Posts

Ruslan Stoyanov and Two Degrees of Separation from Protected Criminal Hackers

Ruslan Stoyanov, the former head of cyber investigations at Kaspersky and now in prison fighting accusations of treason, got some press yesterday when letters he sent to his lawyers got released by a Russian TV station, Dozhd. Moscow Times covered Stoyanov’s accusation that Russia exchanges intelligence related hacking for impunity for foreign cybercrimes.

“The essence of the deal is that the state gets access to the technologies and information of ‘cyberthieves,’ in exchange for allowing them to steal abroad with impunity,” Stoyanov said, claiming that this agreement has lead to “a new crime wave” perpetuated by “patriotic thieves.”

Stoyanov also warned that hackers are liable to turn their attention back to Russia, once their “patriotic fervor” wears off.

Dozhd’s coverage is here, which makes one additional focus of Stoyanov’s letters clear: Stoyanov pits the dangers to Russia of formerly protected hackers engaging in crimes within Russia against his own value to Russia in taking down the Lurk hackers last year. As Stoyanov’s report from last year claims, Lurk’s members managed to steal over 3 billion rubles before they were arrested with the help of Kaspersky.

It’s a nice play to the public, Stoyanov’s attempt to challenge Russia’s accusations of treason by pointing out that protected criminal hackers pose a greater threat to Russia.

But there’s a problem with it (though one of which Stoyanov may be unaware).

Stoyanov’s arrest for treason has been tied to that of FSB officers Sergei Mikhailov and Dmitry Dokuchaev. The best public (and, I believe, partial) explanation for their arrest so far is that the arrest arose, in part, out of an old grudge from spammer Pavel Vrublevsky, who believed Mikhailov and Stoyanov shared information on his operations with the FBI.

But that explanation pre-dates the unsealing of the indictment against four people — including Dokuchaev — for the hack of Yahoo from 2014 to 2016. In the indictment’s description of Dokuchayev and in some of its description of the alleged hacks, it describes an FSB officer 3 who, because he is described as “supervisory,” is likely Mikhailov (which, as I suggested in my original post on this, raises interesting questions about why he wasn’t also charged).

DMITRY ALEKSANDROVICH DOKUCHAEV, also known as “Patrick Nagel,” was a Russian national and resident. DOKUCHAEV was an FSB officer assigned to Second Division ofFSB Center 18, also known as the FSB Center for Information Security. He was an associate ofFSB officer IGOR SUSHCHIN; another, supervisory FSB officer known to the Grand Jury (“FSB Officer 3”), who was the senior FSB official assigned to Center 18; and other FSB officers known and unknown.

[snip]

From at least in or around December 2015 until May 2016, the conspirators sought access to accounts ofthe former Minister ofEconomic Development of a country bordering Russia (“Victim A”) and his wife (“Victim B”). DOKUCHAEV, SUSHCHIN, and BELAN worked with FSB Officer 3 to access_Victims A and B’s accounts by minting cookies and to share information obtained from those accounts. In one instance, on or about December 18, 2015, FSB Officer 3 provided SUSHCHIN with information regarding a company controlled by Victims A and B. On or about December 21, 2015, DOKUCHAEV sent a cookie for Victim B’s account to SUSHCHIN, who then later that day sent DOKUCHAEV a report on Victims A and B. On or about May 20, 2016, BELAN minted a cookie for the same Victim B account.

And the rest of the indictment describes how Dokuchaev, in particular, worked closely with prominent criminal hacker Alexsey Belan to access Yahoo. The indictment even describes how they helped Belan avoid legal troubles in Russia.

One of the criminal hackers, BELAN, has been the subject of an Interpol “Red Notice” and listed as one of the Federal Bureau ofInvestigation’s (“FBI”) “Most Wanted” hackers since 2012. BELAN resides in Russia, within the FSB’ s jurisdiction to arrest and prosecute. Rather than arrest him, however, the FSB officers used him. They also provided him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by law enforcement, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers.

That is, Dokuchaev and, at least by presumed extension, Mikhailov, are allegedly involved in precisely the thing Stoyanov is trying to distinguish himself against, protecting prominent hackers so as to use their skills for FSB’s goals.

