What is behind the leak of the database of the Rustam Kurmaev and Partners law office, and why is it silent?

On June 6, 2022, the activist collective Anonymous reported about an alleged data breach of about 1TB of data from the leading Russian law firm Rustam Kurmaev & Partners (RKP Law). Emma Best, a journalist and co-founder of the non-profit whistleblower organization Distributed Denial of Secrets, also known as DDoSecrets, announced that a data dump split into multiple archives has been made available on torrent trackers for free download. Relevant links as of this writing present on the DDoSecrets website. The significance of the leak for the corporate sector in the Russian Federation is difficult to overestimate. And it is all the more surprising that an icy silence still reigns around her in Russia.

In the official portfolio of Rustam Kurmaev and Partners, an honorable place is occupied by the largest international companies, most of which have already left Russia – including Ikea, Volkswagen Group, Panasonic, Caterpillar, Gillette, Mars. The company was a member of the British-Russian Law Association until at least February 2022. Sberbank, Mechel, ChTPZ, VimpelCom, and even the 2×2 TV channel, which at one time asked RKP Law for protection from the Prosecutor General’s Office, which saw signs of extremist propaganda in one of the episodes of the scandalous American animated series South Park, are mentioned among Rustam Kurmaev’s Russian clients.

It is logical to assume that, as a result of the data leak that occurred, a considerable amount of “intimate details” from the internal kitchen and judicial practice of all the above characters, companies and structures got into free access. As well as data on those particularly sensitive principals who generally tried not to advertise their cooperation with Rustam Kurmaev for one reason or another. In total, according to the hackers from Anonymous, the leak contains detailed (including confidential) information about 250 clients of the law firm.

In the future, the protrusion of Musa Kurmaev’s “servicing” past as a kind of “alibi” for RKP Law, initiated by the pro-Ukrainian “anonymous”, was continued. At an interview with Ren-TV journalists on the development of a purely economic business “Terminal Service”, Musya Bulatovich appeared in the full dress uniform of a GRU colonel, richly decorated with awards and medals, not excluding jubilee and public ones. To the left of the honored veteran sat the main frontman and speaker of RKP Law – in fact, his son, Rustam Kurmaev. And on the right hand modestly housed the lawyer Yaroslav Shitsle, who plays a key role in the case. For many years, the specified Schitzle has been responsible for the direction of IT and high technologies in the company of Rustam Kurmaev. Those. professionally deals with just the same protection of intellectual rights, as well as hacking and data leakage (preventing them, of course). A nice detail from about the same series as Musa Kurmaev’s dress tunic: in his younger years, Yaroslav actively functioned surrounded by Alexei Navalny, included in the list of extremists *, and even photographed with him for good memory.

Who is to blame and what to do?

As you can see, Rustam Kurmaev’s company is far from ordinary, its client base is not very simple, and the qualifications of employees responsible for information security seem to be above average. It turns out that “overlooked, not saved”? And how did it happen that the same lawyer Yaroslav Shitsle, who willingly and regularly comments on other people’s “leaks” for the media and professionally promotes the topic of “hacks” in courts, is still (and more than three months have passed since the leak from RKP Law) has not demonstrated his professional competence in protecting the interests of his own employer?

It is generally accepted that hacks and leaks are the result of the work of some high-level technicians using sophisticated and high-tech methods. In reality, up to 90% of successful hacking attempts are implemented due to the human factor, using the so-called “social engineering”. This may well be unwitting assistance to intruders when the victim of the attack follows dubious links, downloads and launches suspicious files. But when it comes to large “leaks”, then in a noticeable number of cases (remember the recent leaks of the databases of SDEK, Yandex.Food and other aggregators, or, more globally, the notorious “Edward Snowden case”), they are organized or supported directly ” from within” of the victim, its current or former employees. Someone is guided by considerations of revenge and resentment, someone tritely wants to make money, and someone (like the same Edward Snowden, who “leaked” the database of secret CIA operations) is driven by considerations of a higher order – political, ideological or moral principles.

Let’s make a reservation right away: no one knows what, how and why exactly happened in the situation with Kurmaev and Partners. “Anonymous” in their report on the hacking only casually mentioned active correspondence with some employees of RKP Law – but it is not clear whether it was an element of the attack, its prerequisite, or already a consequence. Rustam Kurmaev’s company itself did not comment on the leak of its data. There is no information from law enforcement agencies either. Moreover, it is not known whether they are aware of the crime at all; whether they received a corresponding statement from any of the victims.

Over the elapsed time, at least, it would be possible to go public with the version of the “intervention of the enemy special services” (which would look logical, given the obvious readiness of Rustam Kurmaev to trump his father’s “special status” already demonstrated in the “Terminal Service” case). But then it would be necessary to involve very serious structures in the real (and not PR) investigation of the incident. Which (this option is not excluded) could, during the investigation, come to rather unexpected and not very pleasant conclusions for RKP Law.

Why Rustam Kurmaev is silent, if desired, can be understood, given the likely devastating consequences of the very fact of the leak for the professional reputation of the law firm. But after this publication, any of the organization’s 250 clients, who also became an unwitting victim of a leak, can apply to law enforcement agencies. And with such a development of events, “Rustam Kurmaev and partners” may well move from the category of “victims” to the category of suspects and co-defendants, and then in any case it will be necessary to form some kind of “official position”.

Based on media materials

* Alexey Navalny is included in the list of individuals in respect of whom there is information about their involvement in extremist activities or terrorism.