sites, video hosting services, etc. These accounts were used for promoting the Russian point of view on topics involving Ukraine and the Middle East.
In effect, Shaltay Boltay pulled down Putin's pants for the world to laugh at.
*   *   *
That BBC report noted other PR nightmares for Putin.
Other coups include leaking what it said were private emails of the Russian rebel commander in eastern Ukraine, Igor Girkin (aka Strelkov), apparently discussing separatist plans as far back as 2010, as well as purported Kremlin instruction notes telling Russia's main TV stations how to cover big stories.
In one of the more embarrassing incidents, Shaltay Boltay was able to retrieve and post Putin's 2014 New Year's speech before he delivered it. If the message wasn't clear enough, the hackers were not afraid to put the cherry on top with the statement:
“We’re always with you, even when you least suspect it."
Since Colonel Mikhailov and Major Dokuchaev were among the government's most trusted intel officials, Shaltay Boltay's claim was accurate.

Hackers for Hire

USA Today reported back in 2014 that the hacking group's political motives should not be overestimated. The political views within the group seem to range widely. As one member reportedly said:
"Some members have liberal views, while others support ideas from the Russian empire. So far, however, we've managed to work together. We are not idealists, but sometimes you want to change the world for the better."
In 2015, Anikeev, under his alias, gave an interview in which he said:
“We get orders from government structures and from private individuals. But we say we are an independent team. It’s just that often it’s impossible to tell who the client is. Sometimes we get information for intermediaries, without knowing who the end client is.”
The group might have begun life as a political organization, but over time insiders reported that members were selling information obtained online for bitcoins and that the group was becoming “increasingly commercial”.
Hackers for hire, in other words.

This wasn't a betrayal of principles. In fact, Shaltay Boltay never pretended to be principled hacktivists. There was big money to be made in trafficking information and the group reportedly made $1m to $2m selling files, most of which was spent on “operational expenses.”
It's unclear whether those profits came from ransom payments by victims or from selling the files as blackmail material against businessmen and government officials.

Trolls and Moles

Bloomberg gives this picture of how the blurred relationship between intel agencies and hackers allowed this breach of Russian security:
It's clear why such a competitive intelligence operation could be an interesting sideline for FSB officers. The officers come by all sorts of information in their line of work, and if sold indirectly, through an "independent contractor," it can supplement their FSB income. It works both ways; the FSB's Major Dokuchaev, who reportedly worked on the Shaltay Boltay case, used to be a respected Yekaterinburg hacker nicknamed Forb until he was recruited by the FSB.
The pro-Putin news agency Sputnik quoted a Russian law enforcement official as stating that the CIA did not appear to have been behind this treason case.
However, the source added:
"It is assumed that they regularly provided information to foreign, likely US, intelligence service members."
Interestingly, Ivan Pavlov, the Russian lawyer and open government activist, who represents one of the suspects, said:
"My client, along with the others, has been charged with state treason and cooperating with US intelligence services."
When CNBC attempted to connect some of the dots, US intel agency staffers were naturally close-lipped. CNBC quoted a US intelligence officer, who asked not to be named due to the sensitivity of the story:
"There are a small handful of people who would know if one or both of these men was a US asset or in any way involved in any intelligence operation, and I'm not one of them... Obviously, this could also be an internal struggle within the FSB, in which case we would have little daylight into what was happening."
Given the number of revelations about Trump staffers and their alleged Russian connections (including the former head of the NSA, General Michael Flynn), a leak to the Russians about moles in the FSB is not out of the question.

A Great Fall

By the end of last year, time was running out for Humpty Dumpty. Two leaks seemed to tie Mikhailov to the hacker group. The most damaging leak came from the pro-Putin news organization Rosbalt. Bloomberg reported:
Quoting an unnamed source, Rosbalt claimed ... Mikhailov's unit was ordered to "work on" Shaltay Boltay. The FSB team reportedly uncovered the identities of the group's members -- but, instead of arresting and indicting them, Mikhailov's team tried to run the group, apparently for profit or political gain.
At that point, it was only a matter of time. To make matters worse, according to the Rosbalt source, Shaltay Boltay's leader was identified by name as Vladimir Anikeev.
FSB officers reportedly managed to identify all the members of the hacker group via Anikeev’s phone.

According to Anikeev’s lawyer, Ruslan Koblev, his client has admitted to being the hacker known as "Lewis" and denies knowing either Colonel Mikhailov or Major Dokuchaev. Furthermore, his client is charged only under part 3 of Article 272 (Illegal Access to Computer Information), which carries a maximum prison sentence of five years. (The high treason charges come with a 20-year sentence.)

His arrest appears to have brought down the Colonel, who suddenly found himself ushered from a meeting by police with a bag over his head.

Most Wanted

One final piece of this strange tale needs mentioning. How it fits together is anybody's guess.

On February 28, 2017, a federal arrest warrant was issued by the United States District Court, Northern District of California, for Dmitry Dokuchaev. He was, you might recall, also an officer of the Russian FSB and one of the colonel's alleged partners in crime. He was indicted along with yet another FSB officer, Igor Sushchin. They were accused of hiring Alexsey Belan and Karim Baratov to carry out the attack on Yahoo servers.

According to the FBI notification, that warrant was based on an indictment charging him with conspiring to commit computer fraud and abuse; accessing a computer without authorization for the purpose of commercial advantage and private financial gain; damaging a computer through the transmission of code and commands; economic espionage; theft of trade secrets; access device fraud; aggravated identity theft; and wire fraud. The notification states:
From at least January of 2014, continuing through December of 2016, Dmitry Aleksandrovich Dokuchaev is alleged to have conspired with, among others, known and unknown FSB officers, including Igor Sushchin, to protect, direct, facilitate, and pay criminal hackers, including Alexsey Belan. Dokuchaev and his conspirators allegedly agreed to, and did, gain unauthorized access to the computer networks of and user accounts hosted at major companies providing worldwide webmail and internet-related services in the Northern District of California and elsewhere.
This is apparently related to the hacking of at least 500 million Yahoo accounts. That unprecedented break-in allowed criminals to obtain passwords and login information for Yahoo users’ email accounts. That means any sensitive data or documents contained in Yahoo emails could be compromised – not just credit card numbers but bank account numbers, Social Security numbers, driver’s license numbers, passport information, birth certificates, deeds, mortgages and contracts to name just a few.

It was, experts say, one of the most audacious cybercrimes ever committed since it involved the sort of data that permits "full-scale identity theft, which is far more harmful to consumers than just credit card fraud."
Despite the warrants, it is highly unlikely that authorities in the US will ever get their hands on the perpetrators. Slate offers an interesting take on these developments.
The indictment filed against Dokuchaev, Sushchin, Belan, and Baratov gives the rather remarkable impression that arrest and prosecution was not necessarily even the Justice Department’s endgame. Instead, the details of the Yahoo breach laid out in the document seem designed to embarrass the four accused men, perhaps even get them in trouble with their own employer—and to spread distrust of the FSB within Russia and neighboring countries.
The colonel's name is not mentioned in FBI warrants. Perhaps the Russians tied up that loose end when he suddenly found himself given the bum's rush with a bag over his head.