Some made much of “Russians hacking Yahoo”. Now, you don’t hear as much about it. I’d say it’s because the Russian hackers ran a “roll-your-own” criminal enterprise… it wasn’t an official act by the FSB, after all. It just goes to show you that peevishly cutting contacts with someone for no good reason always ends badly. Both the USA and Russia have a common interest in catching cyber-crooks. Perhaps, we can return to sanity, God willing…
The naming of Dmitri Dokuchaev in both the Moscow cyber-arrests and the Yahoo case suggests the USA and Russia may unwittingly be on the track of the same criminal gang. Earlier this year, reports appeared in the Russian media of a series of arrests of FSB officers and cyber-specialists, including Ruslan Stoyanov, an employee of Russia’s top cybersecurity company, Kaspersky Lab. Subsequently, it came out that some of them (at least) faced treason charges, for the case supposedly involved the USA, with Stoyanov supposedly charged with passing on Russian state secrets to Verigin, a US company. Following the arrests, numerous reports circulated speculating that these arrests were somehow connected to the hacking of John Podesta’s and the DNC’s computers. Some sections of the Western media made claims… strongly denied by Russia… that the individuals arrested were the ones who had carried out the hacking of John Podesta’s and the DNC’s computers. Others, rather more plausibly, speculated that those arrested were some of the informers who provided information to the USA that the US intelligence community used to support its claims of Russian responsibility for the Podesta and DNC hacks.
The case of the arrested FSB officers in Moscow has taken an extraordinary new twist with the US Department of Justice bringing charges against a group of four Russian cyber-criminals, who according to the US Department of Justice’s report, are being charged with:
the 2014 hack into the network of email provider Yahoo, the theft of information about at least 500 million Yahoo accounts and the use of that information to get the contents of accounts at Yahoo and other email providers.
What makes the Yahoo case interesting is that the Department of Justice is saying that two of the individuals charged are FSB officers. The Department of Justice identifies them as follows:
The defendants include two officers of the Russian Federal Security Service (FSB), an intelligence and law enforcement agency of the Russian Federation and two criminal hackers with whom they conspired to accomplish these intrusions. Dmitri Dokuchaev and Igor Sushchin, both FSB officers, protected, directed, facilitated, and paid criminal hackers to collect information through computer intrusions in the USA and elsewhere. They worked with co-conspirators Aleksei Belan and Karim Baratov to hack into computers of American companies providing email and internet-related services, to maintain unauthorised access to those computers, and to steal information, including information about users and the private contents of their accounts. The defendants targeted Yahoo accounts of Russian and US government officials, including cybersecurity, diplomatic, and military personnel. They also targeted Russian journalists; numerous employees of other providers whose networks the conspirators sought to exploit; and employees of financial services and other commercial entities.
Dmitri Dokuchaev, one of the FSB officers charged by the US Justice Department in the Yahoo hack, appears to be the same Dmitri Dokuchaev arrested in Moscow in the treason case, and whom the London Times described… obviously based on information obtained from British intelligence sources… as “a cyber-spy and former hacker”. The fact that the same man… Dmitri Dokuchaev… faces charges simultaneously in both cases, the one in Washington and the one in Moscow makes it at least possible that the two cases… the Yahoo case in Washington and the treason case in Moscow… are in some way connected, and may involve the same group of cyber-criminals. Importantly, the Department of Justice’s and the FBI’s claims about Dokuchaev and Sushchin, the two FSB officers charged in the Yahoo case, don’t necessarily point to them undertaking an intelligence operation on behalf of the Russian government. Though the wording isn’t completely clear, it isn’t inconsistent with Dokuchaev and Sushchin running a rogue operation for the purpose of self-enrichment. Here is what the Department of Justice report has to say about them:
Belan’s notorious criminal conduct and a pending Interpol Red Notice didn’t stop the FSB officers who, instead of detaining him, used him to break into Yahoo’s networks. Meanwhile, Belan used his relationship with the two FSB officers and his access to Yahoo to commit additional crimes to line his own pockets with money. For those not familiar with the FSB, it’s an intelligence and law enforcement agency and a successor to the USSR’s KGB. The FSB unit that the defendants worked for, the Centre for Information Security, AKA Center 18, is also the FBI’s point of contact in Moscow for cybercrime matters. The involvement and direction of FSB officers with law enforcement responsibilities makes this conduct that much more egregious. There are no free passes for foreign state-sponsored criminal behaviour.