But then, there are also the reasons to ask whether all that Dokuchaev, at least, was doing was official FSB business. On top of targeting a Russian email provider (which is probably Yandex) via unofficial means, Dokuchaev used a number of tools, such as Yahoo and Paypal, that would be readily accessible to American authorities, but inaccessible to Russian authorities. Which, if he was spying against Russian authorities themselves, might explain why Russia would arrest Dokuchaev for treason.

Along with Stoyanov.

As I said, there’s no reason to assume Stoyanov knows that Dokuchaev just got credibly accused of using Belan to help hack Yahoo. The Yahoo indictment likely got minimal attention in Russia to begin with, and it’s not clear how much access to the media Stoyanov has in prison in any case.

But while his accusation against Russian authorities served its presumed purpose of making a media splash, both in Russia and internationally, given that he was accused of treason along with a guy who does just what he’s claiming, it’s not clear how much it helps his case (except perhaps to distinguish himself from those he got charged with).

Why Would FSB Officer Dmitry Dokuchaev Use a Yahoo Email Account to Spy for Russia?

At the Atlantic, I expanded on this post to explore how Russia has to do by hacking what the US can do using Section 702. As I lay out, for a lot of foreign spying involving US tech companies, Russia has to do things like phish or hack Yahoo’s servers to gain the kind of access the NSA gets just by asking nicely.

But as Jeffrey Carr notes in this post, that’s not true for unencrypted communications that originate in Russia. FSB — the agency where alleged Yahoo hackers Dmitry Dokuchaev and Igor Sushchin worked — have access to anything that originates in Russia.

To put it another way, the FSB has total information awareness on every type of communication that originates in Russia or passes through Russian servers.

Carr uses that detail to argue that this probably means Dokuchaev — who was charged by Russia with treason in December — and Suschin were operating on their own.

[W]hy would the FSB, with their vast resources and legal authorities, need to collect information on Russian targets in Russia via Yahoo?

The obvious answer is — they don’t. And since all of the defendants with the exception of one person are either criminals or charged by the Russian government with treason, the Yahoo breach was most likely the act of corrupt FSB employees and criminal hackers rather than an official FSB operation.

Now, many if not most accounts identified in the indictment (I made a list of the described targets in this post) wouldn’t be officially available, because they’re located in countries adjoining Russia or the US.

But there are a few other details that do support Carr’s argument.

First, in addition to Yahoo and Google accounts, the conspirators targeted a Russian webmail service — probably Yandex.

In or around April 2016, the conspirators sought access to an account of a senior officer at a Russian webmail and internet-related services provider (the “Russian Webmail Provider”). On or about April 25, 2016, DOKUCHAEV successfully minted a cookie to gain access to the victim user’s account.

Admittedly, FSB might not want to go to Yandex (or whichever provider it is) to ask for information on one of their senior officers, but nevertheless, this information should be available officially in Russia. Another passage that describes the Russian webmail service lists only Russian targets, though that section also includes Google targets, so those may have been the GMail accounts of Russians unavailable in Russia.

In addition, the day after the indictment, Sushchin got fired from Renaissance Capital (which is owned by Nets owner Mikhail Prokhorov), where he was embedded. That suggests his was not an official embed noticed to the company (though it still may have been a legitimate FSB placement).

Most interesting of all is that Dokuchaev used US resources to conduct the hack. He had a Paypal account, which he presumably used to pay Karim Baratov.

All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx2639, held by DOKUCHAEV;

And, according to the G&M (and this is the most amazing part), Dokuchaev used a Yahoo account to communicate with Baratov.

Mr. Dokuchaev is alleged in the court documents to have used a Yahoo e-mail account to contact Mr. Baratov and hire him to get the log-in information for about 80 accounts belonging to victims of the Yahoo hack.

I get why you wouldn’t email Baratov from your [email protected] account, because that would alert Canadian and US authorities he was working with Russian spies. But surely a Russian spy knows enough not to communicate via an account that is readily available to US authorities under Section 702, even if the conspirators’ persistent presence in the Yahoo servers might alert you to such surveillance? Even if you wanted to use an account in North America there are surely better options.

In other words, there are a lot of reasons to believe that Dokuchaev was making more effort to keep this activity out of easy reach of Russian authorities then he did to hide it from the US.

How Was Karim Baratov Paid?

