Did a Mole-Who-Must-Not-Be-Named Leak Plot to Elect Trump?

A brave lawyer defending people the Russian government accuses of treason says the case of cyber experts charged with working for the CIA is about the toughest he’s seen.

Photo Illustration by Lyne Lucien/ The Daily Beast

MOSCOW—For the first time in his two decades defending people accused of treason, Ivan Pavlov has come across a case he says he truly has trouble getting his head around. Everything about it is a guessing game for the defense lawyer, including the charges against his client, whose name he is not allowed to mention in public.

Speaking at his office in St. Petersburg, under a photograph of President Barack Obama shaking his hand, Pavlov, 46, explained to The Daily Beast that the arrest in Russia last December of accused cyber spies is heavy with high-profile politics.

“This is a dangerous case for everybody, including the FSB investigators, attorneys and journalists,” said Pavlov.

To get a sense of just how fraught it may be, let us go back to January. By then, allegations by the American intelligence community about Russian meddling in the American elections had been building for several months. President Obama had warned Putin, eyeball to eyeball, to stop. Two reports had been issued publicly by the U.S. intelligence services in October and in December, but in guarded and less than explicit language as America’s spooks tried to protect the methods and especially the sources that had led them to their conclusions.

As candidate and as president-elect, Donald Trump had received several classified briefings in August, November and afterward but, in public at least, Trump rejected the conclusion that Russia had interfered in the election he won, calling it fake news and the work of disgruntled losers.

Then on January 6, two weeks before Trump’s inauguration, the American intelligence community issued a much more explicit declassified report based on a much more detailed classified one pulled together from the coordinated reporting and analysis of the FBI, CIA, and NSA.

The key conclusions fingered Russian President Vladimir Putin directly, and because there’s been so much obfuscation by the White House, not to mention the Kremlin, they are worth repeating at some length:

“We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the U.S. presidential election. Russia’s goals were to undermine public faith in the U.S. democratic process, denigrate Secretary [Hillary] Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. We have high confidence in these judgments ...

“Moscow’s influence campaign followed a Russian messaging strategy that blends covert intelligence operations—such as cyber activity—with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or ‘trolls.’...”

On the specific issues of hacking, as opposed to the broader effort to influence the elections, in late December 2016 the U.S. Federal Bureau of Investigation together with the Department of Homeland Security distributed a report (PDF) that described the core Russian operation known by various aliases including the fanciful names “Cozy Bear” and “Fancy Bear.” The report, updated in February, also noted that one technical tool, a malware program used in the attack, had been created originally by a Ukrainian programmer—potentially a very important point as the plot thickened.

The assessment overall was as damning as such documents can be, and in it the U.S. intelligence community had claimed to know the decision making at the very highest level of the Russian government: Putin himself.

The Russian government denied all the allegations and has never acknowledged officially or unofficially that it was involved in this alleged multifaceted campaign about which the FBI and CIA seem to have no doubt.

But in the meantime any intelligence officer reading a document like the January 6 assessment would surmise that it implicated one or more moles inside the upper levels of the Russian government.

Then, at the end of January, the news broke: Russia’s most secret law enforcement agency had arrested one of its own top officers, and that had happened in the middle of an official meeting. Like a scene out of some Brian de Palma movie, FSB officers grabbed their colleague and put a bag over his head—and afterward they made no effort to keep what they had done a secret.

Two top Federal Security Service officials, Sergei Mikhailov (who’d had the bag over his head) and Dmitry Dokuchayev, both from the FSB cyber intelligence department, were accused officially of state treason for passing confidential information to the CIA, according to the Interfax news agency.

But what sort of information? There was certainly no mention in the Kremlin leaks that these two might have exposed Putin’s direct order to undermine the American elections. Far from it. The crimes described by the news reports in Moscow related to hacking operations with no apparent ties to Trump or U.S. politics.

Also arrested was Ruslan Stoyanov, the head of the cybercrime investigation team at Kaspersky Lab, Russia’s major cybersecurity and anti-virus provider.

