The increasingly blurred line between the Russian government and that nation's notorious cybercrime underground was exposed in a very public way today as the US Department of Justice announced indictments of two FSB officers as well as two infamous Russian cybercriminals for their roles in the massive breach of Yahoo as well as other related hacks.
DoJ's indictments charge that Russian nationals and agents of Russian intelligence agency FSB Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43, allegedly hired one of the FBI's Most Wanted cybercriminals, Alexsey Alexseyevich Belan, aka "Magg," 29, a Russian national and resident, as well as with Canadian and Kazakh national Karim Baratov, aka "Kay," "Karim Taloverov" and "Karim Akehmet Tokbergenov," 22 , to hack Yahoo systems and steal information from some 500 million Yahoo accounts.
They then used some of that stolen information to access accounts from Yahoo, Google, and other webmail services, as well as emails of Russian journalists, US and Russian government officials, and employees at a Russian investment banking firm, US financial services and private equity firms, a US airline, a Swiss bitcoin wallet firm, a US cloud storage company, the International Monetary Fund, and "employees of a prominent Russian cybersecurity company," as well as other victims, the DoJ said. Many of the victims were high-level executives and officials.
The FSB agents worked for Russia's Center for Information Security, aka Center 18, which is the FBI's direct point of contact for cybercrime investigations and cases, which makes the indictments even more extraordinary than they already are. "The involvement and direction of FSB officers with law enforcement responsibilities makes this conduct that much more egregious. There are no free passes for foreign state-sponsored criminal behavior," Acting Assistant Attorney General Mary McCord said in a press briefing today announcing the indictments.
While DoJ's McCord said the indictments do not allege any connection to US investigations into Russia's hacking and tampering in the US presidential election, the case ultimately could have wider tentacles than it appears on the surface. APT29 aka Cozy Bear is the cyber espionage arm of the FSB, and was named by the US intel community as a perpetrator - along with the Russian military (coined APT28/Fancy Bear) - in hacks and data dumps related to the 2016 US presidential election. APT28/Fancy Bear was behind the hack and ultimate dumping of Gmail messages of Clinton campaign manager John Podesta, for example.
"I don't know if the Yahoo hack was a springboard per se" to the DNC and other election-related hacks, says John Bambenek, threat systems manager of Fidelis Cybersecurity, which assisted in the DNC breach investigation. "If the FSB has people hacking Yahoo, the same kind of people [with the same skillsets] are hacking other people's emails. If it's not the same guys, it's people who work in the same office or next door," he says. "At the end of the day, if these two FSB officials indicted weren't involved in the DNC operation, they [likely] know who was."
Then there's the indictment of Dokuchaev, who was recently charged by Russian officials with cyber-treason, as was his supervisor, Sergei Mikhailov, for allegedly working with the CIA - charges by Russian officials that came in the wake of the Obama administration and intelligence community going public with its findings that Russia had interfered with the 2016 presidential election with hacking, online leaks of stolen information, and fake news articles.
Security experts who investigate breaches and study cyber espionage and cybercrime gangs long have warned of a growing connection between nation-states and cybercriminals in their respective nations, especially in Russia, where the cyber underground can be a lucrative gig for a talented hacker.
Former US Attorney Ed McAndrew, who served for 10 years as a cybercrime prosecutor and National Security Cyber Specialist for the DoJ, says it's the first publicly available indictment that confirms the Russian FSB's collusion with Russian cybercriminals.
"They [the FSB] do it for plausible deniability and obfuscation, primarily," says McAndrew, who is co-chair of law firm Ballard Spahr's Privacy and Data Security Group. The intel agencies basically offer cover and protection to the cybercriminals and often allow them to make a little extra income on the side via the work, he says.
"They get a commission on behalf of FSB, but the FSB is also quite aware that these guys [cybercriminals] have multiple objectives," he says. "They may do intel-gathering work of the FSB, but at the same time they will engage in their own financial gain, like spam campaigns or redirecting traffic to collect commissions, and theft of credit cards," as in this case, he says.
Acting Assistant Attorney General McCord said federal investigators are seeing more nation-states working with cybercriminals, and not just with Russia. "We are certainly seeing more and more use by nation-states of criminal hackers to carry out some of their intentions."
