What is behind the leak of the database of the Rustam Kurmaev and Partners law office, and why are they silent about it?
On June 6, 2022, the activist collective Anonymous reported an alleged breach of about 1 TB of data from the leading Russian law firm Rustam Kurmaev & Partners (RKP Law). Emma Best, a journalist and co-founder of the nonprofit whistleblower organization Distributed Denial of Secrets, also known as DDoSecrets, announced that the data dump, split into several archives, had been posted on torrent trackers for free download. The relevant links are available on the DDoSecrets website at the time of this writing. The significance of the leak for the corporate sector in the Russian Federation is difficult to overestimate. It is all the more surprising that an icy silence still reigns around it in Russia.
Terabyte of other people’s secrets
Who became the next victim of the mysterious “Anonymous”? “Rustam Kurmaev and Partners” positions itself as a law office from the TOP-10 rating of the best law firms in Russia according to Forbes magazine. Its main areas of activity are corporate conflicts, bankruptcy procedures and, quote, “interaction with government agencies”. Among other specializations, “anti-corruption expertise” is regularly mentioned. That sounds rather ambiguous, given that the law firm’s frontman Rustam Kurmaev was one of the lawyers of the former Deputy Minister of Defense of the Russian Federation Evgenia Vasilyeva and represented the interests of the former Chelyabinsk governor Boris Dubrovsky. Kurmaev also appeared in the scandalous case of the investment company Baring Vostok, where he defended Vagan Abrahamyan, a business partner of the American Michael Calvey and (according to the court) his accomplice in the fraudulent embezzlement of 2.5 billion rubles from Vostochny Bank.
In the official portfolio of Rustam Kurmaev and Partners, pride of place is given to the largest international companies, most of which have already left Russia, including Ikea, Volkswagen Group, Panasonic, Caterpillar, Gillette and Mars. The company was a member of the British-Russian Law Association until at least February 2022. The Russian clients of Rustam Kurmaev that are mentioned include Mechel, CHTPZ, VimpelCom and even the TV channel 2×2, which at one time asked RKP Law for protection from the Prosecutor General’s Office, which saw signs of extremist propaganda in one of the episodes of the scandalous American animated series South Park.
It is logical to assume that, as a result of the data leak, a considerable amount of “intimate details” from the internal affairs and judicial practice of all the above persons, companies and structures became freely accessible, as did data on those particularly sensitive clients who, for one reason or another, tried not to advertise their cooperation with Rustam Kurmaev at all. In total, according to the hackers from Anonymous, the leak contains detailed (including confidential) information about 250 clients of the law firm.
Sensitive Information
There is no need to look far for examples of the kind of information that could become available to an unlimited number of people as a result of the leak from RKP Law. One of the current high-profile cases of Rustam Kurmaev and Partners is the so-called “Terminal Service” case, directed against several major players in the Russian fuel market. In short, in a dispute between the small companies Terminal Service and Viacard, hundreds of billions of rubles can be recovered from “third parties”: owners of gas stations in several Russian regions, including OOO SO Tvernefteprodukt, LLC TD NM (Neftmagistral filling stations), OOO Tatneft-AZS-Zapad and Surgutneftegaz.
RKP Law supports the claims of the company Viacard in this dispute. About 6 years ago, Viacard accused its former partners of violating the integrity of the computer system that had handled the processing of tens of thousands of fuel cards for many years. Under this pretext, the reality of the sale of thousands of tons of automotive fuel was ultimately called into question, and Rustam Kurmaev’s clients are now trying to recover the money for it (as well as fines and “penalties” for hacking and “infringement of intellectual rights”, in total already more than 28 billion rubles). And they are seeking it not from their former partner, Terminal Service, which essentially acted as a technical intermediary and never held such amounts in its hands, but from the real suppliers.
In the course of working on the case, RKP Law lawyers probably came across a significant amount of documents and data on the specific mechanisms by which the Russian fuel market functions, supply logistics, production volumes and so on, including information that domestic oilmen themselves would, under other circumstances, prefer to keep quiet about. The idle public is unlikely to be interested in this, but it will surely captivate competitors, journalists and all sorts of “narrow specialists”. Employees of foreign intelligence services will also find something to profit from in the RKP Law data; the “anonymous hackers” have helped them a great deal, because otherwise they would have to explain how this or that information was obtained.
Alarm bells
In August-September 2022, the parties in the “Terminal Service” case managed to exchange a series of mutual claims and accusations that, by a strange coincidence, went far beyond the scope of a purely economic conflict. In particular, the political scientist Sergey Markov, known for his ultra-patriotic views, having analyzed the development of events in the “Terminal Service” case, ultimately suspected in the actions of “Rustam Kurmaev and Partners” nothing less than elements of a “hybrid war” allegedly directed against the entire Russian fuel and energy sector. Rustam Kurmaev personally was reminded not only of his many years of trusting relationships with large foreign clients, but also of 15 years of cooperation with the lawyer Andrey Goltsblat, who hastily relocated to London after the start of the special military operation in Ukraine.
