Founder of Cybersecurity Company Says His Firm Was Sanctioned Because He was Born in Russia
The US Treasury sanctioned five companies accusing them of helping the Russian government hack. But the founder of one of those companies vehemently denied the accusations.
Tuesday, the US government imposed new sanctions on three Russian individuals and five companies, including some cybersecurity companies accused of helping Vladimir Putin’s military and intelligence services carry out cyberattacks against American targets.
“The entities designated today have directly contributed to improving Russia’s cyber and underwater capabilities through their work with the FSB and therefore jeopardize the safety and security of the United States and our allies,” Treasury Secretary Steven Mnuchin said in a statement.
But one of the security companies named in the new sanctions, ERPScan, denied having anything to do with the Russian government in an email to Motherboard.
“The only issue is that I and some of my peers were born in Russia, oh, cmon, I’m sorry but I can’t change it,” ERPScan’s founder Alexander Polyakov told me. “We don’t have any ties to Russian government.”
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
ERPScan is mostly known for its product that hunts for vulnerabilities in companies’ systems provided by SAP, a popular German enterprise software maker. Cyber Defense Magazine gave ERPScan an award this year for “best product” in its artificial intelligence and machine learning category.
Polyakov said he was “embarrassed” by the news and defended his company.
“We helped multiple software companies to make their systems secure by helping to fiх over 600 vulnerabilities in their products always following responsive disclosure and helping research community,” he wrote in his email. “We published our research on over 100 security conferences worldwide.”
The US Treasury Department, the agency responsible for the sanctions, said that ERPScan was a “subsidiary of Digital Security.” Polyakov, however, claimed that as of 2014, ERPScan is a “private company registered in the Netherlands” and that it has no connections “with other companies listed in this document.”
Yet, Polyakov used to work for Digital Security before 2014, and Digital Security is registered as the trademark owner of ERPScan, as of 2013. When asked what he’s planning to do now, Polyakov simply answered: “You gotta fight for your right.”
The Treasury Department declined to comment and pointed to its press release.
Another sanctioned company, Embedi, echoed some of the arguments made by Plyakov.
"The news came to us as an unpleasant surprize. We never worked for Russian government, but indeed we have some former Russian researchers in our Research Team (some of them are former employees of Digital Security)," Alex Kruglov, Embedi's head of marketing, told Motherboard in an email. "It is the only reason we can figure out to be added to a sanctions list."
Additional reporting by Joseph Cox.
This story has been updated to add Embedi's comments.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.