The city was under siege. Hackers had knocked out its electricity and oil production, caused an explosion at a gas station and dropped a shipping container on a barge at the port. The carnage was contained, though, occurring in a model city, an ersatz modern metropolis in miniature. It was make-believe cyberwar—a contest between “red team” hackers and “blue team” defenders—set up in a conference venue at a Moscow hotel, and watched over by Yury Maksimov, the 43-year-old majority owner of Positive Technologies, which had hosted the competition for a decade.
Just a month before the exercise at Positive’s well-known May Hack Days conference, Maksimov—whom Forbes Russia recently estimated to be worth half a billion—had been getting ready to take his Moscow-based company public, possibly on an American exchange. With his 55% stake—and the company valued at $2.5 billion by banks working on an initial public offering, according to publicly released figures—Maksimov stood to become a billionaire when the IPO rolled out. “Being a billionaire is more than just money. In this world it’s a clear-cut sign of success, of one’s capability and power,” Maksimov says. It would be “confirmation of my success and an investment in my future success.”
But the IPO plans were dashed in April (at least temporarily) when Positive Technologies and five other companies were slapped with sanctions by the U.S. Treasury Department, which accused them of supporting Russian intelligence agencies conducting “dangerous and disruptive cyberattacks.” Maksimov’s company stood out because it was the only one with an international reputation, thanks in large part to partnerships with such companies as Microsoft, IBM and Samsung and just above $60 million in publicly reported revenue in 2020. (The company tells Forbes that total revenues, including those of its nonlisted entities, are roughly $77 million.)
The Treasury Department also asserted that the Positive Hack Days conference had been used as a kind of recruitment fair for Russian military intelligence. While the department offered few specifics, the most damning assertions against Positive were contained in a March report from the Atlantic Council, an influential Washington D.C. think tank. Though it didn’t mention Positive by name, the report referred to an entity with the cryptonym ENFER, confirmed as being Positive by two cybersecurity industry experts, speaking on the condition of anonymity, with knowledge of the report. (Previous links were reported by independent journalist Kim Zetter. The Atlantic Council said it couldn’t comment on the true identity of Enfer.) The report said Enfer had developed digital spy tools for the FSB, a successor agency to the Russian KGB, including developing technologies to geo-locate phones by exploiting weaknesses in the global telecom infrastructure. The report also said that after Enfer investigated an attack by a Western country on a Russian government network between 2014 and 2015, it repurposed the malware “for use in other intrusions.”
Maksimov flatly denies the Treasury Department and Atlantic Council allegations. Speaking from Positive’s Moscow office, dressed in striped T-shirt and jeans, he asserts that his business has been embroiled in a geopolitical war: “We have never participated in any attacks directed at companies or states.”
Maksimov doesn’t dispute that his company does work for Russia’s Ministry of Defense and FSB, but he asserts that Positive provides only defensive services to the agencies. “They [the Ministry of Defense] can call us and ask us to hack their defenses,” he says, to help find weaknesses in its own networks, not others’. Just 1.5% of Positive’s business comes from military and law enforcement customers, he adds, contending that most of its revenue is from 320 of the largest private companies in Russia, including Sberbank and Lukoil. “In the U.S., Homeland Security and the FBI also have defense concerns, and we’d be happy to serve them as well,” Maksimov says.
His claims of innocence don’t sway American security experts. James Lewis, a former political advisor at the State Department and senior vice president at the Center for Strategic and International Studies, says Russian cyber companies have no choice but to do the bidding of the government and its security apparatus. “It is impossible to work in this space and not have a relationship with the Russian security services,” Lewis says in an email. “The security services work closely with hackers,” he says. “Russian corruption means there are fewer legitimate business opportunities in technology than in the U.S. Here, you can go to Silicon Valley. There, you have far fewer choices.”
What sets Russian contractors apart from American counterparts is a willingness to act “more like a proxy entity,” carrying out hacking campaigns on their own, rather than simply provide tools for cyberattacks, adds Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council and one of the authors of the Enfer report.
“There is a great deal of hand-wringing, deliberation and debate about how to proceed with this type of sanction,” says a former senior FBI official with knowledge of the government’s investigation into Positive. “This is not something that is taken lightly. When the U.S. government . . . makes a determination like this, they have high confidence that there are individuals within these specific companies that are working either on behalf of the Russian intelligence services, have an active relationship with them, or are essentially enabled to engage in activity.”
Maksimov acknowledges that the sanctions have damaged the company’s plans for an IPO by making it highly unlikely American investors can participate. According to the Treasury, U.S. entities or individuals are prohibited from making “any contribution or provision of funds” to the sanctioned parties, which included a handful of other Russian businesses. “They have certainly impacted our IPO plans,” he says. “Because American funds very often participate in IPOs and have a penchant for high-tech investment, and obviously they won’t be on the roster.” Meanwhile, Microsoft has removed Positive from its partnership program that provides advance information on software vulnerabilities, telling the AP in April that it was compliant with all sanctions.
An IBM spokesperson told Forbes that it, too, was complying with the sanctions, saying its work with Positive was limited to product integration. Given the sanctions, it is no longer cooperating with Positive on those integrations, adding: “Positive Technologies was provided standard information so its vulnerability scanning product could communicate with the IBM QRadar security tool. Positive Technologies has never been involved in QRadar or any other IBM product development, nor has IBM used or distributed any of its products.”
Positive is still trying to determine if it can work in any capacity with American businesses and is in discussions with the U.S. Office of Foreign Assets Control to try to address the allegations, he says. “We have nothing to hide,” Maksimov says.
The company still hopes to move forward with an IPO next spring. But Maksimov says he fears that the U.S., where the biggest chunk of the $130 billion cybersecurity market is located, is now off-limits.
For years he has tried, unsuccessfully, to break out of Russia and into the lucrative American market—and this isn’t his first setback in that effort. In 2014, Positive was piling most of its marketing money into establishing a U.S. business, but then Russia annexed Crimea, causing Americans to fear doing business with any Russian organization, including his, he says. Even before that, Maksimov says, there was an “undercurrent of tension and some suspicion” in the U.S.