Russian Tech Firm Holds Hacking Conference Amid U.S. Sanctions

Firm continues to identify security vulnerabilities with U.S. companies after being sanctioned and is pushing for import substitution in the Russian tech sector

The Positive Hack Days conference, seen here in 2018, went forward despite U.S. sanctions on its organizer. (Source: Positive Hack Days)

By Abigail Buhrman

Wednesday, June 2, 2021

The show went on at a large international information security conference despite its organizer falling under U.S. sanctions for assisting Russian intelligence services with malicious cyber operations.  

Positive Hack Days, held annually in Moscow, marked its 10th anniversary last month with roundtables, presentations from security experts, master classes and hands-on workshops. At the center of the multi-day event is a 30-hour cyberbattle called The Standoff that pits two teams against each other in a mock hacking incident involving model infrastructure. The best teams are awarded special prizes, such as an all-expenses-paid trip to watch and meet one of Russia’s premier auto racing teams.

The model city used for The Standoff, the main event of the Positive Hack Days conference. (Source: Social media)

In this year’s Standoff, the attacker side “dealt severe blows” to all the companies in the model city, leading to a power outage triggered by a hack into a substation, disruption of oil production and the fall of a container onto a barge, according to a press release from the event.

FSB Facilitator: A month before the conference, the U.S. Treasury Department sanctioned Positive Technologies, the event’s organizer, for providing support services to the Federal Security Service (FSB) and other Russian government clients. Positive Technologies was designated under a broad new executive order signed April 15 by President Joe Biden to counter actions by the Russian government and its intelligence services, the White House said in a fact sheet. Five other organizations operating in the technology sector were also sanctioned for their support of Russian intelligence, the Treasury said.

Following the designation, Positive Technologies issued a statement on its website calling the U.S. claims “groundless.” The company also sent an open letter to the research community, thanking them for their support. Yuriy Maksimov, the majority owner and director general of Positive Technologies, said in an extensive interview in early May with the Russian media outlet RBC that he preferred to think of the sanctions as “a mistake.”

“Any organization can buy our product, and it is simply illegal to restrict these opportunities in the territory of Russia for individual organizations (including government or law enforcement agencies),” Maksimov said. “The desire to be invulnerable to accusations of cooperation with the special services when playing in the international business arena just makes Russian companies be very, very careful.”

Large-scale conventions hosted by Positive Technologies act as recruiting grounds for Russian intelligence services, the Treasury said at the time it imposed the sanctions. Though the Treasury did not name Positive Hack Days, The Daily Beast published an investigation in 2018 about a number of the event’s previous participants, some of whom were exact name matches to Russian intelligence officers. 

IPO plans press ahead: The company is pressing ahead with plans for an initial public offering (IPO) next year, executives told Reuters at the most recent Positive Hack Days conference. Managing Director Denis Baranov said the company wrote to the Treasury to lay out the company’s opposition to the U.S. sanctions, but it hadn’t as yet heard a response, Reuters reported.

Positive Technologies was founded in the early 2000s by Yuriy Maksimov, his brother Dmitry — who wrote code for the company’s first product, the vulnerability scanner XSpider — and his friend Evgeniy Kireev. Both Dmitry Maksimov and Kireev maintain minority ownership stakes in Positive Technologies through a holding company. The holding company also owns two other firms in Russia and Kazakhstan, both named Positive Technologies.

The sanctioned Positive Technologies produces a suite of information security software of its own, such as network traffic analysis software, firewall software and malware detection scanners; it also offers to conduct security assessments, forensic investigations and penetration testing for its clients. 

Software patcher for U.S. and EU Industry: The company also has identified and fixed more than 250 vulnerabilities in products from large U.S. and European manufacturers, according to its website. In 2020 alone, Positive Technologies found more than 18,000 vulnerabilities in software of various manufacturers, the company said on April 20 in a retrospective covering 2019 through early 2021. Industrial sector companies faced a 91 percent increase in attacks in 2020 compared to a year earlier, most involving variants of ransomware, the company said in a report released Wednesday.

On its website, Positive Technologies names a number of U.S. and Western firms as its technology partners, which the company says gives its researchers access to unique hardware, software and resources in exchange for improving product security. 

Despite the sanctions, Positive Technologies last month announced that it had identified vulnerabilities in hardware firewalls and a cloud costing analysis product manufactured by two large U.S.-based firms. Both U.S. companies issued their own advisories about the vulnerabilities and released updates to address them, acknowledging the work by Positive Technologies employees in their statements. 

Another U.S. software firm, which fixed a vulnerability identified in one of its products by Positive Technologies in March, published information on how to add a scanner made by the Russian company to the patched product, a cached version of the U.S. firm’s website shows. The information had been removed from the U.S. company’s website as of this writing.  

Maksimov said in the interview with RBC that the sanctions “do not directly affect” their business, as the Russian, European and U.S. business lines have already been separated commercially; he noted that the U.S. business amounted to “practically zero.” “Each line has its own set of services and products, its own development,” he said. “Only one legal entity from a group of companies in Russia fell under the sanctions … Thus, we can work with our partners without the participation of our sanctioned legal entity.” 

Positive Technologies has affiliated companies in Switzerland and the U.K., corporate records show. Positive Technologies Holding AG, a Switzerland-based cybersecurity provider for the telecommunications industry, was “spun out” from the telecom division of Positive Technologies in 2019, its website said. Though it is unclear whether the parent was the sanctioned Positive Technologies in Russia, there is overlap among the current and former leadership of both the sanctioned Positive Technologies and the Swiss firm, according to a Kharon review of its website and employee social media accounts.

Both Yuriy Maksimov and his friend Kireev have loaned millions of pounds in recent years to PT Global Solutions Ltd, the U.K. company’s 2019 disclosures show, enough to ensure the company “has adequate resources to continue its operations for the foreseeable future,” according to the disclosures. PT Global Solutions is ultimately owned by Positive Technologies Holding, records show.