Is Putin Trying to Pin the DNC Hacks on America’s Own Spies?

New Russian reporting on imprisoned hackers and intelligence operatives suggests a head-spinning plot.


In early December 2016, just a month after Donald Trump’s stunning presidential victory, Russian authorities stormed a meeting at the headquarters of the FSB, the country’s successor to the KGB, on Moscow’s Lubyanka Square. They were there to arrest Sergei Mikhailov, the second-most senior staffer in the agency’s cyberintelligence arm. The secret arrest was quick and dramatic, as several FSB officers pulled a bag over the head of their colleague and hauled him away in handcuffs. 

Two months later, following several other associated arrests of current and former FSB officials and cybersecurity experts, the Russian newspaper Kommersant exposed the arrests and the charges: treason. 

Earlier this month, the Bell, a respected Russian news startup, published new reporting suggesting the treason prosecutions are tied to Russian interference in the US election. The Bell’s allegations, along with a follow-up story on claims related to another hacker, have raised skepticism and suspicion—including of a possible plot to pin the hack of the Democratic National Committee on the US’s own intelligence agencies.

Mikhailov’s arrest, which was followed by the arrests of Ruslan Stoyanov, a senior investigator at cybersecurity firm Kaspersky Lab, Georgy Fomchenkov, a former FSB official, and Dmitry Dokuchaev, a Mikhailov lieutenant, coincided with US intelligence agencies releasing public conclusions that the Kremlin had interfered in the 2016 election. The disclosures implicated the FSB’s Center for Information Security—Mikhailov’s and Dokuchaev’s department. 

Over the next several months, theories and information about the four men’s cases came out in a slow, confusing trickle. Maybe the arrested had passed information to American intelligence agencies that helped apprehend a Russian hacker—also the son of a Russian parliamentarian—two years before the election. Maybe the arrests were the result of bureaucratic infighting at the FSB. Reuters reported that the treason charges might have to do with Russian entrepreneur Pavel Vrublevsky, and his electronic payment company Chronopay. Mikhailov had provided key testimony in a 2013 Russian trial that sent Vrublevsky to prison for hacking the website of Russia’s national airline, Aeroflot. Vrublevsky, in turn, had claimed for years that Mikhailov was passing state secrets to American companies, who then turned them over to US intelligence, including information about him and his business.

The Bell’s recent reporting has complicated these theories. It cited three anonymous sources who said that while the prosecution is, on paper, about industrial espionage against Vrublevsky’s business, in reality, the treason charges are being brought to prosecute the group for providing US intelligence secret information about Russia’s role in hacking the Democratic National Committee. The treason charges relating to Vrublevsky, the Bell reported, are a red herring, deployed because a prosecution for providing information about the DNC hack would undermine the Kremlin’s consistent denials of interference in the US election.

While The New York Times was the first outlet to link the arrests with the DNC hacking, the Bell provided new details, including that Mikhailov provided US intelligence information that the GRU, Russia’s foreign intelligence agency, was behind the hack. That assertion was made public in a January 2017 report from the American intelligence community.

The claim, said four cyber experts that spoke with the Bell, would have been impossible to arrive at by only looking at the hack’s technical traces. “To prove specifically that the GRU was involved, US investigators would have needed inside sources, preferably with access to confidential state matters,” noted the Bell, summarizing the opinion of one of its sources. “Mikhailov had that access.”

The Bell followed up with a report on another hacker on trial in Russia—Konstantin Kozlovsky, who is accused along with 50 other people of creating a virus that siphoned 1.7 million rubles ($28.7 million) from Russian banks.

Citing posts and court transcripts on a Facebook page attributed to Kozlovsky, the Bell relayed claims that he had hacked into the DNC servers and Hillary Clinton’s email at the direction of FSB officers. In the court recording posted to the page, Kozlovsky claims that the FSB’s Dokuchaev—the one on trial in the treason case—was Kozlovsky’s handler, and that he had “performed different tasks on assignments by FSB officers” for years. But several people, including Dokuchaev’s lawyer and a law enforcement source, told the Russian business newspaper RBC that there is no evidence the two men knew each other. Both Kozlovsky and Dokuchaev are from Yekaterinburg and studied at the same university, though not at the same time. Sources implied to RBC that Kozlovsky is taking advantage of these biographical details in order to incriminate the FSB, and help his own position in the case.

Other doubts about the posts on Kozlovsky’s Facebook page, which were made while the hacker was imprisoned, quickly emerged. None of the reporting on election hacking or the investigation into her use of a private email server has found evidence that any Hillary Clinton email account was successfully compromised, as Kozlovsky’s page claims. The page also boasts of participating in a September 2016 hack of the World Anti-Doping Agency, but, as RBC has pointed out, it wasn’t completed until four months after Kozlovsky’s arrest, when the group behind the attack released information about US athletes.

The Facebook page also has a post containing a note purportedly from Kozlovsky addressed to Robert Mueller, in which he warns that the FSB used a powerful technology during the US presidential election to distort information appearing on other people’s computer screens. But such technology “just doesn’t make technical sense,” Ben Read, the manager of cyberespionage analysis at the cybersecurity firm FireEye, told Buzzfeed. Plus, it’s hard to believe that its deployment would have gone unnoticed by others in the cybersecurity industry. 

Kozlovsky isn’t the first imprisoned hacker to gain attention by claiming a connection to the DNC hack. The AP’s Raphael Satter has reported on at least three others, but found their claims to be unsubstantiated. “None of this is to say these guys [that the Bell reported on] weren’t being prosecuted as part of generalized post-DNC crackdown on Russian hackers,” he noted on Twitter. “But take hackers’ claims with a grain of salt.”

A story in Novaya Gazeta, Russia’s most prominent independent newspaper, alleges that the two stories are together part of an FSB “operational game” to make the US look bad—by suggesting that the DNC hack can be blamed on the Americans. With Dokuchaev and his boss Mikhailov already on trial for sharing information with US intelligence, the article’s author, Irek Murtazin, says Kozlovsky’s posts may be “aimed at strengthening a version of the story, the essence of which is that Mikhailov worked for the US special services, and it was on the assignments of Americans that the websites of the Democratic Party and personal correspondence of Hillary Clinton were cracked.” In other words, if Kozlovsky was, as he claims, hacking the DNC by the orders of his FSB handlers, while those handlers were in fact moles for the US—well, then, Americans are really the ones to blame. 

Why would such a head-spinning theory make sense? Because, Murtazin writes, Russian authorities have not yet decided “which ‘truth’ is better to admit: that Russian special services really interfered in the American elections or that an American spy worked in the heart of the Lubyanka. As they say, both versions are ‘worse.’”

Kozlovsky’s confession also provides a convenient out for the Kremlin, notes Mark Galeotti, a researcher on Russian crime at the Institute of International Relations in Prague. By placing the blame on people who are already imprisoned for treason, and already seen as rogue intelligence elements defying the Kremlin, “it moves the blame to an outsourced hack. This would allow Putin to pretend to be shocked that there are hackers in Russia doing this,” Galeotti told Newsweek.