“For those not familiar with the FSB, it is an intelligence and law enforcement agency and a successor to the Soviet Union’s KGB. The FSB unit that the defendants worked for, the Center for Information Security, aka Center 18, is also the FBI’s point of contact in Moscow for cyber-crime matters. The involvement and direction of FSB officers with law enforcement responsibilities makes this conduct that much more egregious. There are no free passes for foreign state-sponsored criminal behavior.” (Acting Asst. AG Mary McCord, US DOJ, March 15, 2017)
The FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the U.S. and elsewhere. In the present case, they worked with co-defendants Alexsey Belan and Karim Baratov to obtain access to the email accounts of thousands of individuals. (US DOJ, March 15, 2017)
Russian President “Putin was a KGB foreign intelligence officer for 16 years, rising to the rank of lieutenant colonel before retiring in 1991 to enter politics … rising quickly through the ranks and becoming Acting President on 31 December 1999, when Yeltsin resigned.” https://en.wikipedia.org/wiki/Vladimir_Putin
On February 2nd, the Trump administration lifted sanctions which blocked the Russian FSB from getting the latest Information Technology (IT) products/updates. [Update: while some cyber-sanctions went into place ca. April 2015, it appears that the FSB itself may not have been sanctioned until Dec. 2016, though we are still searching for a list.] Access to such updates, made possible by the lifting of sanctions, facilitates Russian hacking of the US and Europe. The Trump administration seems to be effectively inviting Russia’s security services (FSB) to do more hacking.
According to UK Business Insider, “Mike Flynn was paid by Russia’s top cybersecurity firm while he still had top-secret-level security clearance,” by Natasha Bertrand, Mar. 16, 2017, 5:38 PM: “Flynn was paid for his work with both companies while he still had top-secret-level security clearance, a year after he was fired as head of the Defense Intelligence Agency, The Wall Street Journal’s Shane Harris reported.”
According to Bloomberg, the day after Trump was elected, “the FSB, Russia’s main intelligence agency, targeted the personal emails of hundreds of people, including national security experts, military officers and former White House officials, according to data provided by cyber security researchers who are tracking the spying and who asked not to be identified because of the risks of retaliation.” https://www.bloomberg.com/news/articles/2017-03-06/russian-hackers-said-to-seek-hush-money-from-liberal-u-s-groups
Since it was a Grand Jury, it would have probably been close to impossible for the Trump administration to snuff out the indictment. This sounds like the grand jury may have been working on the case for a year. “Grand jury — a group of citizens who listen to the government present evidence of criminal activity by an individual or individuals in order to determine whether there is enough evidence to justify filing an indictment charging the individual or individuals with a crime. Federal grand juries are made up of sixteen to twenty-three persons and serve for about a year, sitting one or two days a week.” http://www.fjc.gov/federal/courts.nsf/autoframe?openagent&nav=menu1&page=/federal/courts.nsf/page/221 “A grand jury may compel the production of documents and compel sworn testimony of witnesses to appear before it.” https://en.wikipedia.org/wiki/Grand_jury
From the US DOJ: “U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts FSB Officers Protected, Directed, Facilitated and Paid Criminal Hackers. A grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts. The defendants are Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident; Igor Anatolyevich Sushchin, 43, a Russian national and resident; Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident; and Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22, a Canadian and Kazakh national and a resident of Canada.
The defendants used unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign.” https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions
And, yet, the Trump Administration relaxed Obama’s “Executive Order (E.O.) 13694 of April 1, 2015 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”), as amended by E.O. 13757 of December 28, 2016 (“Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities”).” As of February 2nd, the Trump administration authorized “Requesting, receiving, utilizing, paying for, or dealing in licenses, permits, certifications, or notifications issued or registered by the Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a. FSB) for the importation, distribution, or use of information technology products in the Russian Federation,…,” thus allowing them to have access to the most recent IT products and updates: https://www.treasury.gov/resource-center/sanctions/Programs/Documents/cyber_gl1.pdf [Depending on whether the sanctions on the FSB went into effect in 2014 or Dec. 2016/Jan. 2017, they may not have had time to make an impact before Trump undermined them.]
According to this, Flynn was paid by them to speak in Washington DC, which is almost more bizarre than if it were Russia. (When he spoke at an RT event in Russia, he sat next to Putin, however.) “Kaspersky Lab explains the fee paid to Trump’s former security adviser,” 17.03.2017: https://en.crimerussia.com/gromkie-dela/kaspersky-lab-explains-the-fee-paid-to-trump-s-former-security-adviser https://en.wikipedia.org/wiki/Kaspersky_Lab
“Acting Assistant Attorney General Mary B. McCord Delivers Remarks at Press Conference Announcing Charges Against Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo
Department of Justice, Washington, DC 20530 United States ~ Wednesday, March 15, 2017
Remarks as Prepared for Delivery
Good morning and thank you all for being here. I am joined today by FBI Executive Assistant Director Paul Abbate, U.S. Attorney for the Northern District of California Brian Stretch and Office of International Affairs Director Vaughn Ary.
We are here to announce a major law enforcement action related to one of the largest data breaches in U.S. history.
Today, we are announcing the indictment of four individuals responsible for the 2014 hack into the network of email provider Yahoo, the theft of information about at least 500 million Yahoo accounts and the use of that information to obtain the contents of accounts at Yahoo and other email providers.
The defendants include two officers of the Russian Federal Security Service (FSB), an intelligence and law enforcement agency of the Russian Federation and two criminal hackers with whom they conspired to accomplish these intrusions.
Dmitry Dokuchaev and Igor Sushchin, both FSB officers, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the United States and elsewhere.
They worked with co-conspirators Alexsey Belan and Karim Baratov to hack into computers of American companies providing email and internet-related services, to maintain unauthorized access to those computers and to steal information, including information about individual users and the private contents of their accounts.
The defendants targeted Yahoo accounts of Russian and U.S. government officials, including cyber security, diplomatic and military personnel. They also targeted Russian journalists; numerous employees of other providers whose networks the conspirators sought to exploit; and employees of financial services and other commercial entities.
Belan has been indicted twice before in the United States for three intrusions into e-commerce companies that victimized millions of customers, and he has been one of the FBI’s most wanted cyber criminals for more than three years.
Belan’s notorious criminal conduct and a pending Interpol Red Notice did not stop the FSB officers who, instead of detaining him, used him to break into Yahoo’s networks.
Meanwhile, Belan used his relationship with the two FSB officers and his access to Yahoo to commit additional crimes to line his own pockets with money.
Specifically, Belan used his access to Yahoo to search for and steal financial information, such as gift card and credit card numbers, from users’ email accounts.
He also gained access to more than 30 million Yahoo accounts, whose contacts were then stolen to facilitate an email spam scheme.
With these charges, the Department of Justice is continuing to send the powerful message that we will not allow individuals, groups, nation states or a combination of them to compromise the privacy of our citizens, the economic interests of our companies, or the security of our country.
For those not familiar with the FSB, it is an intelligence and law enforcement agency and a successor to the Soviet Union’s KGB. The FSB unit that the defendants worked for, the Center for Information Security, aka Center 18, is also the FBI’s point of contact in Moscow for cyber-crime matters.
The involvement and direction of FSB officers with law enforcement responsibilities makes this conduct that much more egregious. There are no free passes for foreign state-sponsored criminal behavior.
Through the work of the National Security Division, the FBI and U.S. Attorney’s Offices around the country, we continue to pursue national security cyber threats, using all available tools to investigate malicious activity and attribute it to the country, agency and even individuals involved.
When possible, and supported by the evidence, we intend to charge those individuals and bring them to justice.
As I wrap up, I am also pleased to announce that a fourth co-conspirator charged in the indictment, Karim Baratov, was arrested just yesterday in Canada on a U.S. government provisional arrest warrant.
I’d like to thank all of those who worked diligently to bring the investigation to this point, including the men and women of the National Security Division, the FBI, the U.S. Attorney’s Office for the Northern District of California and the Criminal Division’s Office of International Affairs for their tireless work.
I’d also like to thank Yahoo and Google, whose customers were targeted, and who cooperated with us. It is very important for corporations around the country to know, when you are going against the resources and backing of a nation state, it is not a fair fight, and it is not a fight you are likely to win alone. But you do not have to go it alone. We can put the full capabilities of the United States behind you to make cases like this, but we cannot do it without your help.
At this time, I’d like to introduce FBI Executive Assistant Director Paul Abbate, who will provide additional details on today’s announcement.
Topic: Counterintelligence and Export Control
National Security Division (NSD)
Speaker: Acting Assistant Attorney General for National Security Mary B. McCord”
Did Yahoo or its users depend on Kaspersky for security, and did Kaspersky enable the hacking?
[Update: While cyber-sanctions were called for as of April 2015, it appears that sanctions were (rather stupidly) not issued against the FSB until December 2016 or January 2017. The Trump administration did away with these important sanctions on February 2, 2017. In this context, blah, blah about cyber-security at the Russian hearing on Monday are somewhat silly. While access to IT products can be had by some Russians living in the US or Europe and copies might be made, pirated copies are not as good. Undermining these sanctions allows the FSB to spread the latest US IT products about widely, meaning that more can work more easily on hacking these products. And, spread they will. When Russia arrested Greenpeace activists, there were lots of Russian government visits to our blog site. If they give so much attention to an unimportant blogger, imagine the attention to important people. It may be worth noting that the person who signed the lifting of the sanctions used to work for a firm with an office in Russia]
In early February, when Michael Flynn was still Trump’s National Security Advisor, the US eased sanctions on the FSB. As excerpted from RFERL.org:
“U.S. Treasury Eases License Sanctions On Russia’s FSB
February 02, 2017 Mike Eckel, Carl Schreck WASHINGTON — … The directive, issued on February 2 by the department’s Office of Foreign Assets Control, comes as the agency, the Federal Security Service (FSB), is under close scrutiny for its alleged interference in last year’s U.S. presidential election.
U.S. intelligence agencies concluded in a report last month that Moscow sought to influence the election won by Republican Donald Trump by breaching computer servers and political-party e-mail accounts, as well as through propaganda. http://www.rferl.org/a/28217875.html. Eight days prior to the report’s release, then-President Barack Obama announced new sanctions against the agency, along with Russia’s military intelligence agency (GRU) and several related entities, in retaliation for the alleged hacking. http://www.rferl.org/a/us-russia-new-sanctions-over-hacking/28204378.html
Still, the decision comes at a time of heightened scrutiny about the FSB, the GRU, and other Russian security agencies and their purported activities in the United States.
The new administration also faces persistent concerns over Trump’s past statements that he wants to improve relations with Moscow that were badly strained over the conflicts in Ukraine and Syria.
In Moscow, there was no immediate official response to the announcement, but Nikolai Kovalyov, a lawmaker and former FSB director, said it was an indication that the Trump administration wanted to work more closely with Russia on fighting terrorism and other matters.” http://www.rferl.org/a/u-s-eases-sanction-fsb-russia/28275715.html.
More of the US DOJ Press Release excerpted toward the top of this blog:
“U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts FSB Officers Protected, Directed, Facilitated and Paid Criminal Hackers
A grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts. The defendants are Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident; Igor Anatolyevich Sushchin, 43, a Russian national and resident; Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident; and Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22, a Canadian and Kazakh national and a resident of Canada.
The defendants used unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign.
The charges were announced by Attorney General Jeff Sessions of the U.S. Department of Justice, Director James Comey of the FBI, Acting Assistant Attorney General for National Security Mary McCord, U.S. Attorney Brian Stretch for the Northern District of California and Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch.
“Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history,” said Attorney General Sessions. “But thanks to the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners, today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law.”
“Today we continue to pierce the veil of anonymity surrounding cyber crimes,” said Director Comey. “We are shrinking the world to ensure that cyber criminals think twice before targeting U.S. persons and interests.”
“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale,” said Acting Assistant Attorney General McCord.
“Once again, the Department and the FBI have demonstrated that hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want, but the indictment shows that our companies do not have to stand alone against this threat. We commend Yahoo and Google for their sustained and invaluable cooperation in the investigation aimed at obtaining justice for, and protecting the privacy of their users.”
“This is a highly complicated investigation of a very complex threat. It underscores the value of early, proactive engagement and cooperation between the private sector and the government,” said Executive Assistant Director Abbate. “The FBI will continue to work relentlessly with our private sector and international partners to identify those who conduct cyber-attacks against our citizens and our nation, expose them and hold them accountable under the law, no matter where they attempt to hide.”
“Silicon Valley’s computer infrastructure provides the means by which people around the world communicate with each other in their business and personal lives. The privacy and security of those communications must be governed by the rule of law, not by the whim of criminal hackers and those who employ them. People rightly expect that their communications through Silicon Valley internet providers will remain private, unless lawful authority provides otherwise. We will not tolerate unauthorized and illegal intrusions into the Silicon Valley computer infrastructure upon which both private citizens and the global economy rely,” said U.S. Attorney Stretch.
“Working closely with Yahoo and Google, Department of Justice lawyers and the FBI were able to identify and expose the hackers responsible for the conduct described today, without unduly intruding into the privacy of the accounts that were stolen. We commend Yahoo and Google for providing exemplary cooperation while zealously protecting their users’ privacy.”
Summary of Allegations
According to the allegations of the Indictment:
The FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the U.S. and elsewhere. In the present case, they worked with co-defendants Alexsey Belan and Karim Baratov to obtain access to the email accounts of thousands of individuals.
Belan had been publicly indicted in September 2012 and June 2013 and was named one of FBI’s Cyber Most Wanted criminals in November 2013. An Interpol Red Notice seeking his immediate detention has been lodged (including with Russia) since July 26, 2013. Belan was arrested in a European country on a request from the U.S. in June 2013, but he was able to escape to Russia before he could be extradited.
Instead of acting on the U.S. government’s Red Notice and detaining Belan after his return, Dokuchaev and Sushchin subsequently used him to gain unauthorized access to Yahoo’s network. In or around November and December 2014, Belan stole a copy of at least a portion of Yahoo’s User Database (UDB), a Yahoo trade secret that contained, among other data, subscriber information including users’ names, recovery email accounts, phone numbers and certain information required to manually create, or “mint,” account authentication web browser “cookies” for more than 500 million Yahoo accounts.
Belan also obtained unauthorized access on behalf of the FSB conspirators to Yahoo’s Account Management Tool (AMT), which was a proprietary means by which Yahoo made and logged changes to user accounts. Belan, Dokuchaev and Sushchin then used the stolen UDB copy and AMT access to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 such accounts without authorization.
Some victim accounts were of predictable interest to the FSB, a foreign intelligence and law enforcement service, such as personal accounts belonging to Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; and numerous employees of other providers whose networks the conspirators sought to exploit. However, other personal accounts belonged to employees of commercial entities, such as a Russian investment banking firm, a French transportation company, U.S. financial services and private equity firms, a Swiss bitcoin wallet and banking firm and a U.S. airline.
During the conspiracy, the FSB officers facilitated Belan’s other criminal activities, by providing him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by U.S. and other law enforcement agencies outside Russia, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers.
Additionally, while working with his FSB conspirators to compromise Yahoo’s network and its users, Belan used his access to steal financial information such as gift card and credit card numbers from webmail accounts; to gain access to more than 30 million accounts whose contacts were then stolen to facilitate a spam campaign; and to earn commissions from fraudulently redirecting a subset of Yahoo’s search engine traffic.
When Dokuchaev and Sushchin learned that a target of interest had accounts at webmail providers other than Yahoo, including through information obtained as part of the Yahoo intrusion, they tasked their co-conspirator, Baratov, a resident of Canada, with obtaining unauthorized access to more than 80 accounts in exchange for commissions. On March 7, the Department of Justice submitted a provisional arrest warrant to Canadian law enforcement authorities, requesting Baratov’s arrest. On March 14, Baratov was arrested in Canada and the matter is now pending with the Canadian authorities.
An indictment is merely an accusation, and a defendant is presumed innocent unless proven guilty in a court of law.
The FBI, led by the San Francisco Field Office, conducted the investigation that resulted in the charges announced today. The case is being prosecuted by the U.S. Department of Justice National Security Division’s Counterintelligence and Export Control Section and the U.S. Attorney’s Office for the Northern District of California, with support from the Justice Department’s Office of International Affairs.
Defendants: At all times relevant to the charges, the Indictment alleges as follows:
* Dmitry Aleksandrovich Dokuchaev, 33, was an officer in the FSB Center for Information Security, aka “Center 18.” Dokuchaev was a Russian national and resident.
* Igor Anatolyevich Sushchin, 43, was an FSB officer, a superior to Dokuchaev within the FSB, and a Russian national and resident. Sushchin was embedded as a purported employee and Head of Information Security at a Russian investment bank.
* Alexsey Alexseyevich Belan, aka “Magg,” 29, was born in Latvia and is a Russian national and resident. U.S. Federal grand juries have indicted Belan twice before, in 2012 and 2013, for computer fraud and abuse, access device fraud and aggravated identity theft involving three U.S.-based e-commerce companies and the FBI placed Belan on its “Cyber Most Wanted” list. Belan is currently the subject of a pending “Red Notice” requesting that Interpol member nations (including Russia) arrest him pending extradition. Belan was also one of two criminal hackers named by President Barack Obama on Dec. 29, 2016, pursuant to Executive Order 13694, as a Specially Designated National subject to sanctions.
* Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22. He is a Canadian and Kazakh national and a resident of Canada.
Victims: Yahoo; more than 500 million Yahoo accounts for which account information was stolen by the defendants; more than 30 million Yahoo accounts for which account contents were accessed without authorization to facilitate a spam campaign; and at least 18 additional users at other webmail providers whose accounts were accessed without authorization.
Time Period: As alleged in the Indictment, the conspiracy began at least as early as 2014 and, even though the conspirators lost their access to Yahoo’s networks in September 2016, they continued to utilize information stolen from the intrusion up to and including at least December 2016.” Read more here: https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions It was apparently Italy which let him loose, suggesting a Russian-Italian organized crime link.
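The allegations above turn on a design failure: a stolen copy of the User Database contained the material needed to “mint” authentication cookies for any account. The following is an added example written for this post in Python, not Yahoo’s actual implementation; the UDB field names and the HardenedIssuer class are hypothetical. It places the weak design beside a hardened one in which the signing key never enters the user database and sessions expire, can be revoked, and are all voided by key rotation.

```python
"""Toy model of cookie minting (added example, not Yahoo's scheme): a weak design
where a stolen UDB copy suffices to mint any cookie, beside a hardened one."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample UDB rows (hypothetical fields, not Yahoo's schema).
UDB = {
    "alice": {"recovery_email": "alice@example.org", "cookie_secret": "udb-secret-alice"},
    "bob": {"recovery_email": "bob@example.org", "cookie_secret": "udb-secret-bob"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def weak_mint(user: str, udb: dict) -> str:
    """Weak: cookie = user.HMAC(per-user secret stored in the UDB, user)."""
    key = udb[user]["cookie_secret"].encode()
    return f"{user}.{_b64(hmac.new(key, user.encode(), hashlib.sha256).digest())}"

def weak_verify(cookie: str, udb: dict):
    """Returns the user for a valid weak cookie; a UDB copy is all a forger needs."""
    user, _, tag = cookie.partition(".")
    if user not in udb:
        return None
    expected = weak_mint(user, udb).split(".", 1)[1]
    return user if hmac.compare_digest(expected, tag) else None

class HardenedIssuer:
    """Signing key lives outside the UDB (e.g. a KMS/HSM); sessions are server-side."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._sessions = {}  # session id -> (user, expires_at)

    def _sign(self, payload: bytes) -> str:
        return _b64(hmac.new(self._key, payload, hashlib.sha256).digest())

    def issue(self, user: str, now: int, ttl: int = 3600) -> str:
        sid = _b64(secrets.token_bytes(16))
        self._sessions[sid] = (user, now + ttl)
        payload = json.dumps({"sid": sid, "exp": now + ttl}).encode()
        return f"{_b64(payload)}.{self._sign(payload)}"

    def verify(self, cookie: str, now: int):
        """Returns the user, or None if forged, tampered, expired or revoked."""
        body, _, tag = cookie.partition(".")
        try:
            payload = _unb64(body)
        except ValueError:
            return None
        if not hmac.compare_digest(self._sign(payload), tag):
            return None  # signed with the wrong key, or payload altered
        claims = json.loads(payload)
        session = self._sessions.get(claims["sid"])
        if session is None or now >= claims["exp"] or now >= session[1]:
            return None  # unknown or revoked session, or past expiry
        return session[0]

    def revoke_user(self, user: str) -> int:
        """Targeted response: drop every live session of one account."""
        doomed = [sid for sid, (u, _) in self._sessions.items() if u == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def rotate_key(self) -> None:
        """Incident response: new key + empty session table voids every cookie,
        bounding how long data from a breach stays useful."""
        self._key = secrets.token_bytes(32)
        self._sessions.clear()

def forge_with_udb_only(user: str, stolen_udb: dict, now: int) -> str:
    """A UDB copy against the hardened design: the only secret it holds is never used by the server."""
    payload = json.dumps({"sid": "guess", "exp": now + 3600}).encode()
    key = stolen_udb[user]["cookie_secret"].encode()
    return f"{_b64(payload)}.{_b64(hmac.new(key, payload, hashlib.sha256).digest())}"
```

The contrast the press release describes (access lost in September 2016, stolen data still usable in December 2016) is what the expiry, revocation and rotation paths in HardenedIssuer are meant to bound.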
“Grand jury is a legal body empowered to conduct official proceedings and investigate potential criminal conduct, and determine whether criminal charges should be brought. A grand jury may compel the production of documents and compel sworn testimony of witnesses to appear before it.” https://en.wikipedia.org/wiki/Grand_jury
EMPHASIS ADDED THROUGHOUT.