The indictment accusing two FSB officers and two hackers of compromising Yahoo in 2014-2016 is remarkably detailed. It describes how Alexsey Belan accessed individual Yahoo accounts (though not how he broke in the first time). It provides lists and lists of who got hacked, in enough detail that any victims who didn’t already know would learn they had been targeted — as would anyone else in Moscow who might find these details of interest.

I want to look closely, though, at what it tells us about how one of the hackers, Karim Baratov, got paid.

The question is not that interesting as it pertains to Belan. In his case, the indictment describes a number of ways he profited off the hack — with marketing commissions for erectile dysfunction drugs, with spam targets based off millions of hacked Yahoo accounts, and with credit and gift card numbers stolen from specific accounts. Moreover, any additional payment to Belan would be internal to Russia — a cinch to pull off without attracting the attention of the FBI or Department of Treasury.

But Baratov, the phisher that broke into Google and (presumably) Yandex accounts for the FSB men after they were identified via Yahoo metadata, is in Canada, meaning financial transfers would be international.

The indictment explains that he demanded payment of about $100 via online payment system per successful phish, and that FSB officer Dmirty Dokuchaev had to pay before obtaining the credentials.

During the conspiracy DOKUCHAEV tasked BARATOV with obtaining unauthorized access to at least 80 identified email accounts, including at least 50 identified Google accounts.

[snip]

When BARATOV successfully obtained unauthorized access to a victim’s account, he notified DOKUCHAEV and provided evidence of that access. He then demanded payment-generally approximately U.S. $100-via online payment services.

Once DOKUCHAEV sent BARATOV a payment,’ BARATOV provided DOKUCHAEV with valid, illicitly obtained account credentials permitting DOKUCHAEV, SUSHCHIN, and others known and unknown to thereafter access the victim’s account without further assistance from BARATOV.

[snip]

Upon successfully gaining the credentials for a tasked account, BARATOV informed DOKUCHAEV thathe could be paid for his work in Russian rubles, U.S. dollars, Ukrainian hryvnia, or Euros through online payment services. DOKUCHAEV then paid BARATOV using these means.

Altogether, Baratov provided access to upwards 80 accounts, for a total profit of not much more than $8,000 for crimes that expose him to decades in prison.

At least once (though I believe just this once), the indictment actually records Dokuchaev paying Baratov.

On or about November 17, 2015, BARATOV sent DOKUCHAEV the password for ****[email protected], to which account DOKUCHAEV had tasked BARATOV to gain unauthorized access.

On or about November 17, 2015, DOKUCHAEV paid BARATOV U.S. $104.20.

We also learn that — in addition to seizing Baratov’s Aston Martin and Mercedes — the government will be seizing the contents of a Paypal account in his name.

All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx9844, held by BARATOV in the name of “Elite Space Corporation”;

Brian Krebs pointed to one of Baratov’s hacker for hire sites that also accepted payment in WebMoney and YandexMoney.

According to this G&M article, the documents filed in support for extraditing Baratov say the Paypal account was tied to a Royal Bank checking account. (It also says Dokuchaev communicated with Baratov via a Yahoo account!)

The payments are alleged to have travelled through Web accounts including a PayPal account that links to a Royal Bank chequing account in Mr. Baratov’s name. Between February, 2013, and October, 2016, Mr. Baratov received more than $211,000 via that PayPal account, the court records say, adding, however, that the amounts he is alleged to have earned from the Yahoo scheme are smaller.

And the indictment also lists a Dokuchaev Paypal account for forfeiture.

All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx2639, held by DOKUCHAEV;

So we have a pretty good idea of how the Paypal payments got to Baratov: from Dokuchaev’s account to Baratov’s to Baratov’s Royal Bank checking account.

But we don’t know where the money in Dokuchaev’s account came from — and whether it made the FSB tie clear.

Jeffrey Carr has asked whether this operation was an official or rogue operation from the FSB side — a question which has merit and which I’ll return to. That question certainly raises the stakes on where the money in Dokuchaev’s Paypal account came from.

There’s also the other question. Baratov clearly made more than the $211,000 that came into his Royal Bank account. $211,000 would barely cover his fancy cars, much less the ability to throw $100 bills at trick or treaters. So where is the rest of Baratov’s hacking income coming from?

Incidentally, according to the G&M, Baratov was put under surveillance by the RCMP around March 7. His $900K house was put on sale on March 13, but then delisted after the indictment. The indictment was actually dated February 28.