This appears to suggest that the Department of Justice believes that Dokuchaev and Sushchin recruited Belan to carry out illegal hacks of US companies on behalf of the FSB and that Belan used the protection this gave him to carry out more illegal hacks to enrich himself and them. However, it’s equally or perhaps more likely that Dokuchaev and Sushchin were Belan’s accomplices in a series of crimes carried out on their own initiative. After all, it’s hardly unusual for criminals to enlist the services of corrupt law enforcement officers to help them carry out their crimes. Such a thing undoubtedly happens in Russia, just as it happens in most other places. What the FBI itself says about him strongly suggests that Dokuchaev (at least) was a corrupt FSB officer involved in a rogue operation. Here’s the information the FBI provided about his activities, which appeared in the Most Wanted Notice the FBI issued about him:
• Conspiring to Commit Computer Fraud and Abuse
• Accessing a Computer Without Authorisation for the Purpose of Commercial Advantage and Private Financial Gain
• Damaging a Computer Through the Transmission of Code and Commands
• Economic Espionage
• Theft of Trade Secrets
• Access Device Fraud
• Aggravated Identity Theft
• Wire Fraud
The words “purpose of commercial advantage and private financial gain” point clearly to a rogue criminal operation and not an official state-sponsored one. What the FBI has to say about Dokuchaev’s alleged accomplice Igor Sushchin in its Most Wanted Notice about him strongly suggests that the FBI’s knowledge of the case still has gaps:
Sushchin has Russian citizenship and is known to hold a Russian passport. Sushchin is alleged to be a Russian Federal Security Service (FSB) Officer of unknown rank. In addition to working for the FSB, he is alleged to have served as Head of Information Security for a Russian company, providing information about employees of that company to the FSB. He was last known to be in Moscow, Russia.
These comments about Sushchin cast doubt on whether Sushchin really is an FSB officer. The FBI says that Sushchin is simultaneously an officer of the FSB and the head of information security at a Russian company. Moonlighting in the private sector was a common practice for FSB officers in the chaotic 1990s. It’s hardly conceivable today. It seems more likely that Sushchin is head of information security for a Russian company, but that because of his relationship with Dokuchaev, the FBI supposes him to be an FSB officer. Its Most Wanted Notice about Sushchin shows that the FBI doesn’t know that Sushchin actually is an FSB officer. It merely guesses he is, and on the facts that the FBI itself provides, it’s probably wrong. To add to the uncertainty there is a question mark about Dokuchaev’s own role within the FSB. According to reports in Russia, Dokuchaev isn’t a conventional FSB officer at all, but he’s rather a notorious former hacker and cyber-criminal blackmailed by the FSB into working for them. Here is what the Moscow-based Moscow Times has to say about him:
Major Dmitri Dokuchaev, one of four cyber-security experts arrested by the Kremlin on charges of treason, has allegedly been revealed as an infamous Russian hacker. Dokuchaev worked as a hacker under the alias “Forb” until Russia’s Federal Security Service (FSB) threatened to jail him, an unverified source told the RBC newspaper. “Forb” gave an interview to the Russian newspaper Vedomosti in 2004, revealing that he specialised in “hacking on request” and stealing money from bank cards… an occupation which he said could earn him anywhere between 5,000 to 30,000 USD (286,100 to 1.717 million Roubles; 34,540 to 207,250 Renminbi; 327,390 to 1.965 million INR; 6,669 to 40,010 CAD; 6,502 to 39,010 AUD; 4,650 to 27,900 Euros; 4,033 to 24,200 UK Pounds) a month. He also claimed that he had carried out a successful attack on US government infrastructure. The FSB ultimately traced Dokuchaev to the card thefts, and threatened to prosecute the hacker unless he agreed to work for the agency, the source alleged.
If what the Moscow Times article says is true (and the story looks well-sourced) then Dokuchaev’s criminal past makes it even more plausible that what he engaged in was a rogue criminal operation not officially sanctioned by the FSB. Recruiting a notorious cyber-criminal to track down other cyber-criminals is a strange idea, but hardly unique in the world of law-enforcement. Possibly the FSB, lacking its own trained cyber-specialists as a result of the crisis of the 1990s, looked to people like Dokuchaev to fill its ranks quickly. If so, then, this has now come back to bite it, with another FSB officer… Sergei Mikhailov, the deputy head of the FSB’s security information centre (the FSB department for which the US Justice Department says Dokuchaev worked), who may have been Dokuchaev’s superior and line manager… seemingly also implicated in Dokuchaev’s activities.
