
The Moscow cyber-crime arrests and the Yahoo hack: was the same gang involved?

The naming of Dmitry Dokuchaev in both the Moscow cyber-arrests and the Yahoo case suggests the US and Russia may unwittingly be on the track of the same criminal gang.

Earlier this year reports appeared in the Russian media of a series of arrests of Russian FSB officers and cyber specialists, including one Ruslan Stoyanov, an employee of Russia’s top cyber security company, Kaspersky Lab.

Subsequently it became known that some of them at least had been charged with treason, in a case that supposedly involved the US, with Stoyanov supposedly charged with passing on Russian state secrets to Verigin, a US company.

Following the arrests numerous reports circulated speculating that these arrests were somehow connected to the hacking of John Podesta’s and the DNC’s computers.

Some sections of the Western media made claims – strongly denied by the Russians – that the individuals arrested were the ones who had carried out the hacking of John Podesta’s and the DNC’s computers.

Others, rather more plausibly, speculated that those arrested were some of the informers who had provided information to the US which was used by the US intelligence community to support its claims of Russian responsibility for the Podesta and DNC hacks.

The case of the arrested FSB officers in Moscow has now taken an extraordinary new twist with the US Department of Justice bringing charges against a group of four Russian cyber criminals, who according to the Department of Justice’s report, are being charged with

…the 2014 hack into the network of email provider Yahoo, the theft of information about at least 500 million Yahoo accounts and the use of that information to obtain the contents of accounts at Yahoo and other email providers.

What makes the Yahoo case interesting is that the Department of Justice is saying that two of the individuals who have been charged are FSB officers. The Department of Justice identifies them as follows:

The defendants include two officers of the Russian Federal Security Service (FSB), an intelligence and law enforcement agency of the Russian Federation and two criminal hackers with whom they conspired to accomplish these intrusions.

Dmitry Dokuchaev and Igor Sushchin, both FSB officers, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the United States and elsewhere.

They worked with co-conspirators Alexsey Belan and Karim Baratov to hack into computers of American companies providing email and internet-related services, to maintain unauthorized access to those computers and to steal information, including information about individual users and the private contents of their accounts.

The defendants targeted Yahoo accounts of Russian and U.S. government officials, including cyber security, diplomatic and military personnel. They also targeted Russian journalists; numerous employees of other providers whose networks the conspirators sought to exploit; and employees of financial services and other commercial entities.


Dmitry Dokuchaev, one of the FSB officers being charged by the US Justice Department in connection with the Yahoo hack, appears to be the same Dmitry Dokuchaev who has been arrested in Moscow in the treason case, and who The London Times has described – obviously on the basis of information obtained from British intelligence sources – as “a cyber-spy and former hacker”.

The fact that the same man – Dmitry Dokuchaev – has been charged simultaneously in both cases, the one in Washington and the one in Moscow, makes it at least possible that the two cases – the Yahoo case in Washington and the treason case in Moscow – are in some way connected, and may involve the same group of cyber-criminals.

Importantly, the Department of Justice’s and the FBI’s claims about Dokuchaev and Sushchin, the two FSB officers charged in the Yahoo case, do not necessarily point to them undertaking an intelligence operation on behalf of the Russian government. Though the wording is not completely clear, it is not inconsistent with Dokuchaev and Sushchin running a rogue operation for the purpose of self-enrichment. Here is what the Department of Justice report has to say about them:

Belan’s notorious criminal conduct and a pending Interpol Red Notice did not stop the FSB officers who, instead of detaining him, used him to break into Yahoo’s networks.

Meanwhile, Belan used his relationship with the two FSB officers and his access to Yahoo to commit additional crimes to line his own pockets with money…

For those not familiar with the FSB, it is an intelligence and law enforcement agency and a successor to the Soviet Union’s KGB. The FSB unit that the defendants worked for, the Center for Information Security, aka Center 18, is also the FBI’s point of contact in Moscow for cyber-crime matters.

The involvement and direction of FSB officers with law enforcement responsibilities makes this conduct that much more egregious. There are no free passes for foreign state-sponsored criminal behavior.

This appears to suggest that the Department of Justice believes that Dokuchaev and Sushchin recruited Belan to carry out illegal hacks of US companies on behalf of the FSB, and that Belan used the protection this afforded him to carry out more illegal hacks to enrich himself and them.

