One of the four alleged “criminal conspirators” indicted by a federal grand jury in the Northern District of California on charges of computer hacking, economic espionage and other criminal offenses, committed allegedly at the behest of two Russian Federal Security Service (FSB) officers, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, has been arrested and could potentially put FSB intelligence and cyber hacking capabilities into Western hands.
Dokuchaev, 33, a Russian national and resident, and Sushchin, 43, a Russian national and resident, allegedly worked with Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident, and Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22, a Canadian and Kazakh national and a resident of Canada.
On March 10, the US obtained a “provisional arrest” warrant for Baratov on the charges being brought by US authorities, pursuant to Canada’s extradition agreement with the US. Baratov subsequently was arrested last week by a Toronto police fugitive squad.
In its request for the provisional warrant, the FBI stated, “Baratov … has ties to foreign government officials who … have demonstrated their willingness to offer sanctuary to at least one of Baratov’s co-conspirators after he fled a Western nation where he was a subject of extradition proceedings,” and that he poses a “danger to the community because he has a demonstrated history of hacking into numerous victims’ email accounts and his hacker-for-hire activities continue to the present time.” The US added, “Given the serious nature of his conduct, the public impact of his hacking-for-hire conduct, his substantial earnings as a result of the unlawful hacking, and his ties to foreign intelligence officers with nation state resources at their disposal, he should be arrested on an urgent basis and detained.”
“Even assuming that Baratov does not receive assistance from his known and unknown Russian government conspirators, he possesses the skills and financial resources to flee justice,” the court filings said. Although Baratov has no apparent “legitimate employment,” US and Canadian law enforcement authorities this week alleged in documents filed with an Ontario court that he poses an “extremely high flight risk,” partly because of his alleged ties to the FSB, but also because of the $210,000 the filings said he holds in an online account.
Furthermore, US law enforcement officials found among his social media accounts a Facebook page on which he is standing next to a 2009 Aston Martin and a 2013 Mercedes, both of which Ontario authorities said are registered in his name. He also appears to have previously owned a Lamborghini.
A bail hearing for Baratov – whose attorney is fighting his client’s extradition — has been scheduled for April 5.
Senior counterintelligence officials told Homeland Security Today that Baratov could provide US and Western counterintelligence and cybersecurity services with “valuable information on the FSB,” as one of them said on condition of anonymity because of the sensitivity of the matter.
Indeed. According to DOJ, “Some victim accounts were of predictable interest to the FSB, a foreign intelligence and law enforcement service, such as personal accounts belonging to Russian journalists; Russian and US government officials; employees of a prominent Russian cybersecurity company; and numerous employees of other providers whose networks the conspirators sought to exploit. However, other personal accounts belonged to employees of commercial entities, such as a Russian investment banking firm, a French transportation company, US financial services and private equity firms, a Swiss bitcoin wallet and banking firm and a US airline.”
“Hacking into any of these entities or personal accounts is exactly what the FSB looks for, and does, as part of its international espionage and intelligence collection activities,” another of the officials said.
According to the indictment, FSB officer defendants Dokuchaev and Sushchin “protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the US and elsewhere. In the present case, they worked with co-defendants Alexsey Belan and Karim Baratov to obtain access to the email accounts of thousands of individuals.”
DOJ said, “Belan had been publicly indicted in September 2012 and June 2013 and was named one of FBI’s Cyber Most Wanted Criminals in November 2013. An Interpol Red Notice seeking his immediate detention ha[d] been lodged (including with Russia) since July 26, 2013,” and eventually was “arrested in a European country on a request from the US in June 2013, but was able to escape to Russia before he could be extradited.”
Some counterintelligence authorities said they suspect he may have received help from the FSB or “in-country” FSB “assets” to facilitate his escape.
“Instead of acting on the US government’s Red Notice and detaining Belan after his return, Dokuchaev and Sushchin subsequently used him to gain unauthorized access to Yahoo’s network,” DOJ said.
DOJ said the alleged breaches arose out of an FSB-connected plot that began in January 2014 to access Yahoo’s network. According to DOJ, the defendants stole information on more than 500 million Yahoo accounts; accessed without authorization the contents of more than 30 million Yahoo accounts to facilitate a spam campaign; and accessed without authorization the accounts of at least 18 additional users at other webmail providers.
As alleged in the indictment, the conspiracy began at least as early as 2014 and, even though the conspirators lost their access to Yahoo’s networks in September 2016, they continued to utilize information stolen from the intrusion up to and including at least December 2016.
“Identification of individual Russian hackers is largely symbolic, but is significant nonetheless,” Robert Cattanach, a partner at the international law firm Dorsey & Whitney who previously worked as a trial attorney for DOJ and was special counsel to the Secretary of the Navy, told Homeland Security Today. “There’s probably little likelihood the identified hackers will ever face justice in the United States [since] the US has no extradition treaty with Russia.”
Still, he noted, “disclosure by the department of justice is nonetheless very significant for a number of reasons. First, it demonstrates the US can track with particularity the source of hacks even through the myriad of devices and systems used to cover their trail,” and, "Second, it also underscores the very cozy relationship between Russian state security apparatus and for-hire Russian hackers. Not only have individual hackers operated with impunity inside Russia, but US security officials increasingly suspect they are tacitly encouraged by the Russian government, which can then leverage their techniques and intrusions to obtain sensitive information.”
Cattanach added that “Yahoo has long suspected that the breaches were state-sponsored, but this confirms that scenario and offers a modicum of solace to an embattled Yahoo.”
DOJ said, “The defendants used unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, US and Russian government officials and private-sector employees of financial, transportation and other companies.”
One of the defendants exploited his access to Yahoo’s network for his personal financial gain by searching Yahoo user communications for credit card and gift card account numbers, “redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign,” DOJ stated.
“Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history,” said Attorney General Jeff Sessions. “But thanks to the tireless efforts of US prosecutors and investigators, as well as our Canadian partners, we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law.”
“Today, we continue to pierce the veil of anonymity surrounding cyber crimes,” added FBI Director James Comey, who said, “We are shrinking the world to ensure that cyber criminals think twice before targeting US persons and interests.”
“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale,” said Acting Assistant Attorney General Mary McCord of the National Security Division. “Once again, DOJ and FBI have demonstrated that hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want, but the indictment shows that our companies do not have to stand alone against this threat. We commend Yahoo and Google for their sustained and invaluable cooperation in the investigation aimed at obtaining justice for, and protecting the privacy of their users.”
Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch said, “This is a highly complicated investigation of a very complex threat [which] underscores the value of early, proactive engagement and cooperation between the private sector and the government.”
"The Justice Department[‘s] indictment of two Russian-government agents in the Kremlin’s cyber division is a watershed moment in our efforts to counter state-directed cyber hacking campaigns. Without doubt, the tactics utilized in the Yahoo plot are a roadmap to how the Kremlin carries out its cyber hacking campaigns,” said Rep. Bennie G. Thompson (D-MS), ranking member of the House Committee on Homeland Security.
Thompson called on “Attorney General Sessions to prioritize the investigation of the cyber hacking campaign against our political institutions during the 2016 election with an eye to indicting whoever in Vladimir Putin’s government directed this unprecedented attack on our democracy.”