
Karim Baratov’s only getting five years in jail out of an apparent maximum possible of 39 1/2 years. “As part of his plea agreement, Baratov not only admitted to agreeing and attempting to hack at least 80 webmail accounts on behalf of one of his FSB co-conspirators, but also to hacking more than 11,000 webmail accounts in total from in or around 2010 until his March 2017 arrest by Canadian authorities….” https://www.justice.gov/opa/pr/international-hacker-hire-who-conspired-and-aided-russian-fsb-officers-sentenced-60-months

“For those not familiar with the FSB, it is an intelligence and law enforcement agency and a successor to the Soviet Union’s KGB. The FSB unit that the defendants worked for, the Center for Information Security, aka Center 18, is also the FBI’s point of contact in Moscow for cyber-crime matters. The involvement and direction of FSB officers with law enforcement responsibilities makes this conduct that much more egregious. There are no free passes for foreign state-sponsored criminal behavior.” (Acting Asst. AG Mary McCord, US DOJ, March 15, 2017)

The FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the U.S. and elsewhere. In the present case, they worked with co-defendants Alexsey Belan and Karim Baratov to obtain access to the email accounts of thousands of individuals. (US DOJ, March 15, 2017)

Russian President “Putin was a KGB foreign intelligence officer for 16 years, rising to the rank of lieutenant colonel before retiring in 1991 to enter politics … rising quickly through the ranks and becoming Acting President on 31 December 1999, when Yeltsin resigned.” https://en.wikipedia.org/wiki/Vladimir_Putin

See more here: https://miningawareness.wordpress.com/2017/03/20/us-grand-jury-indicted-officers-of-the-russian-security-service-fsb-for-cybercrimes-trump-relaxed-sanctions-against-fsb-re-it-cyber-products-trump-advisor-flynn-paid-to-speak-by-russias-kasper/

There are a lot of hints in this indictment about who was hacked and why:

“From at least in or about 2014 up to and including at least in or about December 2016, officers of the Russian Federal Security Service (“FSB”), an intelligence and law enforcement agency of the Russian Federation (“Russia”) headquartered in Lubyanka Square, Moscow, Russia, and a successor service to the Soviet Union’s Committee of State Security (“KGB”), conspired together and with each other to protect, direct, facilitate, and pay criminal hackers to collect information through computer intrusions in the United States and elsewhere. The FSB officers, defendants DMITRY DOKUCHAEV, IGOR SUSHCHIN, and others known and unknown to the Grand Jury, directed the criminal hackers, defendants ALEXSEY BELAN, KARIM BARATOV, and others known and unknown to the Grand Jury (collectively, the “conspirators”), to gain unauthorized access to the computers of companies providing webmail and internet-related services located in the Northern District of California and elsewhere, to maintain unauthorized access to those computers, and to steal information from those computers, including information regarding, and communications of, the providers’ users.

2. In some cases, the conspirators sought unauthorized access to information of predictable interest to the FSB. For example, as described in more detail below, the conspirators sought access to the Yahoo, Inc. (“Yahoo”) email accounts of Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; and numerous employees of U.S., Russian, and other foreign webmail and internet-related service providers whose networks the conspirators sought to further exploit.

3. In other cases, the conspirators sought access to accounts of employees of commercial entities, including executives and other managers of a prominent Russian investment banking firm (the “Russian Financial Firm”); a French transportation company; U.S. financial services and private equity firms; a Swiss bitcoin wallet and banking firm; and a U.S. airline.

6. When the FSB officers, SUSHCHIN and DOKUCHAEV, learned that a target of interest had email accounts at webmail providers other than Yahoo, including through information gained from the Yahoo intrusion, they would task BARATOV to access the target’s account at the other providers.

When BARATOV was successful, as was often the case, his handling FSB officer, DOKUCHAEV, paid him a bounty.

7. For example, SUSHCHIN, DOKUCHAEV, and BARATOV sought access to the Google, Inc. (“Google”) webmail accounts of:

a. an assistant to the Deputy Chairman of the Russian Federation;
b. an officer of the Russian Ministry of Internal Affairs;
c. a physical training expert working in the Ministry of Sports of a Russian republic; and
d. others, including additional examples described below.

[…]
KARIM BARATOV, also known as “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” was a Canadian national and resident. He was a criminal hacker and associate of DOKUCHAEV. BARATOV assisted DOKUCHAEV by carrying out his hacking assignments.

BARATOV’s photograph is attached as Exhibit D.
[…]
The Google and Other Account Intrusions

42. During the same period that DOKUCHAEV, SUSHCHIN, and BELAN were committing intrusions into the Yahoo computer network and the accounts of individual Yahoo users, DOKUCHAEV and SUSHCHIN were directing BARATOV to access individual accounts provided by Google, the Russian Webmail Provider, and other webmail providers. For example, the conspirators sought unauthorized access to the accounts of:

a. An assistant to the Deputy Chairman of the Russian Federation;

b. A managing director, a former sales officer, and a researcher, all of whom worked for a major Russian cyber security firm;

c. An officer of the Russian Ministry of Internal Affairs assigned to that Ministry’s “Department K,” its “Bureau of Special Technical Projects,” which investigates cyber, high technology, and child pornography crimes;

d. A physical training expert working in the Ministry of Sports of a Russian republic; and

e. A Russian official who was both Chairman of a Russian Federation Council committee and a senior official at a major Russian transport corporation.

43. In some cases, DOKUCHAEV and SUSHCHIN identified target accounts based on information obtained through unauthorized access to Yahoo’s network and its users’ accounts. For example, on or about October 9, 2014, the conspirators accessed records for account ******as@yahoo.com in the AMT, associated with the CEO of a metals industry holding company in a country bordering Russia. Using the AMT, they changed the Yahoo user’s recovery email account to an account controlled by DOKUCHAEV; then, approximately five minutes later, DOKUCHAEV falsely verified the change by clicking on an email link automatically generated by Yahoo. DOKUCHAEV then changed the account password. The next day, on or about October 10, 2014, DOKUCHAEV asked BARATOV to gain access to ******as@gmail.com, the account that had served as ******as@yahoo.com’s recovery email account until DOKUCHAEV’s change the day before.

44. Also on or about October 9, 2014, DOKUCHAEV sought unauthorized access to account ********ov@yahoo.com, belonging to a prominent banker and university trustee in a country bordering Russia. DOKUCHAEV changed the recovery account to one DOKUCHAEV controlled and changed the victim account password. Then, on or about October 10, 2014, DOKUCHAEV tasked BARATOV with gaining unauthorized access to ********ov@gmail.com, the account that had served as ********ov@yahoo.com’s recovery email account until DOKUCHAEV’s change the day before.

45. In other instances, the conspirators used their unauthorized access to Yahoo’s network to obtain additional information about individuals who controlled accounts at other webmail providers to which the conspirators sought unauthorized access. For example,

a. On or about February 25, 2016, the conspirators gained unauthorized access to information in the AMT regarding a Yahoo account belonging to an International Monetary Fund official. One week later, on or about March 2, 2016, the conspirators gained access to that account by minting a cookie. That same day, the conspirators searched within that Yahoo user account for a particular Google account belonging to a managing director of a finance and banking company in a country bordering Russia.

Then, on or about March 24, 2016, DOKUCHAEV tasked BARATOV with gaining unauthorized access to that Google account.

b. In another example, on or about March 2, 2016, the conspirators searched a Yahoo account belonging to an advisor to a senior official in a country bordering Russia, for “************va@gmail.com,” an email account belonging to a prominent business woman from that country. Then, on or about March 24, 2016, DOKUCHAEV tasked BARATOV with gaining access to the same, searched-for Google account, ************va@gmail.com.

46. SUSHCHIN also identified accounts to target that were associated with the Russian Financial Firm. For example, in or around April 2015, SUSHCHIN sent DOKUCHAEV a list of email accounts associated with Russian Financial Firm personnel and family members to target, including Google accounts. During these April 2015 communications, SUSHCHIN identified a Russian Financial Firm employee to DOKUCHAEV as the “main target.” Also during these April 2015 communications, SUSHCHIN forwarded to DOKUCHAEV an email sent by that “main target’s” wife to a number of other Russian Financial Firm employees. SUSHCHIN added the cover note “this may be of some use.”

In another example, between in or about December 2015 and May 2016, SUSHCHIN directed DOKUCHAEV, who in turn directed BARATOV, to obtain unauthorized access to the Google and other accounts of Victims A and B and their family (discussed in paragraph 34.b above).

47. During the conspiracy DOKUCHAEV tasked BARATOV with obtaining unauthorized access to at least 80 identified email accounts, including at least 50 identified Google accounts.

48. BARATOV knowingly and with intent to defraud sought unauthorized access to Google and other accounts on behalf of DOKUCHAEV and SUSHCHIN through techniques such as spear phishing. He created and maintained multiple email accounts for the purpose of sending spear phishing emails to victims that he targeted at DOKUCHAEV and SUSHCHIN’s behest.

49. When BARATOV successfully obtained unauthorized access to a victim’s account, he notified DOKUCHAEV and provided evidence of that access. He then demanded payment, generally approximately U.S. $100, via online payment services.

50. Once DOKUCHAEV sent BARATOV a payment, BARATOV provided DOKUCHAEV with valid, illicitly obtained account credentials permitting DOKUCHAEV, SUSHCHIN, and others known and unknown to thereafter access the victim’s account without further assistance from BARATOV.

All in violation of Title 18, United States Code, Section 1030(b)….

79. Specifically, BARATOV sought and gained unauthorized access to Google and other webmail provider accounts as requested by DOKUCHAEV, sometimes after DOKUCHAEV’s discussions with SUSHCHIN. BARATOV provided the means of unauthorized access in the form of valid, but illicitly obtained passwords, to DOKUCHAEV. DOKUCHAEV then paid BARATOV for providing DOKUCHAEV with such information, thereby enabling unauthorized access to the requested email accounts. In total, DOKUCHAEV paid BARATOV money and other things of value aggregating at least $1,000 for unauthorized email account access during a one-year period, from April 17, 2015 through April 17, 2016….

OVERT ACTS

80. In furtherance of the conspiracy and to effect its illegal objects, BARATOV, DOKUCHAEV, and SUSHCHIN committed the following acts:

a. On or about October 10, 2014, DOKUCHAEV sent BARATOV a request for unauthorized access to ******as@gmail.com and ********ov@gmail.com.

b. On or about October 10, 2014, DOKUCHAEV sent BARATOV a request for unauthorized access to more than 30 Google accounts, not including the two described in the preceding paragraph.

c. On or about December 26, 2014, BARATOV sent DOKUCHAEV the password for *******17@gmail.com, to which account DOKUCHAEV had tasked BARATOV to gain unauthorized access.

d. On or about January 2, 2015, BARATOV sent DOKUCHAEV the password for *****2011@gmail.com, to which account DOKUCHAEV had tasked BARATOV to gain unauthorized access.

e. On or about July 6, 2015, BARATOV sent DOKUCHAEV the password for *****77@gmail.com, to which account DOKUCHAEV had tasked BARATOV to gain unauthorized access.

f. On or about August 1, 2015, BARATOV sent DOKUCHAEV a second password for *****2011@gmail.com, an account for which BARATOV had sent DOKUCHAEV a password on or about January 2, 2015, and to which account DOKUCHAEV had tasked BARATOV to gain unauthorized access.

g. On or about September 30, 2015, BARATOV sent DOKUCHAEV the password for *******um@gmail.com, to which account DOKUCHAEV had tasked BARATOV to gain unauthorized access.

h. On or about November 16, 2015, DOKUCHAEV sent BARATOV a request for unauthorized access to ****br@gmail.com and ****ov@gmail.com.

i. On or about November 17, 2015, BARATOV sent DOKUCHAEV the password for ****ov@gmail.com, to which account DOKUCHAEV had tasked BARATOV to gain unauthorized access.

j. On or about November 17, 2015, DOKUCHAEV paid BARATOV U.S. $104.20.

k. On or about December 3, 2015, BARATOV sent DOKUCHAEV the password for ********13@gmail.com, to which account DOKUCHAEV had tasked BARATOV to gain unauthorized access.

l. On or about March 24, 2016, DOKUCHAEV sent BARATOV a request for unauthorized access to ***********va@gmail.com.

m. On or about March 25, 2016, BARATOV sent DOKUCHAEV the password for ********21@gmail.com, to which account DOKUCHAEV had tasked BARATOV to gain unauthorized access.

All in violation of Title 18, United States Code, Section 1029(b)(2).

COUNT THIRTY-NINE: 18 U.S.C. § 1349 - Conspiracy to Commit Wire Fraud

81. Paragraphs 1 through 11, 14 through 50, 54, and 80, and the factual allegations set forth in paragraph 74 of this Indictment are hereby re-alleged and incorporated by reference as if set forth in full herein.

82. From at least in or about January 2014, until December 1, 2016, in the Northern District of California and elsewhere, the defendants, DMITRY DOKUCHAEV, IGOR SUSHCHIN and KARIM BARATOV, together with others known and unknown to the Grand Jury, conspired to devise a scheme and artifice to defraud and to obtain property from Google account users by means of materially false and fraudulent pretenses, representations, and promises, and did knowingly transmit and cause to be transmitted by means of wire communication in interstate and foreign commerce, writings, signs, signals, pictures, and sounds, namely transmitting malicious computer code, illicitly obtained credentials, and fraudulent messages, for the purpose of executing and attempting to execute the scheme and artifice, in violation of Title 18, United States Code, Section 1343.

83. Specifically, DOKUCHAEV and SUSHCHIN identified email accounts to which they wanted access. DOKUCHAEV then directed BARATOV to attempt to gain unauthorized access to at least 80 email accounts, including at least 50 Google accounts. BARATOV attempted to obtain access credentials for the accounts through “spear phishing.” BARATOV, when successful, sent DOKUCHAEV the passwords for the accounts.

84. Upon successfully gaining the credentials for a tasked account, BARATOV informed DOKUCHAEV that he could be paid for his work in Russian rubles, U.S. dollars, Ukrainian hryvnia, or Euros through online payment services. DOKUCHAEV then paid BARATOV using these means.

All in violation of Title 18, United States Code, Section 1349.

COUNTS FORTY THROUGH FORTY-SEVEN: 18 U.S.C. § 1028A(a)(1) - Aggravated Identity Theft

85. Paragraphs 1 through 50 and 80 of this Indictment are hereby re-alleged and incorporated by reference as if set forth in full herein.

86. On or about the dates set forth below, in the Northern District of California and elsewhere, the defendants, DMITRY DOKUCHAEV and KARIM BARATOV, during and in relation to the crimes of Conspiracy to Commit Computer Fraud, in violation of 18 U.S.C. Section 1030(b), Unauthorized Access to Computers, in violation of 18 U.S.C. Section 1030(a)(2), Conspiracy to Commit Fraud and Related Activity in Connection with Access Devices, in violation of 18 U.S.C. Section 1029(b)(2), and Conspiracy to Commit Wire Fraud, in violation of 18 U.S.C. Section 1349, did knowingly transfer, possess, and use, without lawful authority, the means of identification of another person.

COUNT | ON OR ABOUT | IDENTIFICATION OF ANOTHER PERSON
FORTY | December 26, 2014 | BARATOV sent DOKUCHAEV the password and email address for *******17@gmail.com.
FORTY-ONE | January 2, 2015 | BARATOV sent DOKUCHAEV the password and email address for *****2011@gmail.com.
FORTY-TWO | July 6, 2015 | BARATOV sent DOKUCHAEV the password and email address for *****77@gmail.com.
FORTY-THREE | August 1, 2015 | BARATOV sent DOKUCHAEV the password and email address for *****2011@gmail.com.
FORTY-FOUR | September 30, 2015 | BARATOV sent DOKUCHAEV the password and email address for *******um@gmail.com.
FORTY-FIVE | November 17, 2015 | BARATOV sent DOKUCHAEV the password and email address for ****ov@gmail.com.
FORTY-SIX | December 3, 2015 | BARATOV sent DOKUCHAEV the password and email address for ********13@gmail.com.
FORTY-SEVEN | March 25, 2016 | BARATOV sent DOKUCHAEV the password and email address for ********21@gmail.com.

FIRST FORFEITURE ALLEGATION: 18 U.S.C. §§ 982(a)(2)(B) & 1030(i) and (j)

87. The allegations contained in paragraphs one to eleven and Counts One and Eleven through Twenty-Four are hereby re-alleged and incorporated by reference for the purpose of alleging forfeiture pursuant to Title 18, United States Code, Sections 982(a)(2)(B) and 1030(i) and (j).

88. Upon conviction of any of the offenses in violation of Title 18, United States Code, Section 1030 as set forth in Counts One and Eleven through Twenty-Four of this Indictment, defendants DMITRY DOKUCHAEV, ALEXSEY BELAN, IGOR SUSHCHIN, and KARIM BARATOV, shall forfeit to the United States of America:

a. pursuant to Title 18, United States Code, Sections 982(a)(2)(B), any property constituting, or derived from, proceeds obtained directly or indirectly as a result of said violations; and

b. pursuant to Title 18, United States Code, Sections 1030(i) and (j), any property constituting, or derived from, proceeds obtained directly or indirectly as a result of said violations, and any property used to commit or facilitate the commission of said violation or conspiracy thereto.

89. The property subject to forfeiture shall include, but not be limited to the following:
a. All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx9844, held by BARATOV in the name of “Elite Space Corporation”;

b. All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx2639, held by DOKUCHAEV;

c. a grey Aston Martin DBS, license plate identification “MR KARIM”; and

d. a black Mercedes Benz C54, license plate identification “CAWE693.”

90. If, as a result of any act or omission of the defendants, any of said property:

a. cannot be located upon the exercise of due diligence;

b. has been transferred or sold to or deposited with, a third person;

c. has been placed beyond the jurisdiction of the Court;

d. has been substantially diminished in value; or

e. has been commingled with other property which without difficulty cannot be subdivided; any and all interest defendants have in any other property (not to exceed the value of the above forfeitable property), including but not limited to a grey Aston Martin DBS, license plate identification “MR KARIM,” and a black Mercedes Benz C54, license plate identification “CAWE693,” shall be forfeited to the United States, pursuant to Title 21, United States Code, Section 853(p) and as incorporated in Title 28, United States Code, Sections 2323(b)….

93. The property subject to forfeiture shall include, but not be limited to all funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx2639, held by DOKUCHAEV.

94. If, as a result of any act or omission of the defendants, any of said property:

a. cannot be located upon the exercise of due diligence;
b. has been transferred or sold to or deposited with, a third person;
c. has been placed beyond the jurisdiction of the Court;
d. has been substantially diminished in value; or
e. has been commingled with other property which without difficulty cannot be subdivided; any and all interest defendants have in any other property (not to exceed the value of the above forfeitable property), including but not limited to a grey Aston Martin DBS, license plate identification “MR KARIM,” and a black Mercedes Benz C54, license plate identification “CAWE693,” shall be forfeited to the United States, pursuant to Title 21, United States Code, Section 853(p) and as incorporated in Title 28, United States Code, Sections 2323(b)…

THIRD FORFEITURE ALLEGATION: 18 U.S.C. §§ 981(a)(1)(C), 982(a)(2)(B) and 1029(c)(1)(C) and 28 U.S.C. § 2461(c)

95. The allegations contained in paragraphs one to eleven and Counts Ten and Twenty-Five through Thirty-Eight are hereby re-alleged and incorporated by reference for the purpose of alleging forfeiture pursuant to Title 18, United States Code, Sections (a)(2)(B) and 1029(c)(1)(C) and Title 28, United States Code, Section 2461(c).

96. Upon conviction of any of the offenses in violation of Title 18, United States Code, Sections 1029 and 1349 as set forth in Counts Ten and Twenty-Five through Thirty-Eight of this Indictment, defendants DMITRY DOKUCHAEV, ALEXSEY BELAN, IGOR SUSHCHIN, and KARIM BARATOV, shall forfeit to the United States of America:

a. pursuant to Title 18, United States Code, Section 981(a)(1)(C) and Title 28, United States Code, Section 2461(c), any property, real or personal, which constitutes or is derived from proceeds traceable to these violations;

b. pursuant to Title 18, United States Code, Section 982(a)(2)(B), any property constituting or derived from proceeds obtained directly or indirectly as a result of these violations;

c. pursuant to Title 18, United States Code, Section 1029(c)(1)(C), any personal property used or intended to be used to commit a violation of Title 18, United States Code, Section 1029.

97. The property subject to forfeiture shall include, but not be limited to the following:
a. All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx9844 held by BARATOV in the name of “Elite Space Corporation”;
b. All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx2639, held by DOKUCHAEV;
c. a grey Aston Martin DBS, license plate identification “MR KARIM”; and
d. a black Mercedes Benz C54, license plate identification “CAWE693.”

98. If, as a result of any act or omission of the defendants, any of said property:
a. cannot be located upon the exercise of due diligence;
b. has been transferred or sold to or deposited with, a third person;
c. has been placed beyond the jurisdiction of the Court;
d. has been substantially diminished in value; or
e. has been commingled with other property which without difficulty cannot be subdivided; any and all interest defendants have in any other property (not to exceed the value of the above forfeitable property), including but not limited to a grey Aston Martin DBS, license plate identification “MR KARIM,” and a black Mercedes Benz C54, license plate identification “CAWE693,” shall be forfeited to the United States, pursuant to Title 21, United States Code, Section 853(p) and as incorporated in Title 28, United States Code, Sections 2461(c).

A TRUE BILL

BARBARA J. VALLIERE, Chief, Criminal Division

DATED: 2/28/17

BRIAN J. STRETCH
United States Attorney
United States Attorney” Read the entire indictment here: https://www.justice.gov/opa/press-release/file/948201/download
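The account takeover sequence the indictment describes in paragraphs 43 and 44 (the recovery address is changed, the change is verified a few minutes later from an address the attacker controls, and the password is then reset; the same attacker-controlled address is reused across victims) is a pattern an account provider's abuse or security team can hunt for in its own audit log. The Python below is an added illustration for this page, not code from the indictment, from Yahoo, or from any provider's real tooling: the event format, the field names, the time window and the sample events are all constructed assumptions for the example. It flags two things: a recovery-address change followed by a password change inside a short window, and a single recovery address that has been set on several distinct accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (assumption: not from the indictment or any
# real provider). Each event is (ISO timestamp, account, action, detail), where
# detail carries the new recovery address for recovery_email_* actions.
SAMPLE_EVENTS = [
    # Two victims: recovery address swapped to the same outside address, then
    # verified and the password reset within minutes (the paragraph 43/44 pattern).
    ("2014-10-09T10:00:00", "victim-as@example.com", "recovery_email_changed", "attacker-recovery@example.net"),
    ("2014-10-09T10:05:00", "victim-as@example.com", "recovery_email_verified", "attacker-recovery@example.net"),
    ("2014-10-09T10:07:00", "victim-as@example.com", "password_changed", ""),
    ("2014-10-09T11:00:00", "victim-ov@example.com", "recovery_email_changed", "attacker-recovery@example.net"),
    ("2014-10-09T11:04:00", "victim-ov@example.com", "recovery_email_verified", "attacker-recovery@example.net"),
    ("2014-10-09T11:06:00", "victim-ov@example.com", "password_changed", ""),
    # Benign: a user updates a backup address and changes the password days later.
    ("2014-10-01T09:00:00", "alice@example.com", "recovery_email_changed", "alice.backup@example.org"),
    ("2014-10-05T09:00:00", "alice@example.com", "password_changed", ""),
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_fast_recovery_resets(events, window_minutes=30):
    """Return accounts where a recovery-address change was followed by a
    password change within window_minutes. Each finding records the new
    recovery address so findings can be pivoted on it."""
    by_account = defaultdict(list)
    for ts, account, action, detail in events:
        by_account[account].append((_parse(ts), action, detail))

    findings = []
    for account, evs in by_account.items():
        evs.sort()  # chronological order per account
        for i, (t_change, action, new_recovery) in enumerate(evs):
            if action != "recovery_email_changed":
                continue
            # Look forward only: the password change must come after the swap.
            for t_later, later_action, _ in evs[i + 1:]:
                if later_action == "password_changed" and t_later - t_change <= timedelta(minutes=window_minutes):
                    findings.append({
                        "account": account,
                        "new_recovery": new_recovery,
                        "minutes": (t_later - t_change).total_seconds() / 60,
                    })
                    break
    return findings


def find_shared_recovery_addresses(events, min_accounts=2):
    """Return recovery addresses that were set on at least min_accounts
    distinct accounts; one outside address collecting many victims is the
    reuse the indictment describes."""
    accounts_per_address = defaultdict(set)
    for _, account, action, detail in events:
        if action == "recovery_email_changed":
            accounts_per_address[detail].add(account)
    return {addr: sorted(accts) for addr, accts in accounts_per_address.items()
            if len(accts) >= min_accounts}


if __name__ == "__main__":
    for f in find_fast_recovery_resets(SAMPLE_EVENTS):
        print("fast recovery->reset:", f)
    for addr, accts in find_shared_recovery_addresses(SAMPLE_EVENTS).items():
        print("shared recovery address:", addr, "->", accts)
```

Both rules are cheap to run over a day's worth of account-change events; in practice the second one is the stronger signal, because a legitimate user rarely sets the same backup address on many unrelated accounts, and any recovery address that appears in both result sets deserves immediate review.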