Home Source code Arrested Russian hacker Pavel Sitnikov seeks to open a new chapter

Arrested Russian hacker Pavel Sitnikov seeks to open a new chapter


Editor’s note: In December 2020, The Record released a interview between Recorded Future’s Dmitry Smilyanets and Russian hacker Pavel Sitnikov about ransomware, cybercrime and his self-proclaimed connection to notorious hacking group APT28, or Fancy Bear.

Since then, Sitnikov’s fortunes have changed: he was stopped last May by Russian authorities, who accused him of spreading malware through his Telegram channel called Freedomf0x. His home was raided and he faced up to five years in prison for allegedly sharing source code for the banking trojan Anubis on Freedomf0x.

Sitnikov, who says “everything ended well” for him after paying a fine, spoke with Smilyanets about the incident and how he is navigating a new career in the legal cybersecurity industry. “My life after the end of the trial, which lasted a whole year, has fundamentally changed,” he said. The conversation was conducted in Russian via Telegram and was translated into English with the help of linguists from Recorded Future’s Insikt group. The interview below has been lightly edited for clarity.

Dmitry Smilyanets: Pavel, not much time has passed since our last interview, but some events have happened since then that I really want to understand. I will start with the most important question. In May 2021 you were arrested and a few months ago you were sentenced under article 273 of the Criminal Code of the Russian Federation [covering the creation, use and dissemination of harmful computer viruses]. Tell me in detail what happened.

Pavel Sitnikov: Cheers! Early in the morning of May 20, 2021, six agents of the Moscow Criminal Investigation Department and FSB employees of Velikoluksky [Federal Security Service] office came to my apartment. I was anticipating this turn of events, because I had been warned by some people I know six months before.

The officers read the arrest warrant for my arrest and further search. The mandate read as follows: [they were investigating me for] distribution of Anubis malware. It really surprised me. During the search, and talking to them, they made it clear to me that they were here for a totally different reason, and [the accusation of the Anubis distribution] was only a pretext for my arrest.

They said that my case was being handled by the highest level and was related to a leak of personal information of COVID-19 patients in Moscow from the Department of Information Technology (DIT) of the Moscow Mayor’s office. Then I was taken to Moscow to the Main Investigative Department, where they interrogated me all day until night. This is how I celebrated my 39th birthday.

DS: You were then summoned for questioning after the Group-IB offices were searched. How does the IB Group situation affect you?

PS: They called me for an interrogation, but it wasn’t an interrogation, they just asked me to sign some stupid paper. It seemed to me that it was specially intended for the media; ) Several of our media wrote about me about this problem the day I was called. I was proudly silent because I didn’t really understand why they needed me, they didn’t explain to me on the phone and they didn’t explain to my lawyer either.

DS: How did this story end with the DIT Moscow database? Have the culprits been punished?

PS: Everything ended well for me, I did not harm anyone by my actions (according to Article 273 of the Criminal Code), and I was simply fined. All that to say, I’m not a criminal; ) Regarding the leak of the DIT [database]no one has been punished and never will be!

DS: How has your life changed since the verdict? And in general, how is it even possible that you were arrested – I thought Fancy Bear was above the law? It looks like you’re either not a “real bear” or you’re very guilty of something.

PS: My life after the end of the trial, which lasted a whole year, fundamentally changed. I changed my mind about my previous actions. Now I have my own cybersecurity company, I work strictly legally “in white [hat]field. I no longer have to prove anything to anyone like I used to, using radical methods of transmitting information. Regarding the allegation that I am considered a member of Fancy Bear: This was in 2016, the first time I came out of the shadows I was invited to meet hackers from Moscow DC [DEF CON]. At the meeting, from the start, we decided that at the conference, I would be introduced as “the one” from Fancy Bear who hacked Hillary Clinton. I accepted, it was fun.

Then I changed all my forum and social media profiles to appear affiliated with APT28. After a short time, other foreign intelligence agencies started to believe it, and many people from abroad contacted me. I maintained my reputation because there was this thought at the conference that I was part of the dreaded APT28 group, but deceiving virtually every intelligence community in the world was absolutely unbelievable. And that’s how this story was born : )

Sitnikov at the event where he was featured as a Fancy Bear affiliate.

