As Air Force One touched down in Brussels last year for Donald Trump’s disastrous first meeting with America’s NATO allies, one of the Russian military hackers who helped put Trump in office was at a conference center in Moscow, surrounded by Russia’s top hacking talent, and likely on the prowl for new recruits.
The event, called “Positive Hacks Days,” is an annual computer security conference run by the respected Moscow-based firm Positive Technologies. Like other hacker cons it’s a mix of deep technical presentations and late-night parties, with some contests, workshops, and drinking games thrown in.
In 2017, the event’s sixth year, the theme of the two-day gathering was "The Enemy Inside.” The conference featured a competition called “The Standoff” that saw dozens of hackers working in teams to cripple a simulated metropolitan city, attacking its telecom infrastructure, rail lines and electrical grid.
For some attendees, that exercise—an echo of the coordinated cyber attacks on Kiev five months before—must have felt like just another day at the office.
A review of online registration records for Positive Hack Days reveals the conference as one of the few venues where indicted members of Russia’s “Fancy Bear” hacking team have left public traces of their existence outside the halls of Russia’s Main Intelligence Directorate, the GRU.
“Either they went there to recruit, or they went there to learn,” said computer security expert and author Bruce Schneier. “My guess is it’s a combination of both.”
In 2017 the conference was attended by one Anatoliy Sergeyevich Kovalev, who listed his affiliation as Moscow State Technical University. The university has an economics professor with the same first and last name, but a different patronymic. The name is an exact match, however, for a defendant charged in the election interference indictment as a military officer in the GRU’s Unit 74455.
Six months prior to the conference, Kovalev was busily deploying malware and conducting reconnaissance against the U.S. election infrastructure, according to Mueller. He posed as an election systems vendor to send over 100 malware-laced emails to officials in multiple counties throughout the swing-state of Florida. Before that, in July 2016, he stole 500,000 voter records from a state board of elections office, likely Illinois. And in October that year, according to Mueller, he probed county election office systems in Georgia, Iowa, and Florida looking for vulnerabilities as the election drew near.
To catch Positive Hack Days at its moment of peak John le Carré, you have to roll back the clock to well before the election, back to the Spring of 2014, a time when Fancy Bear was known primarily for intrusions in Eastern Europe.
Held that year in a technology complex and event center called Digital October about a mile from the Kremlin, the 2014 attendee list included two of the GRU officers charged with breaching the Democratic National Committee, as well as two other key figures in Russia’s intricate web of cyber intrigue.
Pavel Vyacheslavovich Yershov was one of the attendees that year. A GRU officer by that name is charged in Robert Mueller’s indictment with conspiracy, identity theft and money laundering for allegedly configuring Russia’s notorious X-Agent malware for the DNC intrusion, and provisioning the covert infrastructure used to funnel the Democrats’ emails back to Moscow, before they were handed off to Wikileaks for publication.
Yershov’s boss, according to the indictment, was one Dmitriy Sergeyevich Badin, a military officer in the GRU’s Unit 26165 who served as the Assistant Head of Department for Russia’s geopolitical hacking operation. A man by that name also attended the Positive Hacks Days conference in 2014. (Badin’s attendance was first reported by Radio Free Europe). Neither Yershov nor Badin listed an affiliation when they registered. Badin came back in 2015.
People who’ve attended Positive Hack Days describe it as a slick, well-managed affair that grew from a small corporate event of about 500 people to an electric mix of thousands of suits and hardcore security hackers, mostly from within Russia. “The first one of these in 2011, it was held in a nightclub with a glass floor and lights coming on from underneath,” said security engineer Tyler Nighswander. “It was well put together.”
Nighswander led a competitive hacking team from Carnegie Mellon University called Plaid Parliament of Pwning (PPP). Positive Technologies invited the team to Moscow to participate at the conference’s Capture the Flag competition, in which participants try to crack each other’s servers and ward off attacks from their opponents. In the inaugural 2011 event, PPP won the first-place prize of $5,000—in $100 bills.
“They literally handed you cash,” said Nighswander. “It was in a briefcase with a tiny envelope flopping around.”
The 2014 conference was the last attended by Nighswander and the CMU team, in part, he said, because the organizers stopped paying for the team’s transatlantic flights, and in part because it just started to feel like a bad idea “with all the news of Russian hackers.”
Bruce Schneier keynoted Positive Hack Days in 2012, and he recalls that event as a “standard hacker conference” with some nice touches. “The neatest thing they had was a dumpster diving competition,” said Schneier, an adjunct lecturer at Harvard Kennedy School. “They had this giant Plexiglas dumpster, and you’d dive inside and look for stuff. And I’m pretty sure they had an ATM machine available for hacking.”