Former President Barack Obama in late December issued wide-ranging sanctions including some against the GRU and FSB, as well as against four GRU officers and three companies that allegedly supported the operations, in response to the Russian hacking and disinformation campaign during the US presidential election. The sanctions included Belan, who was already on the FBI's Cyber Most Wanted list at the time, and the US formally ejected 35 Russian intelligence operatives from the United States and imposed sanctions on nine entities and individuals: Russia's two leading intelligence services (the GRU and the FSB), four individual GRU officers, and three other organizations.
Today's indictments aren't the first by the US Department of Justice: the department in 2014 indicted five members of the Chinese military for allegedly hacking and stealing trade secrets of major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel.
Spies & Crooks
FSB officers Dokuchaev and Sushchin allegedly instructed and paid cybercriminals including Belan and Baratov to hack into systems and steal information from US and other targets. Belan and Baratov specifically were commissioned to steal email account access of thousands of people. Belan, who was indicted by the US in September of 2012 and again in June 2014 for various hacking crimes, was arrested in June 2013 but managed to escape to Russia before being extradited to the US. He was then harbored by the FSB officers to avoid detection by the US and other law enforcement entities.
Starting around November and December 2014, Belan, under the direction of the indicted FSB officials, pilfered a backup copy of some of Yahoo's user database full of usernames, recovery email accounts, phone numbers, and other sensitive information needed to create account authentication Web browser cookies for some 500 million Yahoo user accounts. Belan also hacked into Yahoo's Account Management Tool for the FSB: that's Yahoo's internal tool for updating and logging changes to user accounts. With the Yahoo database and account management tools at their disposal, Belan, Dokuchaev and Sushchin looked for Yahoo email "accounts of interest" and created cookies for them so they could access some 6,500 targeted email accounts.
Belan double-dipped as well, stealing credit card numbers and gift cards from Webmail accounts, and pilfered contacts from some 30 million exposed accounts in order to wage spam campaigns. He also engaged in search engine fraud via Yahoo to make money.
The FSB officers later hired Baratov to steal more than 80 email accounts they needed that were not Yahoo accounts. He was arrested in Canada on March 14 by local authorities.
Vitali Kremez, director of research at Flashpoint, says another intriguing aspect to this case is how indicted FSB officer Dokuchaev had such close ties to the cyber underground in Russia.
"Dokuchaev was an active member in the underground, even after joining the FSB," he notes, shining a light further on how Russian nation-states work closely with the cybercrime world. He even had a hacker nickname, "forb," and had been arrested in 2012 in Greece for hacking an ecommerce site with health insurance information. He returned to Russia thereafter, according to Kremez.
Belan has a reputation for his Web hacking skills, while Baratov is known for his email penetration hacking services, notes Kremez.
Like in the US, government jobs in Russia don't pay as well as the private sector, and Russia's well-established and entrenched cybercrime realm is especially lucrative. "They live a very lavish lifestyle," so many are attracted to cybercrime rather than cyber espionage, he notes. "The lines are very blurry a this point" between state actors and cybercriminal activity, he says.
They also employ many of the same hacking tools, and access them from the same places, according to one source with knowledge of the attack groups. "There's always been a lot of evidence that these FSB actors are working with criminal elements" and this case demonstrates that, according to the source, who requested anonymity.
This case likely is the tip of the iceberg in the Russian hacking machine's activities against US interests. "This is the beginning of a true avalanche of information on PawnStorm/Fancy Bear that will be [revealed] in hearings soon," says Tom Kellermann, CEO of Strategic Cyber Ventures.
But like the 2014 indictments by the DoJ of the Chinese military officers for cyber espionage activity – which were the first-ever such indictments of nation-state actors by the US – the Russian indictments aren't likely to do much more than send a political message. Experts certainly don't expect Russia to extradite any of the suspects.
"The whole indictment looks like a deterrent" or a warning, notes Flashpoint's Kremez.
Even so, it's a different approach by US officials. "It's very unprecedented. We've never seen a Russian agent so publicly outed by the US government."
- Clinton Campaign Tested Staffers With Fake Phishing Emails
- Kaspersky Lab Incident Investigations Head Arrested In Russia For 'Treason'
- Putin Directed Cyberattack, Propaganda Operation To Influence US Election