Two Russian Federal Security Service (FSB) officers were indicted Wednesday for what the Justice Department said amounted to directing and facilitating a massive hack on Yahoo in 2014 that compromised roughly 500 million accounts using a relatively simple method of attack.
The indictment was the first time the US had charged Russian government officials with cyber crimes, offering the clearest sign yet that Russian intelligence officials are recruiting people to engage in criminal hacking — both for personal financial gain and to spy on targets ranging from Russian journalists to private-sector employees in the American financial and transportation sectors.
“The defendants [Dmitry Dokuchaev and Igor Anatolyevich Sushchin, of the FSB, and Alexsey Alexseyevich Belan and Karim Baratov] used unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign.”
The Soufan Group, a strategic security firm that specializes in intelligence, law enforcement, and policy analysis, wrote Thursday that, while the targets of intelligence agencies and cyber criminal networks “are usually very different,” Russia has “increasingly blurred the lines between cyber-espionage and cyber crime in an unprecedented manner.”
“Examples of the convergence of malicious cyber activity by Russia include the hacking of Western political parties and groups, the curiously selective and well-timed releases by WikiLeaks — which is widely believed to be a Russian proxy — and theft from purely commercial entities such as Yahoo,” the firm wrote. “The US is hoping that the high-profile [indictments] will serve as notice to the Russian government that it has overstepped the long-accepted boundaries of espionage by purposefully veering into criminality.”
Experts aren’t surprised by this convergence. They say hiring elite criminal hackers has allowed Russian intelligence agencies like the FSB and the GRU (Russia’s military intelligence arm) both to improve their foreign espionage capabilities and keep potentially rogue hackers under government control.
Brandon Valeriano, a researcher at Cardiff University specializing in international relations and cyber coercion, said the Russians “want to maintain their control over the hackers, but they are also willing to take advantage of whatever capabilities these hackers might have.”
Ian Bremmer, president of the political risk firm Eurasia Group, largely agreed.
“Cyber crime and state espionage go hand in hand in this system,” Bremmer said in an email. “Russia has employed cyber criminals for state ends for as long as they have been hacking. This is the case for the most visible incidents like taking down government websites, but it’s also true for corporate espionage and private information theft.”
“Private hackers are a source of talent, for one thing, as well as a degree of separation and deniability between state organs and end users,” Bremmer added.
The New York Times’ Andrew Kramer reported on this phenomenon in December, writing that “for more than three years, rather than rely on military officers working out of isolated bunkers, Russian government recruiters have scouted a wide range of programmers, placing prominent ads on social media sites, offering jobs to college students and professional coders, and even speaking openly about looking in Russia’s criminal underworld for potential talent.”
“If you graduated from college, if you are a technical specialist, if you are ready to use your knowledge, we give you an opportunity,” one of these ads read, according to the Times.
As Leonid Bershidsky, founding editor of the Russian business daily publication Vedomosti, wrote in January, the dramatic arrests of two high-level FSB officers — Sergei Mikhailov, the deputy head of the FSB’s Information Security Center, and Major Dmitry Dokuchaev, a highly skilled hacker who had been recruited by the FSB — on treason charges in December offers a glimpse into “how security agencies generally operate in Putin’s Russia.”
At the time of their arrest, Dokuchaev (who was one of the Russian officials indicted for the Yahoo breach) and Mikhailov had been trying to cultivate a Russian hacking group known as “Shaltai Boltai” — or “Humpty Dumpty” — that had been publishing stolen emails from Russian officials’ inboxes, according to Russian media reports.
“The FSB team reportedly uncovered the identities of the group’s members — but, instead of arresting and indicting them, Mikhailov’s team tried to run the group, apparently for profit or political gain,” Bershidsky wrote. Shaltai Boltai complied, Bershidsky wrote, because it wanted to stay afloat, and didn’t mind taking orders from “government structures.”
“We get orders from government structures and from private individuals,” Shaltai Boltai’s alleged leader said in a 2015 interview. “But we say we are an independent team. It’s just that often it’s impossible to tell who the client is. Sometimes we get information for intermediaries, without knowing who the end client is.”
It appears that Dokuchaev and Mikhailov got caught running this side project with Shaltai Boltai — which was still targeting high-level Russian officials — when the FSB began surveilling Mikhailov. Officials targeted Mikhailov after receiving a tip that he might have been leaking information about Russian cyber activities to the FBI, according to the Novaya Gazeta.
Short of working against Russian interests, hackers “can pursue whatever projects they want, as long as their targets are outside of Russia and they follow orders from the top when needed,” said Bremmer, of Eurasia Group. The same goes for FSB officers, who are tactically allowed to “run private security operations involving blackmail and protection,” according to Bershidsky.
US intelligence agencies have concluded that the hack on the Democratic National Committee during the 2016 election was likely one such “order from the top” — a directive issued by Russian President Vladimir Putin and carried out by hackers hired by the GRU and the FSB.
It is still unclear if the Yahoo breach was directed by FSB officials at the instruction of the Kremlin, like the DNC hack, or if it was one of those “private security operations” Bershidsky alluded to that some Russian intelligence officers do on the side.
Bremmer said that it’s possible the Yahoo breach was not done for state ends, especially given the involvement of Dokuchaev, who was already caught up in Shaltai Baltai’s operations to steal and sell information for personal financial gain.
“The FSB had sought to acquire [Shaltai Boltai] as much to control a valuable commodity as to control the hackers’ activities,” Bremmer said. It is possible, and likely, however, that the FSB targeted certain accounts in the data breach in the name of collecting valuable intelligence.
“It could still be a commercial operation with FSB ties,” Bremmer said, referring to the Yahoo breach. “With the caveat that any sensitive information would be retained by security officials.”
In any case, as internet governance consultant Maria Farrell wrote late last year, “In [Putin’s] world, power is vertical. Someone is always pulling the strings.”