Konstantin Kozlovskiy, a Russian hacker, made headlines throughout December with the revelation that he had confessed to hacking the Democratic National Committee, a story that even seemed to drag Kaspersky’s name into the mix. First came the claims he was responsible for hacking the DNC and doing so on orders from someone within the FSB, then came a second wave in the media with the added claim from Kozlovskiy that he had inserted a “poison pill” on the DNC’s servers in the form of data stored in a file with a “.dat” extension.
The mainstream press, however, hasn’t reported everything about Kozlovskiy and his claims.
With a few exceptions (Jane Lytvynenko & Kevin Collier writing for BuzzFeed being a good example), many are leaving out important context, omitting contradictory details and have chosen not to report some of the more outlandish claims that have been made by Kozlovskiy.
Many also avoided reporting on how Mikhailov and Stoyanov were investigated and found to have ties to the United States Intelligence Community through Dmitry Levashov and Kimberley Zenz (a fellow at the Atlantic Council), even though the article many of them reference contains a chart outlining the connections and the details of Burykh’s efforts to uncover dirt on Mikhailov.
Kozlovskiy’s Social Media Activity
While Kozlovskiy has been detained, his Facebook account has been active, with the earliest post made on August 14, 2017. According to Kozlovskiy’s wife, Anya, it is being managed by a “trusted person”. Kozlovskiy’s lawyer, when questioned by reporters working for BuzzFeed, declined to comment.
Irek Murtazin, a correspondent for Novaya Gazeta, has questioned how Kozlovskiy’s Facebook page went unnoticed by reporters for months. Murtazin said he routinely monitors social media for the hashtags and topics that appear on Kozlovskiy’s page, but he didn’t see any of the posts previously.
It does seem a little odd that Kozlovskiy’s posts remained invisible to many until recently, but stranger still is some of the content in those posts.
The FSB’s Amazing Malware
In one of Kozlovskiy’s Facebook posts (addressed to Robert Mueller), he claims that many Americans were infected with a virus that could alter their news results and what they see on social media. As BuzzFeed recently reported:
In it, the hacker claims the FSB has created an astoundingly powerful hacking tool, one that makes it possible to distort what users see on their screens, no matter which device — phone, laptop, desktop, or tablet — a person might be using.
The virus Kozlovskiy mentioned in his Facebook post appears to be unknown (both by name and by nature), and some in the infosec industry have already expressed disbelief, such as FireEye’s Ben Read, who stated:
You have some people using Internet Explorer, some people using Chrome. It would need a lot of capabilities to do this across all of the websites you use. Are you using Tweetdeck? Are you on Facebook, Google News? There are so many avenues that it becomes prohibitive to do at the scale being described.
Hacker Was Detained Before DNC Emails Were Acquired
If the implication of Kozlovskiy’s statement is that he was behind the DNC emails published by WikiLeaks, there’s a problem: he was detained before they were even acquired.
Kozlovskiy was arrested and detained on May 18, 2016 in relation to hacking Russian banks and his role as one of the leaders of a hacking group called “Lurk”.
The emails published by WikiLeaks had dates running as late as May 25, 2016.
So, at least in relation to what WikiLeaks published, Kozlovskiy cannot have been the person who acquired those emails.
It’s important to note, though, that this doesn’t necessarily debunk Kozlovskiy’s claims. He could, in theory, have created malware or carried out hacking that enabled others to retrieve the emails after he was detained. He could also have been involved in an earlier breach of some sort at the DNC; after all, Cozy Bear (APT29) malware is thought to have been on the DNC network since Summer 2015.
Other Questionable Hacking Claims
Kozlovskiy has also made things unnecessarily difficult for himself regarding his credibility, because he has also claimed responsibility for hacking WADA (World Anti-Doping Association), a hack that appears to have been carried out months after Kozlovskiy was detained. Moreover, that hack has been attributed to “Fancy Bear” (APT28), which, according to US intelligence and cyber-security industry sources, would make the GRU rather than the FSB responsible for it.
As The Bell reports:
In his testimony and letters Kozlovsky claims that in recent years he allegedly received tasks from the FSB “to conduct events” in the US and EU countries. From the first letter of Kozlovsky it follows that he allegedly was involved in many other high-profile hacker attacks, including the hacking of the World Anti-Doping Agency (WADA) servers. But WADA reported this attack only in September 2016, and the first leak of documents stolen as a result of this attack occurred in August. Kozlovsky had already been in jail for at least three months. In addition, the attack on WADA was carried out by the hacking group Fancy Bear, which US intelligence services connect not with the FSB but with the GRU.
Kozlovskiy has claimed to have carried out a hack a considerable time after he was detained. This in itself raises questions about the veracity of Kozlovskiy’s claims.
