Kaspersky Lead Incident Investigator in Russia Arrested – What it Could Mean for the Security Industry

Morey Haber, January 25th, 2017

Kaspersky Lead Incident Investigator in Russia Arrested

Authored by Morey Haber, VP of Technology with input from Scott Carlson, Technical Fellow

Now, here’s a twist. The awkward discussion of when a white hat becomes a black hat has now allegedly become reality in Russia. The lead incident investigator in Russia for Kaspersky Labs, a world recognized leader in anti-virus solutions, has been arrested on treason charges. Ruslan Stoyanov was arrested in conjunction with Sergei Mikhailov, deputy head of the information security department at the FSB, in December; however, Russian officials have been mum regarding any facts of the detainment. Forbes magazine reports that the case will be tried under Russian criminal code article 275, amounting to a, “secret military tribunal.” This supports the initial charges of treason, although the terms are unclear.

Allegations Related to Previous Work

At Kaspersky Labs, however, it is business as usual as they try to distance themselves from Stoyanov. They have issued a public statement through CNBC indicating that the company is not associated with any of the allegations, saying, “This case is not related to Kaspersky Labs. Ruslan Stoyanov is under investigation for a period predating his employment at Kaspersky Labs. We do not possess details of the investigation. The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments.” It appears the allegations are related to Stoyanov’s previous work at the Russian Interior Cyber Crime Unit. And, at Kaspersky, their daily email blast is peddling security solutions as usual (see below).

Kaspersky Lead Incident Investigator in Russia Arrested

What This Could Mean for the Security Industry

So what does this mean for the security industry? Pure uncertainty. We can only assume based on Stoyanov’s current position that he acted as a white hat as Kaspersky. Based on his previous position with the Russian government, a grey hat (probably more black than grey, however). In November, SC Magazine had an in-depth article on the ramifications of hiring black hat employees as white hats within an organization. It appears that this arrest falls into this category based on the transition and now is a media problem for both Kaspersky and the Russian government.

The uncertainly now revolves around the details of the arrest. What crime was actually committed? What data was stolen or leaked? What malware was created? What hacking was conducted? And the million-dollar question: Was any of it related to the United States election?

As a noted, respected person in the malware community, Ruslan Stoyanov is in a position of early discovery, early disclosure, and is likely often tapped for leading “world scale” cyber security research. His getting arrested could send emotional shockwaves through the community because if he can get arrested, other researchers and those who might disclose could be arrested, too. Take this as a shot over the bow.

What could this mean for the world of malware research, even if we know nothing?

  • Automated attacks will continue, but authors of attacks and researchers will go further underground
  • There will be a hardened line drawn between “pure research” and “criminal investigations” and people will be seeking “free from prosecution” clauses in their employment contracts
  • Fewer bugs and attacks will be reported with attribution, increasing the anonymity

We will probably never know, but we can sense the conspiracy theories will evolve with this arrest – and one thing we all need to watch out for is fake news. This story could easily be spun into something much more than it is now; especially with the lack of facts from Russia.

Stay tuned for more information from the BeyondTrust blog as this story unfolds. Subscribe to receive our monthly blog digests.