DS: An interesting report came out recently that clearly links you to ZERODAY TECHNOLOGIES (0DT) LLC and their product, Fronton. Are you in botnets now? [Editor’s Note: The report describes the company’s ties to the Russian government and criminal underground groups. Nisos, the company behind the report, said: “We assess that [Sitnikov] probably has a deep understanding of the functionality of the Fronton framework. »]

PS: When my trial started, I was officially unemployed. My lawyer recommended that I get a job because it is a plus in the eyes of the court. During the first month after my arrest, the head of 0DT LLC, Ruslan, contacted me and offered all kinds of help. I applied to be employed, on the condition that for the duration of the trial I would simply be listed as an employee and could only provide consulting services. As for the Fronton system, everything happened long before me. From what I know, the Fronton development is a cover for the security forces to “sip” money from the budget. Almost immediately after my conviction and the lifting of restrictions on my freedoms and certain actions, I left 0DT LLC and started my own cybersecurity company.

DS: Your Freedomf0x Telegram channel has more than 30,000 subscribers, what do you hope to achieve by leveraging this channel??

PS: I gave the Freedomf0x channel to an unknown actor a few years before my arrest. But I’m still a content ideologue – I just write my thoughts in information security discussions, Freedomf0x admins constantly monitor all of this and adhere to my opinion. The channel was created for the Russian public because not everyone can afford to pay for the material that is published. [the channel posts paywalled material that its users can access].

DS: What are you currently working on?

PS: Now I am trying to understand how the legal information security industry works in Russia. My first impression is that nobody needs anything here until they get fucked. I develop several projects; one is a project related to protest software (exposing vulnerabilities in open source) and a project related to AML (anti-money laundering) in cryptocurrency. I am really looking forward to the first contract in order to pay for the licenses of the FSTEC FSB [the Russian Federal Service for Technical and Export Control, FSB arm], without them many things cannot be done. I have a large pool of different specialists. In the future, I plan to get into Red Team development [offensive security] tools. Right now in Russia everything is on standby, we are surviving, so to speak!

DS: Pavel, I want to know your opinion on military operations in cyberspace. We see dozens of groups on both sides of the conflict in Ukraine. What group do you belong to?

PS: In my opinion, it’s not a war, it’s a conspiracy! Groups on both sides are just propaganda for the media! I don’t know how it is with information security in Ukraine (in a past life I remember it was very bad), but in Russia they are deplorable, if it’s a real war, so let’s say all of Moscow’s critical infrastructure can be laid within 24 hours; )

“I’m trying to understand how the legal information security industry works in Russia. My first impression is that nobody needs anything here until they get fucked.

—Pavel Sitnikov

A few years ago, my friend and I conducted a study, and during one night we penetrated almost all critical nodes of the Moscow network, without touching anything. On both sides, they are children, easily manipulated not by money, but by notions of patriotism, nationalism, and other -isms: ) They are supervised by ideologues from the special services. One thing I can say to these young people: “all this will end one day, but the traces will remain, think about it! I, and many colleagues in the field, are neutral on everything that’s going on, we’re waiting for this shitshow to end.

DS: Are KillNet or XakNet serious threats to the global community? Or are they skids? Who directs them?

PS: Killnet, Xaknet and the others, as I said above, are a front for major world changes. Yes, the majority of them are children, but there are also professionals. They can pose a threat, but they will never use it. They are again led by groups of ideologues, political scientists and propagandists of the special services.

DS: How has Ukraine’s digital infrastructure suffered over the past three months? And in Russia?

PS: As for Ukraine’s digital infrastructure, honestly, I don’t know. I don’t think he suffered more than before the war. In Russia, everything was attacked before the war, it’s just that now everything is published openly to everyone.

DS: Are there enough information security specialists in Russia to successfully repel many attacks against the Russian Federation’s digital infrastructure?

PS: All the information security we have is designed to “sip” budgets and I’m more than sure that will never change. But even if 1,000 specialists remain in Russia, with proper treatment and proper funding, everything will be fine.

DS: Recently, the Conti ransomware group attacked Costa Rica, after which the President declared a state of emergency in the country. Why do you think this act of cyberterrorism was committed against a sovereign state?

PS: Conti is supervised by serious guys in power. An act of vandalism with Costa Rica again serves as a cover for important events in the global redistribution of spheres of influence! This is all straight out of the “Conducting Sabotage Activities” manual; )

DS: Will we see more coordinated cyberattacks against countries?

PS: On the Russian side, you will not see them. It’s as they say in the “kitchen”, these groups serve as “APT [advanced persistent threat group] mix”. They [APT groups] will be covered in ransomware and thieves.

DS: Do you want to tell me a secret?

PS: Yes, I always dreamed of serving in the special services, but they did not take me because I am a mess and a tyrant. But everyone still thinks I’m a lieutenant colonel in the FSB : )

A mission-oriented, Russian-speaking intelligence analyst with a type A personality. Dmitry has twenty years of experience and expertise in cybercrime activities, including as a former member of an elite hacking organization based in Russia.