What Kleptocratic Support for Cybercriminals Means for Russian Cybersecurity Services


The use of deniable actors is hardly unique to Russia, but the state’s complicity and even outright involvement in organized crime is. OODA’s report “The Russian Threat” suggests that “Russia should be considered a kleptocracy, where the rule of law exists as long as it supports the objectives of the state and the ruling oligarchs.” The report further notes that because the law is subject to the state’s whims, Putin is able “to act decisively to defend Russian interests and to pursue opportunities he views as enhancing Russian prestige and power abroad.” The co-opting of cyber criminals represents just such an example of kleptocracy enabling the Russian state to seize controversial opportunities that would be waylaid by opposition from “checks and balances” in true democracies. This ability to act with impunity may be a major factor in explaining why “Putin’s Cyber OODA Loop is Tighter Than Yours”.

Collaboration between the Russian state and cybercriminals is particularly indicative of kleptocracy because it has targeted Russia’s own domestic politics. According to an article by Daniil Turovsky in Meduza, domestic opponents of Putin began to be increasingly targeted by organized Russian hacktivists in October 2005, after a Chechen attack on Nalchik, the capital city of Russia’s Kabardino-Balkaria Republic. Turovsky further notes that Petr Levashov–the primary driver behind the organized non-state hacking efforts against Chechnya in 2005 and one of the first cybercriminals to be brought into the fold by Russian intelligence agencies–openly admitted to sabotaging domestic political opponents for Putin’s United Russia Party as early as 2007.

Cybercriminals Dmitry Dokuchaev and Konstantin Kozlovsky proliferated a sort of Robin Hood complex among Russia’s hackers, whereby cybertheft was justified both by the insurance of foreign banks and the economic weakness of Russia in the post-Cold War world, but Kozlovsky’s “Lurk” hacker organization dared to target even Russian banks. Kozlovsky was eventually arrested, but such forbidden cyberattacks do not always dissuade the FSB from turning hackers, as demonstrated in July 2018, when the FSB had the charges dropped against a hacker in Belgorod who appeared to have committed 545 attacks against the FSB itself. This acceptance of criminals in Russia lends credence to accusations that the country is a kleptocracy.

The Russian state’s disregard for legal norms also leads to the blurring of state and industrial espionage. After all, a major aim of state supported cyberattacks is the theft of technology being developed in America, as part of its larger goal of leveling the economic playing field.


In a previous report, I questioned the trustworthiness of Russian cybersecurity firm Kaspersky. After all, while the group may wish to appear trustworthy to international clients, it may also be beholden to the state backers of the very criminals it is supposed to defend against. The prevalence of Russian hackers has driven demand for Russian cybersecurity firms to investigate and counter them, but they can only continue to do so as long as the Russian state permits it. Much like the proverbial “boy who cried wolf”, the duplicitous activity of Russian non-state actors has a cost, in the form of generalized distrust.

The kleptocratic nature of the Russian state may prove a double-edged sword for Russian cybersecurity firms. In such a system, both criminals and corporations wield abnormal political influence. Moreover, even as criminal-corporate-state collaboration may undermine trust in Russian cybersecurity, it may act as a sort of protection racket, whereby cybersecurity firms are complicit in the very threats driving demand for their “insider” intelligence on regional criminal groups.

The effects of the Russian state’s collaboration with cybercriminals on Kaspersky appear to have been largely negative. As Turovsky noted, Kaspersky’s own former head of investigations, Ruslan Stoyanov, has publicly decried the state’s use of cyber-criminals as proxies, despite facing treason charges, because such proxy criminals may be emboldened to steal foreign money, relatively safe behind the immunity afforded them by their government.

Moreover, as noted in early 2018 by Evan Gershkovich of the Moscow Times, Kaspersky has lost the trust of many of its Western clients due to its close relations with the FSB. This is a massive blow, as Kaspersky represents “Russia’s most successful cybersecurity firm and the only one to have established a firm presence abroad”, with half of the firm’s sales going to Western clients. Suspicion is warranted. As an encryption developer, Kaspersky is forced by Russian law to acquire a license from the FSB, and allow the agency full access to their work. The FSB also had their own personnel implanted within Kaspersky, which they leveraged to arrest Kozlovsky. While cooperation between cybersecurity firms and their host state’s intelligence agencies in pursuit of cyber criminals is not in and of itself abnormal, the extent of cooperation in Russia is. And if this were not enough to arouse concern, Israeli intelligence found that Kaspersky had obtained NSA information after an NSA employee downloaded and installed their software on a home computer. As a result of Russian state-supported cyberattacks, Gershkovich observed, “In the United States, … the lines between hacker and cybercrime investigator have become increasingly blurred.”

Still, more specialized Russian cybersecurity firms may prosper. As noted by Gershkovich, another Russian cybersecurity firm, Group-IB, started expanding into Western markets even as Kaspersky’s reputation abroad suffered. Antivirus software must be granted full access to data in order to seek out malware. Because Group-IB, a threat intelligence company, does not offer such services, less trust is needed for them to profit from Western customers. Their proximity to the perpetrators of cyber-attacks abroad makes both Kaspersky and Group-IB valuable sources of threat intelligence unavailable to more distant firms, but that proximity may still mean that clients must be prepared to examine such intelligence critically.

Moreover, even as they have damaged the credibility of Russia’s own cybersecurity sector, Russian cyber offensives have also counterintuitively strengthened rival cybersecurity industries in Russia’s near abroad. As noted by e-Estonia, after Russia launched a massive cyberattack against Estonia over a statue in 2007, Estonia was able to make improvements to its already robust security, leading to its recognition today as a global pinnacle of cybersecurity. What’s more, NATO, disturbed by Russian aggression and impressed by Estonian innovation, has become more involved in the country since Russia’s cyber aggression.

Fundamentally, Russian cybersecurity firms may be hindered by their own government’s isolationism, epitomized by the plan to disconnect “Runet” from the worldwide web, as detailed in a recent OODA News Brief. This would seem to signify a move toward what Jason Healey terms a “Leviathan Internet”, as described in my report on cyber defensibility.

Tyler Robinson

Tyler Robinson is an OODA analyst currently based in Colorado Springs, Colorado. He holds an undergraduate degree in International Relations and a Master of Letters in International Security Studies from the University of St Andrews. His research interests include political psychology, deniable actors, gray area phenomena, and privatized security.