Published by The Lawfare Institute
in Cooperation With
Yesterday, the U.S. Department of Justice (DoJ) released an indictment against four Russians in one of the most significant hacking-related law enforcement actions to date. According to the indictment, two criminals working at the behest of two officers of Russia’s Federal Security Service (FSB) hacked into Yahoo’s internal networks, compromised Yahoo user accounts, and used those compromises to pivot into accounts with other online services, including Google. The Yahoo compromise, involving half a billion accounts, made major news last year; the hack resulted in $250 million being shaved off Verizon’s acquisition price for that company.
This indictment has it all, from details of Russian espionage and tradecraft and connections to the criminal underworld, to an erectile-dysfunction-spam scheme and even an Aston Martin with a vanity license plate spelling “MR KARIM.” It is only the third indictment we can recall that alleges state-sponsored hacking, with the previous two coming against Chinese People’s Liberation Army officers and Iranian Islamic Revolutionary Guard Corps members.
Up front, the story here is not about the long arm of American law bringing ne’er-do-wells to justice. While one of the conspirators has been arrested in Canada, the rest are located in Russia and will not be seeing a U.S. jail cell any time soon—though at least one of the conspirators is already facing Russia’s own brand of justice for alleged collaboration with U.S. intelligence services. Russia has a rather poor track record in complying with U.S. extradition requests. At best, this will inconvenience the at-large hackers, who will now risk arrest if they travel to U.S.-friendly vacation spots. And this case and others like it will, in aggregate, hopefully seek to deter future hackers, who may think twice about targeting U.S. entities.
Neither is the case likely to shame Russia into joining the U.S. at the bargaining table, as the earlier PLA indictments did for China. Russian behavior in this domain makes clear it is not particularly concerned about these actions hurting its standing in the international community. Remarkably, this indictment alleges that the FSB officers continued tasking one of the criminals, Aleksey Belan, after he was indicted by the United States in 2012 and an INTERPOL Red Notice was issued for his arrest (Belan was arrested in Europe in 2013 but mysteriously escaped). Using an international fugitive for espionage doesn’t exactly signal a desire to fly under the radar.
However, we believe this indictment and the accompanying statement have several notable effects. First, this indictment contains many relevant details about Russian hacking operations. This includes details of coordination between the FSB and criminals, the organizational structure of the FSB, specific hacking techniques used, targeting patterns employed, and operational security methods. It even includes the details of specific senior Russian government targets under investigation by the FSB—information that surely must be roiling the Kremlin this week. What strikes us as quite unusual is just how much information DOJ chose to make public—information about those individuals now indicted, and about their hacking tactics and techniques. DoJ could have kept this indictment under seal if it thought such publicity might tip off the accused before a potential arrest. Or DoJ could have opted to leave out out many of the technical details, as it did in its indictment of several Iranian hackers in 2015. Instead, the Department decided to put it all out there in public—sending a message to Russia and sharing information that could help other organizations protect themselves from this set of actors and others.
The indictment also helps debunk the myth that attribution of cyber intrusions and attacks is a major roadblock for the United States government. The U.S. has significant means at its disposal to identify the perpetrators of various hacks. Many methods for attributing attackers are far outside the digital domain, something that security experts in the private sector often overlook when criticizing attribution capabilities. This case and others underscore that the United States is often able to attribute the source of a given intrusion. That it does not always do so has as much to do with a lack of political will or concern about blowing sources as it does with any technical inability.
Finally, this action puts pressure on the political leadership in the White House to take further action to respond to and deter Russian malicious activities. That this latest indictment comes from an organ of the U.S. government undercuts the dangerous moral equivalence that President Trump has drawn between U.S. and Russia. But this case is just one more addition to a voluminous record of unacceptable conduct that Russia has assembled in recent years, which includes influence operations, diplomatic harassment, military brinkmanship and unbridled aggression against European partners.
For reasons already mentioned, however, this indictment will not impose serious direct costs on the Russian government or its hackers. It further builds the case against Russia, but it needs to be followed up with additional actions if the U.S. actually wants these activities to cease in the future.
A few other significant points stood out to us:
Use of Proxies. In their statement, the Department of Justice officials take pains to emphasize the connection between government officials and criminals as the aspect of Russian behavior that is most concerning. Using non-governmental and loosely-controlled criminals to carry out malicious cyber activities on behalf of the state could lead to actions that are unintended or misperceived by the victim state, which could be escalatory. Particularly galling is that the offending FSB unit is the FBI’s point of contact in Russia for law enforcement cooperation related to computer crimes.
The ties between governments and criminal proxies are some of the murkiest aspects of cyber operations, and this indictment forces one particular demonstration of those ties into the sunlight. Russia has long been suspected of utilizing proxy actors to maintain a degree of separation from its hacking activities. A variety of “pro-Russian” hackers and hacker groups, including CyberBerkut, the Cyber Caliphate and, of course, Guccifer 2.0, have long been suspected of direct Russian government sponsorship, but hard evidence is hard to come by.
