Authored by Morey Haber, VP of Technology with input from Scott Carlson, Technical Fellow
Now, here’s a twist. The awkward discussion of when a white hat becomes a black hat has now allegedly become reality in Russia. The lead incident investigator in Russia for Kaspersky Labs, a world recognized leader in anti-virus solutions, has been arrested on treason charges. Ruslan Stoyanov was arrested in conjunction with Sergei Mikhailov, deputy head of the information security department at the FSB, in December; however, Russian officials have been mum regarding any facts of the detainment. Forbes magazine reports that the case will be tried under Russian criminal code article 275, amounting to a, “secret military tribunal.” This supports the initial charges of treason, although the terms are unclear.
Allegations Related to Previous Work
At Kaspersky Labs, however, it is business as usual as they try to distance themselves from Stoyanov. They have issued a public statement through CNBC indicating that the company is not associated with any of the allegations, saying, “This case is not related to Kaspersky Labs. Ruslan Stoyanov is under investigation for a period predating his employment at Kaspersky Labs. We do not possess details of the investigation. The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments.” It appears the allegations are related to Stoyanov’s previous work at the Russian Interior Cyber Crime Unit. And, at Kaspersky, their daily email blast is peddling security solutions as usual (see below).
What This Could Mean for the Security Industry
So what does this mean for the security industry? Pure uncertainty. We can only assume based on Stoyanov’s current position that he acted as a white hat as Kaspersky. Based on his previous position with the Russian government, a grey hat (probably more black than grey, however). In November, SC Magazine had an in-depth article on the ramifications of hiring black hat employees as white hats within an organization. It appears that this arrest falls into this category based on the transition and now is a media problem for both Kaspersky and the Russian government.
The uncertainly now revolves around the details of the arrest. What crime was actually committed? What data was stolen or leaked? What malware was created? What hacking was conducted? And the million-dollar question: Was any of it related to the United States election?
As a noted, respected person in the malware community, Ruslan Stoyanov is in a position of early discovery, early disclosure, and is likely often tapped for leading “world scale” cyber security research. His getting arrested could send emotional shockwaves through the community because if he can get arrested, other researchers and those who might disclose could be arrested, too. Take this as a shot over the bow.
What could this mean for the world of malware research, even if we know nothing?
- Automated attacks will continue, but authors of attacks and researchers will go further underground
- There will be a hardened line drawn between “pure research” and “criminal investigations” and people will be seeking “free from prosecution” clauses in their employment contracts
- Fewer bugs and attacks will be reported with attribution, increasing the anonymity
We will probably never know, but we can sense the conspiracy theories will evolve with this arrest – and one thing we all need to watch out for is fake news. This story could easily be spun into something much more than it is now; especially with the lack of facts from Russia.
Stay tuned for more information from the BeyondTrust blog as this story unfolds. Subscribe to receive our monthly blog digests.

Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.