However it is equally or perhaps more likely that Dokuchaev and Sushchin were Belan’s accomplices in a series of crimes carried out on their own initiative.  It is after all hardly unusual for criminals to enlist the services of corrupt law enforcement officers to help them carry out their crimes.  Such a thing undoubtedly happens in Russia, just as it happens in most other places.

That Dokuchaev at least was a corrupt FSB officer involved in a rogue operation is strongly suggested by what the FBI itself says about him. Here is the information the FBI has provided about his activities, which appears in the Most Wanted Notice the FBI has issued about him:

Conspiring to Commit Computer Fraud and Abuse; Accessing a Computer Without Authorization for the Purpose of Commercial Advantage and Private Financial Gain; Damaging a Computer Through the Transmission of Code and Commands; Economic Espionage; Theft of Trade Secrets; Access Device Fraud; Aggravated Identity Theft; Wire Fraud


The words “purpose of commercial advantage and private financial gain” point clearly to a rogue criminal operation rather than an official state-sponsored one.

That the FBI’s knowledge of the case still has gaps is strongly suggested by what the FBI has to say about Dokuchaev’s alleged accomplice Igor Sushchin in its Most Wanted Notice about him:

Sushchin has Russian citizenship and is known to hold a Russian passport. Sushchin is alleged to be a Russian Federal Security Service (FSB) Officer of unknown rank. In addition to working for the FSB, he is alleged to have served as Head of Information Security for a Russian company, providing information about employees of that company to the FSB. He was last known to be in Moscow, Russia.


These comments about Sushchin cast doubt on whether Sushchin really is an FSB officer.

The FBI says that Sushchin is simultaneously an officer of the FSB and the head of information security at a Russian company.  Moonlighting in the private sector was a common practice for FSB officers in the chaotic 1990s.  It is hardly conceivable today.

It seems more likely that Sushchin is the head of information security for a Russian company but that because of his relationship with Dokuchaev the FBI supposes him to be an FSB officer.  Its Most Wanted Notice about Sushchin shows that the FBI does not know for a fact that Sushchin actually is an FSB officer.  It merely guesses he is, and on the facts the FBI itself provides it is probably wrong.

To add to the uncertainty there is a question mark about Dokuchaev’s own role within the FSB. According to reports in Russia, Dokuchaev is not a conventional FSB officer at all but is rather a notorious former hacker and cyber-criminal who was blackmailed by the FSB into working for them. Here is what the Moscow-based Moscow Times has to say about him:

Major Dmitry Dokuchaev, one of four cyber-security experts arrested by the Kremlin on charges of treason, has allegedly been revealed as an infamous Russian hacker.

Dokuchaev worked as a hacker under the alias “Forb” until Russia’s Federal Security Service (FSB) threatened to jail him, an unverified source told the RBC newspaper.

“Forb” gave an interview to Russian newspaper Vedomosti in 2004, revealing that he specialized in “hacking on request” and stealing money from bank cards – an occupation which he said could earn him anywhere between $5,000 and $30,000 a month.

He also claimed that he had carried out a successful attack on U.S. government infrastructure.

The FSB ultimately traced Dokuchaev to the card thefts, and threatened to prosecute the hacker unless he agreed to work for the agency, the source alleged.

If what the Moscow Times article says is true (and the story looks well-sourced) then Dokuchaev’s criminal past makes it even more plausible that what he engaged in was a rogue criminal operation which was not officially sanctioned by the FSB.

Recruiting a notorious cyber-criminal to track down other cyber-criminals is a strange idea, but hardly unique in the world of law-enforcement.  Possibly the FSB, lacking its own trained cyber-specialists as a result of the crisis of the 1990s, looked to people like Dokuchaev in order to fill its ranks quickly.  If so then this has now come back to bite it, with another FSB officer – Sergey Mikhailov, the deputy head of the FSB’s security information centre (the FSB department for which the US Justice Department says Dokuchaev worked), who may have been Dokuchaev’s superior and line manager – seemingly also implicated in Dokuchaev’s activities.

This is a tangled web.  However if what is known about the case in Moscow is put together with what is now known about the case in Washington, then it is at least possible that this is a case of two parallel investigations into the activities of the same gang.  Belan and Dokuchaev would presumably be the ringleaders, but it seems that Dokuchaev has succeeded in involving at least one other person (Mikhailov) within the FSB as well.