This indictment changes that. But if Russia’s intent was to hold proxy actors at arm’s length to mask government activities, it is the stubby arm of a T-Rex. According to the indictment, the relationship seems to go far beyond the simple tasking of criminal actors and instead includes an extraordinary amount of close coordination between government intelligence officers and criminals. The information flow went both ways between government and criminal: the FSB even passed the criminals “information regarding FSB law enforcement and intelligence investigations, and FSB tactics,” according to the complaint. The indictment makes clear that the relationship between the criminal hackers and the government was primarily financial: the FSB would pay one of the hackers approximately $100 for each compromised email account.
Though many Russian hackers are allegedly gang-pressed into service by Russian intelligence services against their will, at least a few appear to be doing well for themselves, as one of the hacker’s stable of expensive cars seems to indicate.
A Sophisticated Hack? After the hack was initially announced, Yahoo stuck to a now-familiar script in its defense: calling the hack a sophisticated, state-sponsored intrusion as a way to lessen embarrassment for the company and get help from the feds. Many commentators argue that Yahoo was, in fact, correct. But what is important here is not that this is a case where a victim’s convenient cries that they were targeted by a “sophisticated state-sponsored actor” actually turned out to be true. It’s that distinctions between criminal and government hacking hardly matter in countries where the state exists for the personal benefit of its government officials. According to the indictment, the hackers seamlessly toggled their targeting from U.S. and foreign government officials to private sector companies and individual users. Furthermore, a state-sponsored campaign need not be sophisticated. (Our colleague Ben Buchanan has a new paper on this exact point.) Though the FSB apparently used a few interesting techniques, such as the delicious-sounding “cookie minting,” the indictment also makes clear that access was gained via good old fashioned spearphishing—which likely could have been defended against with basic best practices. The odds are good that this spearphishing provided the initial compromise of Yahoo, and we’d venture a guess that the initial infection came through the exploitation of well-known vulnerabilities. This doesn’t mean that the FSB is not a sophisticated adversary—they just may not have needed to work quite so hard to access this target.
Even though Yahoo can now credibly claim that its network defenders were up against a determined foreign intelligence service, this indictment still brings horrible news for the company. The depth of the compromise was far deeper than suspected. The Russians did not simply execute a smash-and-grab operation to steal user accounts—they used Yahoo’s networks as their playground for months. The ability to generate cookies for users implies a total compromise of Yahoo’s internal systems. As experts have pointed out, at that level of penetration there is nothing users can do to defend themselves. Even more sensationally, one hacker manipulated the code for Yahoo’s search engine to generate fraudulent results to users searching Yahoo for erectile dysfunction medication, in order to direct users to the certain websites to generate marketing revenue for himself. Jokes aside, these details raise serious questions about the integrity of any Yahoo application or website.
U.S. Government Relationship with Silicon Valley. Also noteworthy here is the emphasis in the statement on the Department of Justice’s close cooperation with Google and Yahoo. In the statement, DoJ commends Yahoo and Google for their cooperation with the investigation, notes the invaluable role that Silicon Valley companies play in global communications (and implicitly the government’s role in punishing those who seek to undermine that role), and stresses that the FBI and DoJ were able to conduct this investigation without “unduly intruding into the privacy of the accounts that were stolen.”
The heavy stress on this close public-private cooperation and the FBI’s ability to work without compromising user privacy must assuredly be in response to all of the negative publicity stemming from the Apple iPhone encryption debacle and the news that Yahoo had previously installed special software to aid law enforcement and intelligence requests for user data. In the halls of the FBI, top leadership must be especially happy to get a badly-needed win on the board that can serve as an example of the government coming to the aid of industry. The truth is, the respective roles of government and industry in information security are not as black and white as many observers make it out to be. Law enforcement action can be a huge asset to businesses under daily assault from foreign businesses and intelligence services, and cooperation between industry and the government continues below the surface, even if public antagonism is politically expedient.
The Department of Justice’s indictment provides an extraordinary level of detail into Russian state-sponsored hacking that will be useful to industry, academics, and other governments. Whether it will also lead to sustained action to impose costs on Russia remains to be seen. It is now on the White House to take additional steps to turn the tide against Russian hacking.
Finally, this indictment will add to the crescendo of spy-versus-spy intrigue surrounding Russia and the 2016 U.S. presidential election. One of the indicted hackers, Dmitry Dokuchaev, was recently arrested on charges of treason for allegedly spying for the Central Intelligence Agency. Many observers saw this as a response to the U.S. accusations of election interference, insinuating that Dokuchaev and others may have been involved in giving the CIA information used in the public release of information relating to Russia’s role. This latest indictment, along with Wikileaks’ release in early March of documents allegedly related to CIA’s hacking program, will only add to the intrigue. We seem to be in a very dense wilderness of mirrors today, and notwithstanding investigations underway in Congress, it may be quite a while before we learn the linkages, if any, between these events.