But security conferences, wherever they’re held, are a logical recruiting ground for intelligence agencies, Schneier noted. In 2012, then-NSA chief Gen. Keith Alexander donned jeans and a black tee shirt to deliver an overt recruitment pitch in a memorable keynote at the Def Con convention in Las Vegas.
So it’s no surprise that the GRU’s offensive hacking team would show up at Positive Hack Days. Nor were they the only alleged spies at the conference. Another registered attendee in 2014, Ruslan Stoyanov, headed the investigations team at Kaspersky Lab, the controversial Russian cyber security firm whose products were recently banned from U.S. government networks.
In December 2016, Stoyanov was one of four men arrested by Russia’s FSB, the successor agency to the KGB, and thrown in prison on charges of treason. Even now the details remain murky, but according to Russian media reports the men are accused of passing information to U.S. officials.
Two other defendants in that treason case are FSB officers. One of those officers, Dmitry Dokuchayev, was also indicted in the U.S. last year in connection with a multi-year-long intrusion at Yahoo beginning in early 2014. Dokuchayev may have been too busy with the FSB’s king-sized hack of Yahoo to make it to the 2014 Positive Hack Days, but he was a registered attendee the following year.
There was one final figure in this stew of state-sponsored espionage and geopolitical gamesmanship. A young security researcher named Alisa Andreevna Shevchenko, who was one of the Russians sanctioned by the Obama administration in retaliation for the GRU’s 2016 election interference campaign.
Shevchenko, sometimes known as Alisa Esage, ran a boutique cybersecurity firm called Esage Lab, and later ZOR Security, an acronym for “Digital Weapons and Defense.” She delivered an hour-long talk at the 2014 conference detailing her experience with an arcane semi-automated research method called “fuzzing” that, properly done, can rapidly locate software security holes.
Aside from being one of the few women hackers at the conference, Shevchenko stood out for a bravura performance in a Positive Hack Days completion called Critical Infrastructure Attack, a precursor to 2017’s full-on city sabotage contest.
A toy village served as centerpiece of the competition, with a model train running a circuit around tiny roads, street lights, a robotic construction crane, and two nuclear power plant cooling towers. Undergirding the toy town was a very real industrial control system, built from the same hardware and code found in factories, electrical substations and real nuclear plants in Europe and the United States.
The goal of the competition was to discover previously-unknown vulnerabilities, “zero days” in the parlance, and report them to the vendors so they could be fixed. By the end of the contest, Shevchenko had uncovered multiple zero days in industrial control software made by the European multinational Schneider Electric, a major supplier whose products are embedded in control systems around the world.
Shevchenko won first place. In a press release, Positive Technologies dubbed her “the Russian Lisbeth Salander,” after the eponymous anti-hero in The Girl With the Dragon Tattoo, and Shevchenko enjoyed a celebrity turn in the Russian media, including a profile in Russian Forbes. When Schneider Electric issued advisories and software patches for the security holes nearly a year later, the U.S. Department of Homeland Security publicly thanked Shevchenko for uncovering and reporting the bugs.
That history made it all the more puzzling when, in December 2016, Shevchenko’s small company appeared on the list of Russian entities sanctioned over the election interference. Others on the list included the top brass at the GRU, and known criminal hackers from the Russian underground already wanted in the U.S. for conventional cybercrime. The only explanation given for the inclusion of Shevchenko’s ZOR security was the terse assertion that the firm “provided the GRU with technical research and development.”
In press interviews and on Twitter, Shevchenko insisted she was baffled by her inclusion. “My company never worked with the government,” she told a Forbes reporter. “It never had the necessary licenses to do so in the first place. And I personally tried to stay as far away as possible from anything remotely suspicious, as I'm naturally a cosmopolitan person, and an introverted single woman. I wouldn't want any job that would put me in danger or restrictions."
To this day, U.S. officials haven’t said why they believe Shevchenko worked with the GRU’s hackers, or what she allegedly gave them. (Shevchenko didn’t respond to inquiries from The Daily Beast for this story.) But now we know she was at the same place at the same time as the GRU official who managed the computer intrusions that helped upturn the global order, not to mention one of the hands-on-the-keyboard hackers who made it happen.
Whether that means anything or not is unclear. In a conference with 2,000 people, it’s possible Shevchenko never even met Badin and Yershov, regardless of how it looks from the outside. Appearances can be deceiving, nowhere more so than a hacker conference.
“The weirdest thing is, they gave me this beautiful leather steampunk external hard drive, leather bound with knobs and dials,” said Schneier. “It looked fantastic. I’ve never plugged it into anything.”