And then there was Pavlov’s unnamed client: the Fourth Man.

Now, months have passed, and the office of the U.S. Director of National Intelligence, responding to a query for this story, declined to comment in any fashion about the December arrests in Russia or the status of those who were jailed. Obviously if any of those arrested were indeed working with U.S. intelligence, the American government would not want to confirm that.

After the initial burst of publicity the FSB continues to stay quiet about the details of Pavlov’s client’s charges, and the other three as well, creating a thick curtain of secrecy around the crime. Even for the agency that is the successor of the infamous KGB, that is an unusually long silence.

Pavlov had to sign a gag order before he was allowed to represent his client. Now he and his colleagues, an association of lawyers called Team 29, refer to the Fourth Man simply as “Him.” But Pavlov hints at a world of cyberespionage even murkier and more dangerous than that of spy and counterspy.

“I can tell you something about this case: I believe that the FSB keeps Russia’s top cybersecurity experts under arrest so nobody can interview them, use them—or harm them,” said Pavlov. “It looks like authorities plan to keep the investigation low key at least until after the [Russian] presidential elections next year.”

“If he were not locked in prison, my client could have been murdered by now,” Pavlov said, without elaboration.

The secrecy annoys Team 29, which Pavlov founded in 2015 as an informal association of lawyers and journalists fighting against the Russian government’s increasing reluctance to release information amid fears of traitors and spies.

The name “29” comes from the number of an article in Russia’s constitution that says: “Everyone shall have the right to freely look for, receive, transmit, produce and distribute information by any legal way.”

The lawyers teamed up soon after the FSB ordered the deportation of Pavlov’s ex-wife, American citizen Jennifer Gaspar, “as a threat to national security.”

The reason is a secret.

“My wife worked for the Hermitage museum; I am convinced that the FSB deported her to hurt me, their opponent,” Pavlov said.    

He explained to The Daily Beast why his mission in Russia is so important: “If before Russia’s conflict with Ukraine there were a couple of treason cases a year, now we count up to 15 state treason cases a year,” Pavlov said. “Our job is to educate people about their rights, so not all talented and skillful Russians flee the country.”

For six months, Team 29 has been visiting the Fourth Man at Lefortovo prison, trying to guess from such materials as have been revealed to them how much material remains hidden.

Was their client accused of selling secrets to the CIA or to FBI? Was he a spy helping to hack emails of the Democratic National Committee? That’s a secret.

Meanwhile one of the arrested FSB officers, Dokuchayev, has been indicted in the United States for economic espionage and a massive hacking of Yahoo accounts.

In Russia, many wonder how it is possible that Russia’s leading officials responsible for cybersecurity could have been passing state secrets abroad. The Daily Beast asked Dmitry Artimovich, considered one of the “hacker elite” in Russia and an expert at ChronoPay, a Russian company specializing in online payments. There are not many experts as knowledgeable as Artimovich when it comes to spam, spearphishing, botnets, and other kinds of cyber attacks.

The Daily Beast asked what people like Pavlov’s secret client might have been up to.

Their motivation might have been career growth; the suspects must have shared too much information about Russian hackers with American special services under Obama’s administration, creating an impression that Russia’s hackers are the most dangerous in the world, Artimovich suggested.

Artimovich had his own reasons not to like the kontora, or “the office,” the nickname for the FSB. In 2013, the security service’s cyber department investigated Artimovich for executing a distributed denial of service attack meant to shut down the website of Aeroflot, Russia's major national airline. The programmer was sentenced to two years and six months in a corrective labor colony, and it was a harrowing experience.

“A guy in my cell tried to recruit me for the FSB,” says Artimovich. “He threatened me that otherwise I would not come out of prison, if I do not work with them.” But Artimovich says he turned down the offer.

Now, Artimovich offers alternative explanations regarding the arrests last December. He does not believe the order for the attack on the American democratic institutions was coming from the Kremlin and suggests that is a “myth created by the American special services.”

At a technical level, Artimovich says he is skeptical about the malware described in the U.S. reports. “The virus collecting passwords from only one system cannot be described as a cyber-weapon,” he says.