He goes even further, claiming to have had a hand in the creation of the WannaCry ransomware, something he claimed in an interview with the TV channel Dozhd.
Timing In Relation To Alleged FBI Bribery of Yevgeniy Nikulin
The timing of Kozlovskiy’s allegations is interesting too.
His statements were made in November 2016, just one month after another hacker, Yevgeniy Nikulin, had been arrested for hacks against LinkedIn, Dropbox and Formspring between 2012 and 2013.
Nikulin has stated in a letter, passed to his lawyer Martin Sadilek and reported by The Moscow Times, that after his arrest on October 5, 2016, he was visited by the FBI several times, the first of those visits being on 14-15 November, 2016.
During those visits, Nikulin alleges, the FBI asked him to confess to hacking John Podesta’s emails. To quote the Newsweek article that reported it:
the FBI visited him at least a couple of times, offering to drop the charges and grant him U.S. citizenship as well as cash and an apartment in the U.S. if the Russian national confessed to participating in the 2016 hacks of Clinton campaign chief John Podesta’s emails in July.
And in a letter sent to CurrentTime TV, he claims he was visited in February, 2017, and was told:
You must say that it was you who broke H. Clinton’s mail that you prepared and penetrated into the democratic network and polling stations on Putin’s orders, you will name the accomplices, agree with extradition, and in America we will solve all the issues, live in an apartment and we will provide for all of you.
He claims he was offered U.S. citizenship, cash and an apartment in the U.S. if he was willing to confess to the hacking (according to the Newsweek article).
Of course, correlation isn’t causation, and these things could be coincidental, but if Nikulin’s claims are true, it would mean the FBI was looking for hackers to act as a fall guy or scapegoat just prior to Kozlovskiy’s allegations being made.
It has been reported that Kozlovskiy has said he was ordered to hack the DNC (to help Trump) by an FSB Major named Dmitry Dokuchaev, who, according to Kozlovskiy, was operating under the pseudonym “Ilya”.
However, it is also reported that Dokuchaev had previously operated under the pseudonym “Forb” before joining the FSB and that he had ties to Shaltai Boltai (aka Humpty Dumpty), a hacking group that hacked Russian officials and published their emails.
Dokuchaev was arrested in December 2016 on suspicion of treason. Sources for The Bell have claimed that this is in relation to him providing US intelligence services with information about those who hacked the DNC. This, however, overlooks the fact that his ties to Shaltai-Boltai will have long preceded anything relating to the alleged hacking of the DNC.
So, we are told, he was a hacker who worked against the Kremlin for Shaltai-Boltai, then became an FSB officer while acting as an informant to US intelligence and, according to Kozlovskiy, was also the person who ordered Kozlovskiy to carry out the hacking.
This seems murky at best and does raise questions about the veracity of the claims being made by The Bell’s sources.
As well as mentioning Dokuchaev, Kozlovskiy also mentioned the names Ruslan Stoyanov and Sergey Mikhailov.
Ruslan Stoyanov was a cybercrime investigator who worked for the Russian cybersecurity firm Kaspersky. He was named by Kozlovskiy; however, it’s unlikely the two are on talking terms, because Stoyanov helped in the investigation that exposed Kozlovskiy and other hackers.
He was arrested last December along with Dokuchaev and Sergey Mikhailov in relation to activities that Kaspersky has publicly stated occurred before he joined Kaspersky, stating:
This case is not related to Kaspersky Lab. Ruslan Stoyanov is under investigation for a period predating his employment at Kaspersky Lab. We do not possess details of the investigation. The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments.
Covering the fact that Stoyanov was involved in the investigation that led to the arrest of Lurk members (of which, Kozlovskiy was one), The Bell reported:
But before his arrest, Stoyanov was one of the participants in the investigation into the case of the Lurk group, in which Kozlovsky is a defendant, and even gave comments on this in the media.
A representative of Kaspersky Lab confirmed that Stoyanov took part in the investigation into the Lurk group “as a specialist in conducting investigative actions at the request of the Investigative Department of the Ministry of Internal Affairs of the Russian Federation.”
The arrest of Stoyanov seems to have had a connection to information allegedly being given to VeriSign’s iDefense department (initially through a contact called Dmitry Levashov).
As Gizmodo reported back in February:
According to a Reuters source, the treason charges are related to accusations made by a Russian businessman named Pavel Vrublevsky seven years ago. In 2010, Vrublevsky, founder of internet payment firm ChronoPay, reported the suspects to authorities. He claimed that they had passed state secrets to American firms including Verisign, a company that specializes in domain name services and internet security, which then turned them over to US intelligence. Reuters reports the accusations were never investigated.
