3/15/2017
06:20 PM

DoJ Indicts Russian FSB Officers and Cybercriminals in Yahoo Breach

Russian intelligence officers hired well-known cybercriminals to do their bidding in massive hacks that compromised the Yahoo, Gmail, and other email accounts of millions of people in the US, Russia, and elsewhere.

The increasingly blurred line between the Russian government and that nation's notorious cybercrime underground was exposed in a very public way today as the US Department of Justice announced indictments of two FSB officers as well as two infamous Russian cybercriminals for their roles in the massive breach of Yahoo as well as other related hacks.

The DoJ's indictments charge Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43, both Russian nationals and officers of the Russian intelligence agency FSB, with hiring one of the FBI's Most Wanted cybercriminals, Alexsey Alexseyevich Belan, aka "Magg," 29, a Russian national and resident, along with Karim Baratov, aka "Kay," "Karim Taloverov" and "Karim Akehmet Tokbergenov," 22, a Canadian and Kazakh national, to hack Yahoo systems and steal information from some 500 million Yahoo accounts.

They then used some of that stolen information to access accounts from Yahoo, Google, and other webmail services, as well as emails of Russian journalists, US and Russian government officials, and employees at a Russian investment banking firm, US financial services and private equity firms, a US airline, a Swiss bitcoin wallet firm, a US cloud storage company, the International Monetary Fund, and "employees of a prominent Russian cybersecurity company," as well as other victims, the DoJ said. Many of the victims were high-level executives and officials.

The FSB agents worked for Russia's Center for Information Security, aka Center 18, which is the FBI's direct point of contact for cybercrime investigations and cases, which makes the indictments even more extraordinary than they already are. "The involvement and direction of FSB officers with law enforcement responsibilities makes this conduct that much more egregious. There are no free passes for foreign state-sponsored criminal behavior," Acting Assistant Attorney General Mary McCord said in a press briefing today announcing the indictments.

While DoJ's McCord said the indictments do not allege any connection to US investigations into Russia's hacking and tampering in the 2016 US presidential election, the case ultimately could have wider tentacles than it appears on the surface. APT29, aka Cozy Bear, the cyber espionage group widely attributed to the FSB, was named by the US intelligence community as a perpetrator, along with the Russian military intelligence group known as APT28/Fancy Bear, in hacks and data dumps related to the election. APT28/Fancy Bear was behind the hack and ultimate dumping of Gmail messages of Clinton campaign chairman John Podesta, for example.

"I don't know if the Yahoo hack was a springboard per se" to the DNC and other election-related hacks, says John Bambenek, threat systems manager of Fidelis Cybersecurity, which assisted in the DNC breach investigation. "If the FSB has people hacking Yahoo, the same kind of people [with the same skillsets] are hacking other people's emails. If it's not the same guys, it's people who work in the same office or next door," he says. "At the end of the day, if these two FSB officials indicted weren't involved in the DNC operation, they [likely] know who was."

Then there is Dokuchaev himself: Russian officials recently charged him with treason, along with his supervisor, Sergei Mikhailov, for allegedly working with the CIA. Those charges came in the wake of the Obama administration and the US intelligence community going public with their finding that Russia had interfered in the 2016 presidential election through hacking, online leaks of stolen information, and fake news articles.

Former FSB officer Dmitry Aleksandrovich Dokuchayev, "Patrick Nag." Source: FBI

Security experts who investigate breaches and study cyber espionage and cybercrime gangs long have warned of a growing connection between nation-states and cybercriminals in their respective nations, especially in Russia, where the cyber underground can be a lucrative gig for a talented hacker.

Former US Attorney Ed McAndrew, who served for 10 years as a cybercrime prosecutor and National Security Cyber Specialist for the DoJ, says it's the first publicly available indictment that confirms the Russian FSB's collusion with Russian cybercriminals.

"They [the FSB] do it for plausible deniability and obfuscation, primarily," says McAndrew, who is co-chair of law firm Ballard Spahr's Privacy and Data Security Group. The intel agencies basically offer cover and protection to the cybercriminals and often allow them to make a little extra income on the side via the work, he says.

"They get a commission on behalf of FSB, but the FSB is also quite aware that these guys [cybercriminals] have multiple objectives," he says. "They may do intel-gathering work of the FSB, but at the same time they will engage in their own financial gain, like spam campaigns or redirecting traffic to collect commissions, and theft of credit cards," as in this case, he says.

Acting Assistant Attorney General McCord said federal investigators are seeing more nation-states working with cybercriminals, and not just with Russia. "We are certainly seeing more and more use by nation-states of criminal hackers to carry out some of their intentions."

In late December, then-President Barack Obama announced wide-ranging measures in response to the Russian hacking and disinformation campaign during the US presidential election: the US expelled 35 Russian intelligence operatives and imposed sanctions on nine entities and individuals, namely Russia's two leading intelligence services (the GRU and the FSB), four individual GRU officers, and three companies that allegedly supported the operations. The sanctions also covered Belan, who was already on the FBI's Cyber Most Wanted list at the time.

Today's indictments aren't the first by the US Department of Justice: the department in 2014 indicted five members of the Chinese military for allegedly hacking and stealing trade secrets of major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel.

Spies & Crooks

FSB officers Dokuchaev and Sushchin allegedly directed and paid cybercriminals including Belan and Baratov to break into systems and steal information from US and other targets; Belan and Baratov specifically were commissioned to obtain access to the email accounts of thousands of people. Belan, who had been indicted in the US in September 2012 and again in June 2013 for various hacking crimes, was arrested in June 2013 but escaped to Russia before he could be extradited. The FSB officers then harbored him, shielding him from detection by US and other law enforcement agencies.

In November and December 2014, Belan, at the direction of the indicted FSB officers, exfiltrated a backup copy of part of Yahoo's user database containing usernames, recovery email addresses, phone numbers, and the other sensitive information needed to mint account authentication Web browser cookies for some 500 million Yahoo accounts. Belan also broke into Yahoo's Account Management Tool for the FSB: the internal system Yahoo uses to update and log changes to user accounts. With the database and the management tool at their disposal, Belan, Dokuchaev and Sushchin searched for Yahoo email "accounts of interest" and minted cookies for them, giving them access to some 6,500 targeted accounts without needing the account passwords.
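To make the "database dump equals login cookies" mechanism concrete, here is an added example that is not from the article, the indictment, or Yahoo's own code. The cookie format, user records and session store are hypothetical constructions for the illustration (the page does not describe Yahoo's real cookie design). It contrasts a weak scheme, in which a cookie can be recomputed from fields held in the user table, with a design in which sessions are random server-side handles created only by an actual login, plus the "invalidate everything issued before T" lever a provider pulls once it learns cookies were minted outside the login path.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample records standing in for the stolen backup. In the weak
# scheme the per-account cookie secret lives in the same table as the recovery
# data, so a copy of the backup carries everything needed to forge a cookie.
USER_DB = {
    "alice": {"recovery_email": "alice-backup@example.net",
              "cookie_secret": "k1-alice-0123456789abcdef"},
    "bob":   {"recovery_email": "bob-backup@example.net",
              "cookie_secret": "k1-bob-fedcba9876543210"},
}


def weak_mint(db, username, issued_at):
    """Hypothetical weak scheme: cookie = username|issued_at|HMAC(per-account
    secret, username|issued_at). No login event is involved; anyone who can
    read the record can compute the same cookie, which is what a dump gives."""
    msg = f"{username}|{issued_at}".encode()
    key = db[username]["cookie_secret"].encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{username}|{issued_at}|{tag}"


def weak_verify(db, cookie):
    """Server side of the weak scheme: recompute the tag, compare in constant time."""
    try:
        username, issued_at, tag = cookie.split("|")
    except ValueError:
        return None
    record = db.get(username)
    if record is None:
        return None
    msg = f"{username}|{issued_at}".encode()
    expected = hmac.new(record["cookie_secret"].encode(), msg, hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(expected, tag) else None


def forge_from_dump(stolen_db, target, now):
    """Attacker side: with a copy of the backup, minting a cookie for any
    'account of interest' is the same computation the server performs."""
    return weak_mint(stolen_db, target, now)


class SessionStore:
    """Hardened design: sessions exist only server-side and are created only by
    an actual login. The cookie is an unguessable random handle, so nothing in
    the user database lets the holder of a dump reproduce it. revoke_before()
    kills every session issued before a cutoff, the blanket response once a
    provider learns cookies were minted outside the login path."""

    def __init__(self):
        self._sessions = {}   # handle -> (username, issued_at)
        self._not_before = 0

    def login(self, username, credentials_ok, now):
        if not credentials_ok:
            return None
        handle = secrets.token_urlsafe(32)
        self._sessions[handle] = (username, now)
        return handle

    def verify(self, handle):
        record = self._sessions.get(handle)
        if record is None or record[1] < self._not_before:
            return None
        return record[0]

    def revoke_before(self, timestamp):
        self._not_before = timestamp


def demo():
    """Run both schemes against the same stolen backup; returns the outcomes."""
    stolen_backup = {u: dict(r) for u, r in USER_DB.items()}
    now = int(time.time())

    forged = forge_from_dump(stolen_backup, "alice", now)
    weak_outcome = weak_verify(USER_DB, forged)          # "alice": forgery accepted

    store = SessionStore()
    legit = store.login("alice", True, now)
    guessed = secrets.token_urlsafe(32)                  # all a dump holder can do
    hardened_outcome = store.verify(guessed)             # None: guess rejected
    legit_outcome = store.verify(legit)                  # "alice"
    store.revoke_before(now + 1)                         # breach response
    after_revoke = store.verify(legit)                   # None: pre-cutoff session dead
    return weak_outcome, hardened_outcome, legit_outcome, after_revoke


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is where the forgery-relevant secret lives: in the weak scheme it is part of the same backup that was stolen, so the attacker's computation is identical to the server's. Keying the MAC with a single server-held secret kept out of the user database is a common middle ground, but it still collapses if the attacker reaches that key or the minting code, which is why an opaque server-side session tied to a real login event and a global not-before cutoff is the more robust pattern.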

Belan double-dipped as well, stealing credit card numbers and gift cards from Webmail accounts, and pilfered contacts from some 30 million exposed accounts in order to wage spam campaigns. He also engaged in search engine fraud via Yahoo to make money.

The FSB officers later hired Baratov to steal more than 80 email accounts they needed that were not Yahoo accounts. He was arrested in Canada on March 14 by local authorities.

Vitali Kremez, director of research at Flashpoint, says another intriguing aspect to this case is how indicted FSB officer Dokuchaev had such close ties to the cyber underground in Russia.

"Dokuchaev was an active member in the underground, even after joining the FSB," he notes, further illuminating how closely the Russian state works with the cybercrime world. He even had a hacker nickname, "forb," and had been arrested in 2012 in Greece for hacking an ecommerce site holding health insurance information; he returned to Russia thereafter, according to Kremez.

Belan has a reputation for his Web hacking skills, while Baratov is known for his email penetration hacking services, notes Kremez.

As in the US, government jobs in Russia don't pay as well as the private sector, and Russia's well-established and entrenched cybercrime economy is especially lucrative. "They live a very lavish lifestyle," so many are attracted to cybercrime rather than cyber espionage, he notes. "The lines are very blurry at this point" between state actors and cybercriminal activity, he says.

They also employ many of the same hacking tools, and access them from the same places, according to one source with knowledge of the attack groups. "There's always been a lot of evidence that these FSB actors are working with criminal elements" and this case demonstrates that, according to the source, who requested anonymity.

This case likely is the tip of the iceberg in the Russian hacking machine's activities against US interests. "This is the beginning of a true avalanche of information on PawnStorm/Fancy Bear that will be [revealed] in hearings soon," says Tom Kellermann, CEO of Strategic Cyber Ventures.

But like the 2014 indictments by the DoJ of the Chinese military officers for cyber espionage activity – which were the first-ever such indictments of nation-state actors by the US – the Russian indictments aren't likely to do much more than send a political message. Experts certainly don't expect Russia to extradite any of the suspects.

"The whole indictment looks like a deterrent" or a warning, notes Flashpoint's Kremez.

Even so, it's a different approach by US officials. "It's very unprecedented. We've never seen a Russian agent so publicly outed by the US government."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comments
Kelly Jackson Higgins (User Rank: Strategist), 3/16/2017 1:50:46 PM
Re: One part is suspicious
Yes, it depends on whether he really was a CIA informant, etc.

jries921 (User Rank: Ninja), 3/16/2017 1:47:42 PM
Re: One part is suspicious
I'd be very surprised if he were out on bail.

Kelly Jackson Higgins (User Rank: Strategist), 3/16/2017 12:14:12 PM
Re: One part is suspicious
It's interesting that he's basically "double indicted." And yet he may still remain free.

jries921 (User Rank: Ninja), 3/16/2017 11:44:18 AM
One part is suspicious
I can think of exactly one reason why the US Justice Department would indict a man accused of being a CIA informant by his own government, and it's not a good one.

Obviously, I hope I'm wrong.