Supporting the theory that the treason case in Moscow and the Yahoo case in Washington are the products of two parallel investigations into the activities of the same gang is a report carried by TASS of the comments of a lawyer familiar with the Moscow case. The lawyer is reported to have said the following:

No CIA is mentioned in the case. It is only the country that is mentioned. Yes, the talk is about America, not about the CIA.


When I previously discussed this comment in an article written on 2nd February 2017, I assumed it referred to the passing of classified information to the US intelligence community, if not to the CIA itself. I overlooked the fact that the lawyer’s comment contains no hint of this. Instead the lawyer merely said that “the talk is about America”. His words are equally consistent with data theft from the US as with information transfer to the US.

It is likely that both took place.  If the cases in Moscow and Washington involve the activities of the same gang of cyber-criminals, then it seems that they were equally happy to steal information from the US, and to steal information from Russia and sell it to the US.

That would explain the claim about the passing of classified information to Verigin, with which Stoyanov is charged, and which is presumably what lies behind the treason charges.

However in all cases the motive for the gang’s activities would have been the same – the classic criminal one: to make money.

As it happens, the fact that the gang was targeting Russians as well as Americans is confirmed by the US Justice Department in its report:

The defendants targeted Yahoo accounts of Russian and U.S. government officials, including cyber security, diplomatic and military personnel. They also targeted Russian journalists; numerous employees of other providers whose networks the conspirators sought to exploit; and employees of financial services and other commercial entities.


There is much that is murky about this affair.  Though the known facts do suggest that the arrests in Moscow and the charges in Washington concern the same gang or at least the same people, that is not yet absolutely certain, and it could be that Dokuchaev, who figures so prominently in both cases, spread his net wide and involved more than one gang in his activities.

If however the two cases do involve the same gang, then unfortunately it is all too clear from the information trickling out of both Washington and Moscow that the relevant law enforcement agencies of the US and Russia are not cooperating with each other and are completely uninformed and possibly even unaware of each other’s investigations.  If so then that is much to be regretted since it can only increase the possibility of the two investigations working against each other and at cross-purposes, as in fact actually seems to be the case.

At this point however a few points can be made with confidence.

Firstly, it is clear that the Moscow arrests have absolutely nothing to do with the hacking of the computers of John Podesta and the DNC. The case in Moscow is a criminal investigation into the activities of a gang of cyber-criminals, who practised criminal activity for financial gain. They may be, and probably are, the same gang the US Justice Department and the FBI say is behind the Yahoo hack. Regardless, all the stories claiming that the Moscow case is somehow connected to the DNC and Podesta leaks are wrong.

Secondly, the claims in the Russian media that the arrests in Moscow had something to do with the Shaltay Boltai hacking group are also clearly wrong.  In that case the confusion is understandable.  It seems there is a wholly separate investigation into the Shaltay Boltai group going on as well.  Unsurprisingly some journalists in Moscow have confused the two, failing to realise that they are two wholly distinct investigations into two different groups of people.

Thirdly, if the investigations in Washington and Moscow are indeed parallel investigations into the activities of the same gang, then this shows the huge damage which has been done by the severing of contacts between the US and Russian law enforcement agencies carried out by the Obama administration.

Instead of information being pooled in order to track down and prosecute the same gang of cyber-criminals, two wholly separate and rival investigations are being conducted in two different countries which quite possibly involve the same gang.

The result is that neither investigation is being provided with all the facts.  Worse, the potential for conflict and misunderstanding between Washington and Moscow has been increased.   Both Washington and Moscow seem to be convinced that what looks to be one and the same gang was working for the intelligence agencies of the other side.  The result is that the US and Russia are blaming each other for the gang’s activities whilst protesting – correctly – their own innocence.

Perhaps one day, if Donald Trump finally comes through with his proposed detente with Russia, this sort of muddle and recrimination will be avoided.  If so then cooperation between the law enforcement agencies of the two countries would be a further important step in reducing misunderstandings and improving relations.

However, until that happens the sort of confusion, misunderstanding and exchange of blame and recriminations we are now seeing will continue unabated.

Alexander Mercouris
Editor-in-Chief at The Duran.