By Joseph Menn and Jack Stubbs
SAN FRANCISCO/MOSCOW (Reuters) - Russian cyber-security experts have scaled back cooperation with Western contacts after one of their number was arrested in Moscow on treason charges, making it harder to fight global online crime, U.S. law-enforcement and industry sources say.
Despite acrimonious relations between Russia and the United States in recent years, experts on cyber security in both countries say their law enforcement agencies and private firms had been working together more closely behind the scenes to fight financial fraud and other crimes committed online.
But at least some of that cooperation appears to have come to a sudden halt since Ruslan Stoyanov, head of the computer incidents investigation team at Russian cyber security firm Kaspersky Lab, was arrested in December on suspicion of treason.
Two officers from Russia's Federal Security Service (FSB) were also arrested, identified by a Western security source as Sergei Mikhailov and Dmitry Dokuchayev, both from the FSB's Information Security Center.
Five experts at U.S. or other Western cyber firms all told Reuters their communication with contacts in Russia had been scaled back since the arrests, either because the Russians had stopped replying or because the Westerners had decided it was better not to contact them for now.
"Everybody has clammed up," said John Bambenek, a manager of threat research at Fidelis Cybersecurity.
The arrests send a message that "even an informal information-sharing relationship with trusted Russian intelligence and law enforcement officers might be considered treason,” said Vitali Kremez, director of research at American security firm Flashpoint.
While no charges have been officially announced, the three arrests came after U.S. intelligence agencies publicly accused Russia of interfering in the U.S. presidential election through computer hacking, an allegation Moscow denies.
Ivan Pavlov, an attorney representing one of the suspects, although he did not identify which, said the charges were for treason, related to allegations the men had provided information to U.S. spy services.
Some American cyber-security experts now think the arrests could be a rebuke to the United States or warning to Russians not to aid U.S. investigations into the election or other major controversies.
“This sends a shiver down everybody’s spine,” said a senior U.S. law enforcement official. “We were getting some headway over there” with arrests last year of suspects accused of using sophisticated software programs to steal from bank accounts in multiple countries, the official said.
DO THE RIGHT THING
The official said Kaspersky, which sells cyber security software and advice, was one of the Russian firms seen in the West as "trying to do the right thing" in cooperating with Western law enforcement agencies to help fight cyber crime.
Russia's FSB did not respond to Reuters requests for comment, and no official bodies in Russia have commented about the case. A Kremlin spokesman said only that President Vladimir Putin was aware of media reports about the arrests but the Kremlin could not confirm anything about them.
Stoyanov could not be reached for comment. Reuters was unable to find a lawyer representing him or get in touch with his family.
Kaspersky said the charges against Stoyanov related to a period before he joined the company and that it was not aware of all of his prior activities.
“The computer incidents investigation team, headed by Mr.
Stoyanov, hasn’t had any U.S. projects, as the unit primarily investigates cyber attacks on Russian companies,” the company told Reuters by email.
Stoyanov's team provides "technical assistance" to foreign law enforcement agencies, it said, but it was "not aware of any activities where Mr Stoyanov would have shared information with any organization that wasn’t specifically tied to an active cyber-criminal investigation."
Russia's Interfax news agency cited an unnamed source last week as saying a fourth person had been arrested and up to eight people could be implicated in the case. Reuters was not able to confirm this report.
Cyber crime ignores borders by its nature, and fighting it requires an unusually high level of cooperation between the companies under attack, the private security firms they hire for protection and investigations, and the law enforcement agencies in multiple countries that try to track hackers down.
Some of the best firms that sell cyber security services to private clients also perform work as government contractors and employ law enforcement veterans for their expertise.
Since Russia is one of the major sources of cyber attacks, firms particularly prize communication with Russian contacts. In the past, communication with Russian sources has depended on what people with such contacts describe as an understanding that authorities on both sides would not interfere as long as experts steered clear of classified information.
The senior U.S. official and the five experts from the private sector all said that the arrest of Stoyanov had thrown that basic assumption into doubt.
One of the private sector experts, who has extensive Moscow dealings, said his Russian contacts had stopped talking to him about anything related to the Stoyanov case. Another said a friend at a security firm in Russia was no longer talking to him about cyber crime at all, because "he has real reasons to be worried". He did not give further details.
Three other Western private sector experts said they had stopped or curtailed contacts with Russian sources from their own side, on the understanding that the Russians would no longer welcome it.
POINTING OUT BOUNDARIES
Stoyanov worked for the cyber crime unit at Russia's Interior Ministry from 2001-2006 before leaving law enforcement for the private sector, first for a large Internet service provider and then for Indrik, a small Russian internet security firm. He joined Kaspersky when it bought Indrik in 2012.
Before and after he left the Russian Interior Ministry, he had an unusually high profile abroad, attending conferences in the United States and Germany and making contact with Western government officials and people in private industry, according to people who knew him and saw him at international events.
While working for Indrik, before it was bought by Kaspersky, Stoyanov shared information about Russian criminal hacking gangs with American companies, including at least three firms that had contracts to provide services to U.S. spy agencies, people who had worked for each of those three companies said.
The sources identified one of those companies as Internet infrastructure and security company Verisign. Verisign said in an email to Reuters that its research products do not include "any information that would be classified as state secrets".
Several sources recalled that Stoyanov was careful to make sure any collaboration covered only crime-fighting and did not veer towards the taboo subjects of state-supported hacking.
“When we were learning how to work in Russia, he was pointing out to us what the boundaries of danger would be,” said a Western researcher who collaborated informally with Stoyanov for years before Stoyanov joined Kaspersky.
“He was always super-clear, whenever it came to anything dealing with the state’s interests, don’t even drift that way,” said the researcher.
(Additional reporting by Svetlana Reiter in MOSCOW and Mark Hosenball in WASHINGTON; Editing by Christian Lowe and Peter Graff)