A spokesperson from Verisign, the only American firm identified, denied that it had been given any secret information. The company does have an iDefense unit that gathers information on cybercrime and supplies dossiers to US intelligence, but the spokesperson insisted that it does not deal in classified information. “Nothing like the arrangement as described by Pavel Vrublevsky ever took place,” said Kimberly Zenz, a former analyst at Verisign’s iDefense unit.
Sergey Mikhailov is reported to have been Dokuchaev’s immediate superior at the FSB and was the deputy head of the information security department of the FSB. He was also arrested on suspicion of treason. Dokuchaev has been described as Mikhailov’s “right-hand man”, and there are allegations that both men are connected to the hacking group Shaltai-Boltai.
Russian independent news outlet Novaya Gazeta has reported that the FSB believes Mikhailov tipped off U.S. officials to information about Vladimir Fomenko and his server rental company “King Servers,” which the American cybersecurity company ThreatConnect identified last September as “an information nexus” used by hackers suspected of working for Russian state security in cyberattacks.
Fomenko’s business partner has long accused Mikhailov of working with the FBI, and Mikhailov has also been alleged to have passed on details of dissident Russian hackers to US intelligence and Kimberley Zenz through Ruslan Stoyanov and Dmitry Levashov.
Dmitry Levashov was Ruslan Stoyanov’s former business partner and close friend. Levashov was also Zenz’s common-law husband.
It is alleged that Levashov is the one who helped Zenz get information from Mikhailov and later introduced her to Dokuchaev.
Kimberley Zenz works for Deutsche Cyber Sicherheitsorganisation but previously worked at VeriSign iDefense (as we’ve already covered in relation to Stoyanov’s arrest in previous paragraphs).
The Bell article most frequently referenced by our own media also has an interesting chart, based on an investigation carried out by Dmitry Burykh, that puts Zenz in quite a pivotal position.
[Chart of the connections identified by Burykh; source: The Bell]
It is also a position that retains its usefulness in her role as a fellow at the Atlantic Council, where, of course, she is no stranger to Dmitri Alperovitch (of CrowdStrike).
Zenz has denied involvement in the scheme to Reuters and also made a statement to RBC:
“I never did that. I do not work for the CIA, I never gave them information and was not a government agent of any state. I also stated my readiness to testify to Russian law enforcement agencies, and they know how to contact me, but did not do it”
However, this wasn’t actually a refutation of any of the connections Burykh had identified.
It should be noted that Burykh was a former SVR agent who later came to work for Pavel Vrublevsky. After Vrublevsky was arrested and sentenced to 30 months for hiring a botnet from a third party to attack a rival payment processing firm, he asked Burykh to dig up dirt on Sergey Mikhailov, as Vrublevsky was convinced that Mikhailov was working with US intelligence.
So it is possible that some of the claims stem from a grudge Vrublevsky holds against Mikhailov; however, the connections outlined by Burykh certainly forge a plausible path from these Russian dissidents to the US intelligence community via Zenz.
Shaltai-Boltai / Humpty-Dumpty / Anonymous International
Anonymous International (aka Shaltai-Boltai / Humpty-Dumpty) is a hacking group known for hacking the Russian government and leaking information and documents obtained from government officials. They target high-profile politicians, departments of government and large corporations, selling the data they acquire online.
Dmitry Dokuchaev, Ruslan Stoyanov and Sergey Mikhailov are all alleged to have historic ties with the group.
From all the murkiness surrounding this, several theories have emerged; however, only some of them have gained traction in our mainstream press.
Towards the end of December 2017, several mainstream sites published a theory that the whole Kozlovskiy story could be a plot by the Kremlin to undermine the intelligence allegedly gathered by the network that Burykh had identified or to undermine US intelligence in general.
Away from the mainstream press, other theories have been presented. One example is the theory that this may have been an attempt to find a “fall guy” or “scapegoat” to take the blame for hacking the DNC, as a means of being able to “gaslight” the public when needed, in case the claims made about the DNC being hacked were later questioned.
Regardless of the theories out there, one thing remains consistent throughout the observations from both sides: Kozlovskiy’s claims seem far-fetched, and some of the things he has asserted are contradicted by the facts surrounding his arrest and detention.
The timing of his statements (November 2016), the fact that all of the evidence appears to have first been placed online (on Facebook) only recently (in August 2017), and the fact that this wasn’t generally known about until the last couple of months all add to the intrigue.
Ultimately, though, there are so many holes, contradictions and outlandish claims that cyber-security professionals have expressed doubts about some of what he has alleged.
With regard to Kozlovskiy’s “poison pill” claims, if the DNC or CrowdStrike suddenly discover the “poison pill” that Kozlovskiy refers to, it had better be on the disk images given to the FBI too, or people will understandably question whether Kozlovskiy pushed his details to Alperovitch via Zenz so that the evidence could be fabricated.