
3/15/2017 06:20 PM

DoJ Indicts Russian FSB Officers and Cybercriminals in Yahoo Breach

Russian intelligence officials hired renowned cybercriminals to do their bidding in massive hacks that compromised Yahoo, Gmail, and other email accounts of millions of people in the US, Russia, and elsewhere.

The increasingly blurred line between the Russian government and that nation's notorious cybercrime underground was exposed in a very public way today as the US Department of Justice announced indictments of two FSB officers as well as two infamous Russian cybercriminals for their roles in the massive breach of Yahoo as well as other related hacks.

DoJ's indictments charge that Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43, both Russian nationals and agents of the Russian intelligence agency FSB, hired one of the FBI's Most Wanted cybercriminals, Alexsey Alexseyevich Belan, aka "Magg," 29, a Russian national and resident, as well as Canadian and Kazakh national Karim Baratov, aka "Kay," "Karim Taloverov" and "Karim Akehmet Tokbergenov," 22, to hack Yahoo systems and steal information from some 500 million Yahoo accounts.

They then used some of that stolen information to access accounts from Yahoo, Google, and other webmail services, as well as emails of Russian journalists, US and Russian government officials, and employees at a Russian investment banking firm, US financial services and private equity firms, a US airline, a Swiss bitcoin wallet firm, a US cloud storage company, the International Monetary Fund, and "employees of a prominent Russian cybersecurity company," as well as other victims, the DoJ said. Many of the victims were high-level executives and officials.

The FSB agents worked for Russia's Center for Information Security, aka Center 18, the FBI's direct point of contact for cybercrime investigations and cases, which makes the indictments even more extraordinary than they already are. "The involvement and direction of FSB officers with law enforcement responsibilities makes this conduct that much more egregious. There are no free passes for foreign state-sponsored criminal behavior," Acting Assistant Attorney General Mary McCord said in a press briefing today announcing the indictments.

While DoJ's McCord said the indictments do not allege any connection to US investigations into Russia's hacking and tampering in the US presidential election, the case ultimately could have wider reach than it appears on the surface. APT29, aka Cozy Bear, is the cyber espionage arm of the FSB, and was named by the US intel community as a perpetrator, along with the Russian military (known as APT28/Fancy Bear), in hacks and data dumps related to the 2016 US presidential election. APT28/Fancy Bear was behind the hack and ultimate dumping of Gmail messages of Clinton campaign manager John Podesta, for example.

"I don't know if the Yahoo hack was a springboard per se" to the DNC and other election-related hacks, says John Bambenek, threat systems manager of Fidelis Cybersecurity, which assisted in the DNC breach investigation. "If the FSB has people hacking Yahoo, the same kind of people [with the same skillsets] are hacking other people's emails. If it's not the same guys, it's people who work in the same office or next door," he says. "At the end of the day, if these two FSB officials indicted weren't involved in the DNC operation, they [likely] know who was."

Then there's the indictment of Dokuchaev, who was recently charged by Russian officials with cyber-treason, as was his supervisor, Sergei Mikhailov, for allegedly working with the CIA - charges by Russian officials that came in the wake of the Obama administration and intelligence community going public with its findings that Russia had interfered with the 2016 presidential election with hacking, online leaks of stolen information, and fake news articles.

Former FSB officer Dmitry Aleksandrovich Dokuchayev, 'Patrick Nag'
Source: FBI

Security experts who investigate breaches and study cyber espionage and cybercrime gangs long have warned of a growing connection between nation-states and cybercriminals in their respective nations, especially in Russia, where the cyber underground can be a lucrative gig for a talented hacker.

Former US Attorney Ed McAndrew, who served for 10 years as a cybercrime prosecutor and National Security Cyber Specialist for the DoJ, says it's the first publicly available indictment that confirms the Russian FSB's collusion with Russian cybercriminals.

"They [the FSB] do it for plausible deniability and obfuscation, primarily," says McAndrew, who is co-chair of law firm Ballard Spahr's Privacy and Data Security Group. The intel agencies basically offer cover and protection to the cybercriminals and often allow them to make a little extra income on the side via the work, he says.

"They get a commission on behalf of FSB, but the FSB is also quite aware that these guys [cybercriminals] have multiple objectives," he says. "They may do intel-gathering work of the FSB, but at the same time they will engage in their own financial gain, like spam campaigns or redirecting traffic to collect commissions, and theft of credit cards," as in this case, he says.

Acting Assistant Attorney General McCord said federal investigators are seeing more nation-states working with cybercriminals, and not just with Russia. "We are certainly seeing more and more use by nation-states of criminal hackers to carry out some of their intentions."

In late December, in response to the Russian hacking and disinformation campaign during the US presidential election, then-President Barack Obama imposed wide-ranging sanctions on nine entities and individuals: Russia's two leading intelligence services (the GRU and the FSB), four individual GRU officers, and three companies that allegedly supported the operations. The sanctions also included Belan, who was already on the FBI's Cyber Most Wanted list at the time, and the US formally ejected 35 Russian intelligence operatives from the United States.

Today's indictments aren't the first by the US Department of Justice: the department in 2014 indicted five members of the Chinese military for allegedly hacking and stealing trade secrets of major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel.

Spies & Crooks

FSB officers Dokuchaev and Sushchin allegedly instructed and paid cybercriminals including Belan and Baratov to hack into systems and steal information from US and other targets. Belan and Baratov specifically were commissioned to steal email account access of thousands of people. Belan, who was indicted by the US in September 2012 and again in June 2014 for various hacking crimes, was arrested in June 2013 but managed to escape to Russia before he could be extradited to the US. He was then harbored by the FSB officers to avoid detection by the US and other law enforcement entities.

Starting around November and December 2014, Belan, under the direction of the indicted FSB officials, pilfered a backup copy of some of Yahoo's user database full of usernames, recovery email accounts, phone numbers, and other sensitive information needed to create account authentication Web browser cookies for some 500 million Yahoo user accounts. Belan also hacked into Yahoo's Account Management Tool for the FSB: that's Yahoo's internal tool for updating and logging changes to user accounts. With the Yahoo database and account management tools at their disposal, Belan, Dokuchaev and Sushchin looked for Yahoo email "accounts of interest" and created cookies for them so they could access some 6,500 targeted email accounts.
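A defender-side check prompted by the paragraph above, added here as an example and not taken from the article, Yahoo, or the DoJ filing: a session cookie that is presented for an account without a preceding login event for that session id is the signature of a cookie minted outside the login flow, and one source reaching several such accounts is the "accounts of interest" pattern to escalate. The log format, field names and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in a hypothetical "event user= sid= ip=" format.
# The only legitimate flow is login_ok followed by access with the same
# session id; the bob and carol accesses carry session ids no login issued.
SAMPLE_LOG = """\
2014-12-01T10:00:00Z login_ok user=alice sid=s1a2b3 ip=203.0.113.5
2014-12-01T10:05:00Z access user=alice sid=s1a2b3 ip=203.0.113.5 path=/inbox
2014-12-01T11:00:00Z access user=bob sid=zz9y8x ip=198.51.100.7 path=/inbox
2014-12-01T11:01:00Z access user=carol sid=q7w8e9 ip=198.51.100.7 path=/inbox
2014-12-01T11:02:00Z login_ok user=carol sid=q7w8e9 ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|access) user=(?P<user>\S+) "
    r"sid=(?P<sid>\S+) ip=(?P<ip>\S+)"
)


def parse(log: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_unissued_sessions(log: str) -> list:
    """Return access events whose (user, sid) pair was never issued by an
    earlier login_ok event.  Order matters: a login recorded after the
    access (carol) does not legitimise it."""
    issued = set()
    suspicious = []
    for ev in parse(log):
        key = (ev["user"], ev["sid"])
        if ev["event"] == "login_ok":
            issued.add(key)
        elif key not in issued:
            suspicious.append(ev)
    return suspicious


def accounts_per_source(events: list) -> dict:
    """Count distinct accounts reached per source IP among suspicious
    events; one source touching many accounts is the pattern to escalate."""
    users = defaultdict(set)
    for ev in events:
        users[ev["ip"]].add(ev["user"])
    return {ip: len(u) for ip, u in users.items()}
```

Minting via an internal account-management tool, as the article describes, may also let the attacker create the session record itself, so this check complements rather than replaces auditing of that tool's own actions.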

Belan double-dipped as well, stealing credit card numbers and gift cards from Webmail accounts, and pilfered contacts from some 30 million exposed accounts in order to wage spam campaigns. He also engaged in search engine fraud via Yahoo to make money.

The FSB officers later hired Baratov to steal more than 80 email accounts they needed that were not Yahoo accounts. He was arrested in Canada on March 14 by local authorities.

Vitali Kremez, director of research at Flashpoint, says another intriguing aspect to this case is how indicted FSB officer Dokuchaev had such close ties to the cyber underground in Russia.

"Dokuchaev was an active member in the underground, even after joining the FSB," he notes, shining further light on how closely the Russian state works with the cybercrime world. He even had a hacker nickname, "forb," and had been arrested in 2012 in Greece for hacking an ecommerce site holding health insurance information. He returned to Russia thereafter, according to Kremez.

Belan has a reputation for his Web hacking skills, while Baratov is known for his email penetration hacking services, notes Kremez.

As in the US, government jobs in Russia don't pay as well as the private sector, and Russia's well-established and entrenched cybercrime realm is especially lucrative. "They live a very lavish lifestyle," so many are attracted to cybercrime rather than cyber espionage, he notes. "The lines are very blurry at this point" between state actors and cybercriminal activity, he says.

They also employ many of the same hacking tools, and access them from the same places, according to one source with knowledge of the attack groups. "There's always been a lot of evidence that these FSB actors are working with criminal elements" and this case demonstrates that, according to the source, who requested anonymity.

This case likely is the tip of the iceberg in the Russian hacking machine's activities against US interests. "This is the beginning of a true avalanche of information on PawnStorm/Fancy Bear that will be [revealed] in hearings soon," says Tom Kellermann, CEO of Strategic Cyber Ventures.

But like the 2014 indictments by the DoJ of the Chinese military officers for cyber espionage activity – which were the first-ever such indictments of nation-state actors by the US – the Russian indictments aren't likely to do much more than send a political message. Experts certainly don't expect Russia to extradite any of the suspects.

"The whole indictment looks like a deterrent" or a warning, notes Flashpoint's Kremez.

Even so, it's a different approach by US officials. "It's very unprecedented. We've never seen a Russian agent so publicly outed by the US government."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
jries921, User Rank: Ninja, 3/16/2017 | 11:44:18 AM
One part is suspicious
I can think of exactly one reason why the US Justice Department would indict a man accused of being a CIA informant by his own government and it's not a good one.

Obviously, I hope I'm wrong.
Kelly Jackson Higgins, User Rank: Strategist, 3/16/2017 | 12:14:12 PM
Re: One part is suspicious
It's interesting that he's basically "double indicted." And yet he may still remain free.
jries921, User Rank: Ninja, 3/16/2017 | 1:47:42 PM
Re: One part is suspicious
I'd be very surprised if he were out on bail.
Kelly Jackson Higgins, User Rank: Strategist, 3/16/2017 | 1:50:46 PM
Re: One part is suspicious
Yes, it depends on whether he really was a CIA informant, etc.