After Trump won the elections, Russian hackers who had previously traveled freely around Europe started to be grabbed by law enforcement. One example is Pyotr Levashov, who was arrested on a U.S. warrant four months ago in Spain. They were picked up one after another.

Artimovich suggests that Mikhailov and his associates provided data to the U.S. on Russian hackers at a time when there was cooperation with Washington, and that now looked “unpatriotic.”

“In 2010 our company ChronoPay informed the FSB leadership that Mikhailov was passing personal information about Russian citizens to the U.S. agencies, [so] the FSB leadership must have been aware of what Mikhailov’s department was doing, but they did nothing to stop them,” says Artimovich.

“Since the arrests, the entire FSB management has been distant from their case,” says Artimovich.

Sergei Markov, a member of the Russian Public Chamber, thinks that Mikhailov and other suspects were responsible for cyber attacks in the cyber war with the U.S.

“One thing is clear: that the roots of their treason, of their espionage, stretch far beyond Russia’s border,” Markov told The Daily Beast. “This case has a high political price, I do not think we should share any details with Trump’s critics before the [U.S.] elections for Congress [in November 2018],” Markov explained.

Team 29’s strategy is to turn the most absurd cases into a joke, since “the only thing the state system cannot stand is when you laugh at them,” says Pavlov.

Last year the attorney started a campaign in support of his client Oksana Sevastidi, a 46-year-old mother of seven. In March 2016 Sevastidi had been sentenced for high treason by a secret court in Krasnodar for sending two text messages back in 2008 about Russian movements in the direction of Georgia’s breakaway region of Abkhazia.

“It is absurd for a nuclear power to sentence a market vendor for seven years for state treason,” Pavlov told The Daily Beast.

In March, President Putin pardoned Sevastidi.

But by then there was a long line of convicts charged with treason and extremism asking Team 29 to help them.

Recently Pavlov came to Moscow to meet two more women whose freedom he had won. Annik Kesyan and Marina Dzhadzhgava had served several years for treason for sending messages about Russian army movement in 2008. President Putin pardoned Kesyan and Dzhadzhgava, after Team 29 attracted public attention to their cases.

But Pavlov’s cybersecurity treason case is stuck.

The Kremlin has kept denying any intrusion in the U.S. elections and blamed the reports about Russian hackers on Russophobia. Trump in the immediate wake of the January 6 report conceded grudgingly that Russia had interfered in the U.S. elections, but has since gone back to his allegations of “fake news.”

The level of bitterness about this among veterans of counterintelligence like former Director of National Intelligence James Clapper is palpable. Speaking of Trump at the Aspen Security Forum last month, Clapper said, “I sometimes wonder whether … what he's about is making Russia great again.”

President Putin, for his part, has said he believes that U.S. president Donald Trump agreed with Russia’s denial, which would reinforce the idea that Trump is rejecting the conclusions made by U.S. intelligence agencies and choosing to believe Moscow instead.

Irina Borogan, a Russian independent expert on cybersecurity and cyber wars, told The Daily Beast that it is impossible at a technical level to have any exact attribution about the attacks being ordered by the Kremlin.

“The technical expertise identifies general pieces of coding, the methods of the attack, of botnet, hacker groups,” Borogan said. In this particular case, she said, it might be clear that “the attack was ordered by the Russian Federation, but they did not sign: ‘Moscow, the Kremlin.’”

That’s another reason that the positive identification by the U.S. intelligence of Putin as the person who directed the interference in the U.S. elections would seem to be related to human intelligence gathering rather than technical means. But it is also possible that in this dark and dirty game, the four arrested in December were mere scapegoats.

Like many other people in Russia, Borogan, the author of The Red Web about Russia’s attack on internet freedoms, cannot wait to hear what sort of state secrets Pavlov’s client allegedly passed abroad. “We see a uniquely dumb secrecy, which gives us a sense that the suspects are actually not guilty of treason,” Borogan told The Daily Beast.

Spencer Ackerman and Christopher Dickey also contributed to this article.