The Fall of a Russian Cyberexecutive Who Went Against the Kremlin

At a business awards ceremony in February 2019 at the Kremlin, a young cybersecurity entrepreneur named Ilya Sachkov chatted with Russian President Vladimir Putin. As cameras rolled, Sachkov invited Putin to visit the Moscow offices of his company, Group-IB, to see its powerful antihacking technologies firsthand. “You’ll definitely be astonished,” he said.

It was the height of Sachkov’s success. He’d started Group-IB as a college student and built it from a tiny consulting firm into one of Russia’s most prominent security businesses. The company had hundreds of employees and was trying to expand into the U.S., Europe, the Middle East, and Asia. Sachkov traveled the world, cutting a glamorous figure in smartly tailored suits.

In a dramatic reversal of fortunes, the once-globetrotting executive is now languishing behind bars after being arrested in September and accused of treason. Sachkov, 35, denies the charges. He faces up to 20 years in a labor camp.

Details of the crimes Sachkov is accused of are shrouded in official secrecy. (Russian authorities don’t disclose specific charges in treason cases.) But interviews with a half-dozen people close to the case reveal that the surprise detention of Sachkov has links to one of the government’s most notorious hacking operations.

One of his alleged transgressions is that he gave information to the U.S. government regarding a hacking team in Russia’s GRU military intelligence service—dubbed “Fancy Bear” by U.S. cybersecurity companies—and its efforts to influence the 2016 U.S. presidential election, four of the people tell Bloomberg. The information Sachkov disclosed helped the U.S. government identify GRU agents involved in the hacking, three of the people say. The FBI declined to comment.

Bloomberg couldn’t determine whether those alleged acts are part of the official charges against Sachkov. Russian media has reported that the charges relate to a separate incident from 2014.

Interviews with people familiar with his case—including close associates, former Group-IB employees, and ex-Russian security officials who maintain close ties to the government—reveal that Sachkov worked in recent years to ingratiate himself with Western intelligence and law enforcement agencies. He sought to reduce his dependence on Group-IB’s Russian state contracts and to enter international markets, a risky game that made him a target of suspicion for both the U.S. and Russia.

Group-IB tells Bloomberg its work in fighting cybercrime has relied only on official agreements or requests from law enforcement agencies, not informal relationships. Sergei Afanasyev, Sachkov’s lawyer, declined to comment on any aspects of his case.

“In Putin’s eyes, the most serious problem is traitors,” says Tatiana Stanovaya, founder of the political consulting firm R.Politik and a nonresident scholar at the Carnegie Moscow Center. “He is full of hatred toward people who leak information.”

U.S. President Joe Biden is seeking greater help from Moscow to curb ransomware attacks and hunt cybercrime gangs operating from Russia. The prosecution of Sachkov doesn’t bode well for those efforts, says Christopher Painter, a former top U.S. cybersecurity official: “This sends a bad signal about cooperation with the U.S.”

Group-IB performs digital forensics and hacking investigations, among other services, and builds technologies that look for breaches deep within computer networks. Some of its most consistent clients have been state-controlled corporations in Russia, including the country’s top two banks, Sberbank and VTB, and Russian government bodies such as the space agency, the central bank, the interior ministry, and the investigative committee (Russia’s equivalent of the FBI). The company obtained a license to work with secret government information, according to two former Russian security officials and an ex-employee. Group-IB denies having such a license.

Dmitry Volkov, a co-founder and now chief executive officer of Group-IB, told Bloomberg in October that Russia accounted for more than half the company’s revenue last year and that he expected that to fall to 40% by the end of 2021. Despite Sachkov’s imprisonment, Volkov said, the company is still looking for a strategic foreign investor and is continuing with plans for an initial public offering on an international market.

Volkov said in late November that Sachkov built bridges with law enforcement agencies around the world “as he has always seen the company’s primary goal in fighting cybercrime worldwide and protecting the company’s customers.” Although Group-IB has the knowledge to identify and counter cybercriminals, Volkov said, “it’s only law enforcement agencies that are authorized to carry out justice and ensure that attackers are captured and no longer pose a threat to anyone. This has been Group-IB’s universal strategy in all the regions of our presence.”

Four months after the awards ceremony at the Kremlin, Group-IB moved its headquarters from Moscow to Singapore, furthering Sachkov’s ambition to build an international powerhouse. He set up offices last year in Amsterdam and Dubai. One way Sachkov sought to establish his credentials internationally was to work with Western law enforcement, four people with knowledge of the matter say.

Sachkov’s mother, Lyudmila Sachkova, described her son as strongly goal-driven and unafraid to take on responsibility, as well as having a head for research and “a keen sense of justice.” Her son was inspired to set up his cybersecurity business after reading a book by two former U.S. Air Force cyberagents, Incident Response: Investigating Computer Crime, she told Bloomberg in a written statement through Group-IB.

Under the umbrella of fighting cybercrime, Group-IB promotes on its website collaboration agreements with Interpol, Europol, and other foreign law enforcement agencies—routine partnerships for Western technology companies. But in courting foreign officials while continuing to do government work in Russia, Sachkov walked a dangerous tightrope.