This is a tangled web. However, if we put together what is known about the case in Moscow with what is now known about the case in Washington, then, it’s at least possible that this is a case of two parallel investigations into the activities of the same gang. Belan and Dokuchaev would presumably be the ringleaders, but it seems that Dokuchaev succeeded in involving at least one other person (Mikhailov) within the FSB as well. Supporting the theory that the treason case in Moscow and the Yahoo case in Washington are the products of two parallel investigations into the activities of the same gang, is a report carried by TASS of the comments of a lawyer familiar with the Moscow case. The lawyer reportedly said the following:
The CIA isn’t mentioned in the case. Only the country is mentioned. Yes, the talk is about America, not about the CIA.
When I previously discussed this comment in an article written on 2 February 2017, I assumed it referred to the passing of classified information to the US intelligence community, if not to the CIA itself. I overlooked the fact that the lawyer’s comment has no hint of this. Instead, the lawyer merely said, “the talk is about America”. His words are equally consistent with data theft from the USA as with information transfer to the USA. It’s likely that both took place. If the cases in Moscow and Washington involve the activities of the same gang of cyber-criminals, then, it seems that they were equally happy to steal information from the USA and to steal information from Russia and sell it to the USA. That would explain the claim about the passing of classified information to Verigin, with which Stoyanov is charged, which is presumably what lies behind the treason charges. However, in any case, the motive for the gang’s activities would have been the same… the classic criminal one… to make money. As it happens, the US Justice Department confirmed in its report the fact that the gang was targeting Russians as well as Americans:
The defendants targeted Yahoo accounts of Russian and US government officials, including cybersecurity, diplomatic, and military personnel. They also targeted Russian journalists; numerous employees of other providers whose networks the conspirators sought to exploit; and employees of financial services and other commercial entities.
Much is murky about this affair. Although the known facts do suggest that the arrests in Moscow and the charges in Washington concern the same gang or at least the same people, that isn’t yet absolutely certain, and it could be that Dokuchaev, who figures so prominently in both cases, spread his net wide and involved more than one gang in his activities. However, if the two cases do involve the same gang, then, unfortunately, it’s all too clear from the information trickling out of both Washington and Moscow that the relevant law enforcement agencies of the USA and Russia aren’t cooperating with each other and are completely uninformed and possibly even unaware of each other’s investigations. If so, then, that’s regrettable, since it can only increase the chance that the two investigations would work against each other and at cross-purposes, as in fact seems to be the case.
At this point, however, one can make a few points with confidence. Firstly, it’s clear that the Moscow arrests have absolutely nothing to do with the hacking of the computers of John Podesta and the DNC. The case in Moscow is a criminal investigation into the activities of a gang of cyber-criminals, who practised criminal activity for financial gain. They may be and probably are the same gang the US Justice Department and the FBI say is behind the Yahoo hack. Regardless, all the stories claiming that the Moscow case somehow has connections to the DNC and Podesta leaks are wrong. Secondly, the claims in the Russian media that the arrests in Moscow had something to do with the Shaltay Boltai hacking group are also clearly wrong. In that case, the confusion is understandable. It seems there’s a wholly separate investigation into the Shaltay Boltai group going on as well. Unsurprisingly, some journalists in Moscow have confused the two, failing to realise that they are two wholly distinct investigations into two different groups of people. Thirdly, if the investigations in Washington and Moscow are, indeed, parallel investigations into the activities of the same gang, then, this shows the huge damage done by the severing of contacts between the US and Russian law enforcement agencies carried out by the Obama administration.
Instead of pooling information to track down and prosecute the same gang of cyber-criminals, they’re conducting two wholly separate and rival investigations in two different countries, which quite possibly involve the same gang. The result is that neither investigation is getting all the facts. Worse, the potential for conflict and misunderstanding between Washington and Moscow has increased. Both Washington and Moscow seem to be convinced that what looks to be the same gang was working for the intelligence agencies of the other side. The result is that the USA and Russia are blaming each other for the gang’s activities whilst protesting… correctly… their own innocence.
Perhaps, one day, if Trump finally comes through with his proposed détente with Russia, we’d avoid this sort of muddle and recrimination. If so, then, coöperation between the law enforcement agencies of the two countries would be a further important step in reducing misunderstandings and improving relations. However, until that happens, the sort of confusion, misunderstanding, and exchange of blame and recriminations we’re now seeing will continue unabated.
17 March 2017