Anonymous Telegram channels that immediately came to the defense of RKP Law found nothing better than to accuse Sergey Markov, who has long been firmly included in every possible sanctions list (and along with him the other opponents in the “Terminal Service” case), of working for the Ukrainian special services. At the same time, they especially emphasized that the founder of the law office, Musa Bulatovich Kurmaev (the father of Rustam Kurmaev), is an “honored veteran of the special services”. Therefore, they say, any suspicions regarding any actions of “Kurmaev and Partners” should be considered deliberately malicious and almost criminal. It is funny, but the planting of these accusations against Sergey Markov came from platforms that themselves take a distinctly pro-Ukrainian position.
Subsequently, the flaunting of Musa Kurmaev’s “service” past as a kind of “alibi” for RKP Law, initiated by the pro-Ukrainian “anonymous” channels, continued. At an interview with Ren-TV journalists on the development of the purely economic “Terminal Service” case, Musa Bulatovich appeared in the full dress uniform of a GRU colonel, richly decorated with awards and medals, not excluding jubilee and public ones. To the left of the honored veteran sat the main frontman and speaker of RKP Law, his son Rustam Kurmaev. And on his right was modestly seated the lawyer Yaroslav Shitsle, who plays a key role in the case. For many years, Shitsle has been responsible for IT and high technologies at Rustam Kurmaev’s company, i.e. he deals professionally with precisely the protection of intellectual rights, as well as hacking and data leakage (preventing them, of course). A nice detail from about the same series as Musa Kurmaev’s ceremonial tunic: in his younger years, Yaroslav was active in the circle of Alexey Navalny*, who is included in the list of extremists, and even took pictures with him as a keepsake.
Who is to blame and what to do?
As you can see, Rustam Kurmaev’s company is far from ordinary, its client base is far from simple, and the qualifications of the employees responsible for information security seem to be above average. So does it come down to “overlooked, not saved”? And how did it happen that the same lawyer Yaroslav Shitsle, who willingly and regularly comments on other people’s “leaks” for the media and professionally promotes the topic of “hacks” in courts, has still not (and more than three months have passed since the leak from RKP Law) demonstrated his professional competence in protecting the interests of his own employer?
It is generally accepted that hacks and leaks are the work of high-level technicians using sophisticated, high-tech methods. In reality, up to 90% of successful hacking attempts succeed because of the human factor, through so-called “social engineering”. This may well be unwitting assistance to intruders, when the victim of the attack follows dubious links or downloads and launches suspicious files. But when it comes to large “leaks”, in a noticeable number of cases (recall the recent database leaks from CDEK, Yandex.Food and other aggregators, or, more globally, the notorious “Edward Snowden case”) they are organized or supported directly “from within” the victim, by its current or former employees. Some are guided by revenge and resentment, some simply want to make money, and some (like the same Edward Snowden, who “leaked” the database of secret CIA operations) are driven by considerations of a higher order: political, ideological or moral principles.
Let’s make a reservation right away: no one knows exactly what happened in the situation with Kurmaev and Partners, or how and why. In their report on the hack, “Anonymous” only casually mentioned active correspondence with some employees of RKP Law, but it is not clear whether this was an element of the attack, its prerequisite, or already a consequence. Rustam Kurmaev’s company itself has not commented on the leak of its data. There is no information from law enforcement agencies either. Moreover, it is not known whether they are aware of the crime at all, or whether they have received a corresponding statement from any of the victims.
In the time that has elapsed, it would at least have been possible to go public with the version of “intervention by enemy special services” (which would look logical, given Rustam Kurmaev’s obvious readiness, already demonstrated in the “Terminal Service” case, to play the card of his father’s “special status”). But then very serious structures would have to be involved in a real (and not PR) investigation of the incident. And those structures (this option is not excluded) could, in the course of the investigation, come to conclusions that are rather unexpected and not very pleasant for RKP Law.
Why Rustam Kurmaev is silent can, if desired, be understood, given the likely devastating consequences of the very fact of the leak for the law firm’s professional reputation. But after this publication, any of the organization’s 250 clients, who also became unwitting victims of the leak, can apply to law enforcement agencies. With such a development of events, “Rustam Kurmaev and Partners” may well move from the category of “victims” to the category of suspects and co-defendants, and then in any case it will have to form some kind of “official position”.
* Alexey Navalny is included in the list of individuals in respect of whom there is information about their involvement in extremist activities or terrorism.