What the Yahoo Hack Says About Russian Spies
Former Russian domestic intelligence officer Dmitry Dokuchaev won't appear in a U.S. court to face charges related to the mass 2014 hacking of the Yahoo! Inc. user database. That's because he already sits in a Moscow jail, accused of treason. Dokuchaev's rare achievement in being wanted by both the U.S. and Russian authorities sheds light on what is widely said in the West to be "state-sponsored Russian hacking," but would more accurately be described as a combination of freelance theft and a concept known in Russian as "krysha."
Dokuchaev is a former hacker from Yekaterinburg. He was reportedly blackmailed into joining the FSB, Russia's domestic intelligence agency, after his private exploits became known to the service, but then built a successful career, rising to the rank of major. The Russian investigation appears to link him to a group called Shaltai Boltai, or Humpty Dumpty, which broke into electronic mailboxes, mostly of Russian officials and business people, obtained compromising information about them and then either sold or published it. The group's work was a combination of blackmail, competitive intelligence and public relations; Dokuchaev's alleged role was to direct the group toward particular victims and cover up its activities while pretending to investigate it.
The U.S. indictment appears to tell a similar story. One of the four defendants in the Yahoo case is Igor Sushchin, identified both as Dokuchaev's superior in the FSB and as someone "embedded as a purported employee and head of information security" at a "Russian financial firm." This would be an unorthodox arrangement: A case officer given a cover job at a company is unlikely to be the direct superior of someone working at the FSB. More likely, the chain of command was informal.
Dokuchaev is said to have hired Alexey Belan, a Latvian-born hacker sought by the Federal Bureau of Investigation since 2012 for breaking into the networks of various U.S. companies, to hack the Yahoo user database and provide access to email accounts on the free service. Belan seems to have used spear phishing -- a plausible-looking email with a fake link -- to steal the credentials of a Yahoo employee, then got into the database and started minting cookies, or tracking files, that allowed him to get into Yahoo email accounts without the need to crack passwords. Sushchin and Dokuchaev then identified accounts whose contents they wanted. Since hardly anyone uses Yahoo email for anything private or important, Belan or the FSB officers fished for information about other email accounts. Then, a Canada-based hacker, Karim Baratov, was paid to hack into those more useful accounts for about $100 apiece.
They may have simply found Baratov on the internet. He advertised cheap email hacking services, and he didn't make much of an effort to be inconspicuous, driving, for example, an Aston Martin DBS with the vanity plate "Mr. Karim." Baratov has been arrested in Canada, and is awaiting extradition to the U.S. Sushchin and Belan remain at large in Russia.
The victims listed in the U.S. indictment fit the profile of a Shaltai Boltai-type private intelligence operation rather than government spying. Sushchin wanted the dope on executives in his financial company; businesspeople working in a "country bordering on Russia," and a former economics minister of that country, were hacked. A couple of mid-ranking Russian politicians and functionaries and "an assistant to the Deputy Chairman of the Russian Federation" are also on the list. (The latter is a nonexistent title, possibly indicating a deputy prime minister's aide; Shaltai Boltai hacked the email of Deputy Prime Minister Arkady Dvorkovich in 2014.)
Western targets were mainly private-sector employees at transport and tech companies. It's not clear what the FSB officers wanted with them, but Belan wasn't above searching their accounts for credit card and even gift card data. He also redirected Yahoo traffic to an online pharmacy to earn a commission.
It's likely that the FSB, which arrested Dokuchaev and a number of alleged accomplices late last year, and the FBI caught the same activity from two different ends. Some of it may have been government or quasi-government business; but most of it was probably freelancing for cash, both on the part of the intelligence operatives and the hackers they hired. The latter could be paid for their work, the way small-time email break-in artist Baratov allegedly was, or they could be provided with "krysha" -- which in Russian means "a roof."
A British court exposed to the notion in the course of litigation between two Russian oligarchs described it as involving "either the provision of political influence or protection for money or money's worth, or criminal violence, or both." Belan, who had narrowly escaped arrest in Europe and had to lie low in Russia, needed it to continue operating. Working for FSB officers fit the bill.
U.S. commentators these days often speak of a "deep state." In Russia, it would be more appropriate to discuss "deep business." President Vladimir Putin's corrupt system functions as a network of business relationships. It's a kind of secondary nervous system inside the Russian bureaucracy, running parallel to the official one, creating parallel chains of command and serving different goals than the official system whose tools it uses.
But it's easier for Western law enforcers and even intelligence agencies to see the Russian state as a monolithic force, Putin's obedient machine in the service of his revanchist goals. Freelancing FSB majors who hire freelancing hackers to steal information they can then sell is a harder narrative to internalize; but the truth is that much of Russia's hacking activity, even when it appears to be government-connected, is about money, not power.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story:
Leonid Bershidsky at firstname.lastname@example.org