He became entangled in a byzantine web of powerful Russian technologists and intelligence officials who’ve now been accused of treason, according to earlier accounts in Russian media and new reporting by Bloomberg.

A central figure is Sergei Mikhailov, 47, a former senior official with the Federal Security Service, or FSB—the main domestic successor to the Soviet-era KGB—who led investigations into cybercriminals in Russia. Mikhailov was arrested in Moscow in December 2016, one month after the U.S. presidential election, and charged with treason. He was convicted in 2019 and sentenced to 22 years in prison after a trial in which Sachkov was a key witness for the prosecution, according to Mikhailov’s defense team, which has accused Sachkov of providing false testimony.

Although the official details of that case haven’t been made public, three people close to Sachkov and Mikhailov say the two men had known and worked with each other for years, including collaborating with foreign governments. Both ultimately provided information to Western officials that helped the U.S. prove Russia’s role in the election hacking, the people say. Those findings led to the sanctioning by the U.S. of top GRU officials and the indictment of 12 of its alleged agents. The FSB didn’t respond to a request for comment on whether Sachkov’s prosecution is linked to Russia’s meddling in the 2016 election.

The alleged treachery by Mikhailov and Sachkov had roots, in part, in a long-running conflict between the GRU and the FSB, which compete for resources and prestige in many areas, including foreign hacking operations, according to three people familiar with the matter.

Crowdstrike Holdings Inc., a U.S. cybersecurity company hired in 2016 to investigate the hack of the Democratic National Committee, pinned that breach and the subsequent leak of confidential internal documents on the GRU, in findings endorsed later by U.S. intelligence agencies. Crowdstrike also found that the GRU and FSB had each hacked the DNC’s servers in independent operations in 2015 and 2016, suggesting competition between the agencies.

The hacking of the DNC’s servers resulted in the whistleblowing organization WikiLeaks publishing about 20,000 private emails just before the Democratic National Convention that chose Hillary Clinton as the party’s nominee for president in July 2016. The documents, which showed efforts by party officials to undermine Clinton’s chief rival for the nomination, Bernie Sanders, forced the resignation of the head of the DNC, Representative Debbie Wasserman Schultz. Clinton has blamed her defeat in the general election by Donald Trump on Russia’s interference. Putin has repeatedly denied that the Russian state has meddled in U.S. elections.

Three people familiar with Sachkov’s case tell Bloomberg that one reason he may have been targeted is that he provided information to Western agencies about Vladislav Klyushin, the founder of another Russian cybersecurity company with Kremlin ties, who was arrested by Swiss authorities at the request of the U.S. in March, after he stepped off a private jet on his way to a skiing holiday with his family.

Klyushin, 41, has been in a Swiss maximum-security detention facility since then, fighting extradition to the U.S. on insider-trading charges. His lawyer, Oliver Ciric, says American authorities want to charge his client with orchestrating the election hacking. He argues that the insider-trading charges were created as a “pretext” to get Klyushin to the U.S. to pressure him to provide information about the operation.

Through his lawyer, Klyushin tells Bloomberg that he doesn’t know why he was arrested in March and not before, saying he traveled freely to Europe before then. He says he doesn’t know whether Mikhailov and Sachkov had offered any information about him and doesn’t know about possible cooperation between Group-IB and Western intelligence services.

Klyushin has a wealth of information about Russian interference in the 2016 election, and his extradition to the U.S. would be very damaging for the Kremlin, two people familiar with the matter say. He owns a company in Russia called M13, whose website states it provides media-monitoring services to the Kremlin, the defense ministry, and other Russian institutions. One of Klyushin’s senior employees—Ivan Yermakov—was among the 12 alleged GRU operatives charged in the U.S. over the election hacking, and he is also a co-defendant in the insider-trading case against Klyushin, according to U.S. judicial documents reviewed by Bloomberg.

For Sachkov, there were danger signs in the final few weeks before his September arrest. He told associates that he’d been warned to not leave the country. According to one person close to him, he feared he’d be arrested. If Russian authorities ever found out the information he’d shared, he allegedly told another person, they would have him killed.

Sachkov’s fate will be decided in a secret trial that his defense team says might not start for 12 to 18 months. He’s being held in Moscow’s Lefortovo Prison, a notorious ex-KGB detention site with a long history of housing political prisoners, known for its harsh conditions and severe rules restricting inmates’ communications. A human-rights ombudsman who visited Sachkov in October says he complained that he wasn’t allowed to send or receive letters and was being kept in an information vacuum.

Afanasyev, Sachkov’s lawyer, said on Nov. 22 that the conditions of his imprisonment had improved. He’s been transferred to a better cell and is now receiving letters, as well as medicine and food meeting his dietary requirements—though as of Dec. 1, he hadn’t received any family visits, Afanasyev said. He also said Sachkov is “giving testimony” to investigators from behind bars.

In a letter he passed to his attorney, Sachkov—whose pretrial detention has been extended for an additional three months, to Feb. 28—appealed to Putin to allow him out of prison under home arrest. “I’m not a traitor or a spy. I’m a Russian engineer,” he wrote, according to Afanasyev.
 

©2021 Bloomberg L.P.