The Patriot Files Forums  
#1  Boats (Senior Member, joined Jul 2002, Sauk Village, IL), 04-21-2017, 04:31 PM

Inside the Hunt for Russia's Hackers
Posted on April 20, 2017, at 9:00 p.m. by Sheera Frenkel - BuzzFeed Staff
RE: https://www.buzzfeed.com/sheerafrenk...dmG#.dglOE6YPj

Russia’s cyberwarfare operations are built on the back of their cybercriminal networks. Can the US and its allies take them down?

SAN FRANCISCO — Just past 8 a.m. on March 14, police trod quietly through the snow to the double-fronted doors of Karim Baratov’s lavish home in Ancaster, Ontario. The officers passed by the garage where Baratov’s jet-black Mercedes Benz and Aston Martin DBS were parked, two of the only outward indications that the 22-year-old had money to spend. Minutes later, they took the Canadian-Kazakh hacker away into custody — a subdued end to an international cyber drama that involved the highest levels of the US government, Russian spies, a global cybercrime syndicate, and hundreds of millions of unsuspecting Americans.

The baby-faced Baratov is currently awaiting trial in the US on charges that he helped hack into half a billion Yahoo accounts — the largest known hack in history. His co-conspirators are Alexsey Belan, 29, a notorious Russian hacker still at large, and two Russian intelligence officers, Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43. The case against them is the starkest public example of the ways in which the Russian government works with cybercriminals to achieve its global agenda through cyberwarfare, and why those attacks have proven so difficult for governments around the world to track, let alone prosecute.

Baratov, according to accounts given by US law enforcement, was a hacker for hire. It appears he simply took the wrong job.

“The Yahoo hack is a great example of the US government coming forward and saying we know what you are doing and we can prove it,” said Milan Patel, the former chief technology officer of the FBI’s cyber division and now managing director at the K2 Intelligence cybersecurity firm. “In the past the US and Russia engaged in a lot of tit-for-tat covert operations. But with Russia now, a lot is coming to the forefront and being made public about how they run their cyberactivities.”

That’s not always how it was. In the mid-2000s, FBI agents tried to work with their counterparts in the FSB, Russia's Federal Security Service, to investigate hackers, with regular bilateral meetings featuring US and Russian agents working together in the hope that the two countries could stem the growing tide of online crime. At least that’s how the Americans saw it.

“We would tip them off about a person we were looking for, and they would mysteriously disappear, only to appear later on working for the Russian government,” Patel said. “We basically helped the FSB identify talent and recruit by telling them who we were after.”

The arrest of Baratov and his co-conspirators signals a broader US government crackdown on Russian cybercriminals. For years, cybersecurity researchers and US authorities have traced the ties between cybercriminals and the Russian state, including how malware first developed for criminal enterprises has made its way into state-sponsored cyberattacks on Russia’s neighbors, and how botnet armies created by hackers have been repurposed to launch attacks on Russian targets. Now, they appear ready to strike. Earlier this month, Spanish authorities acting on behalf of the US arrested Pyotr Levashov, long known to authorities as one of the world’s most prolific spam kingpins. Five months ago, the US named a number of well-known Russian hackers as being behind the hacks on the Democratic National Committee, which they say were aimed at influencing the US elections. For those following the murky dealings of the world’s top hackers, the names did not come as a surprise. What was new was the willingness of US officials to publicly name the hackers, and to aggressively pursue Russian cybercriminals who aid Russia’s increasingly aggressive strides into cyberwarfare.

Three Russian hackers told BuzzFeed News over the last month that there was “panic” about how far the arrests would go, and for how long hackers would be pursued by US authorities. US security officials told BuzzFeed News that they would do well to be scared, as “the gloves were coming off” with Russian hackers.

“We’ve reached a boiling point with Russia. They are the closest competitor to the US when it comes to cyberespionage and cyberattacks,” Patel said. “But Russia is playing with different rules — or maybe just without rules.”

Ask Americans to describe a typical Russian hacker who targets the US and they will likely describe a scruffy Russian teenager in a dimly lit basement, or a chiseled military figure in a warehouse-like room filled with hundreds of hackers, pounding away at their keyboards as they plot to take down the US. The truth is that Russian cyber operations are far more complex than either of those scenarios, with the Russian state relying on a network of hackers it hires within its military and intelligence divisions, as well as cybercriminal networks and hackers for hire it can recruit or co-opt as it needs.

“It’s a multilayered system, and it is very flexible. That’s what makes it so hard to track,” said one FBI agent who currently works within the bureau’s cyber division. He asked to speak off the record so that he could discuss open cases with BuzzFeed News. “Let’s say, for instance that Russian intelligence decide they want to hack into eBay to try and find information about a certain person. They might do that through an existing team they have in place, or they might go to a hacker, who has already infected a computer they want compromised and tell him to give them access or else … or they might just pay a guy who has previously hacked eBay to do it for them again.”

That flexibility makes it very difficult for the FBI, or any other law enforcement agency, to track what is being hacked, and why, the FBI agent said.

“They will use whatever method they need to use to get in, and they have no lines between criminals who are hacking for profit and those who are hacking for the government,” he said. “They might be going into eBay to steal credit cards, or they might be doing it as part of a covert op to target a US member of Congress. They might be doing both, really. It makes it hard to know when a hack is a matter of national security and when it is not.”

The hack on Yahoo that compromised the information of more than 500 million people lays out the complex relationship between the hackers and their targets. The accounts were hacked in 2014, with Yahoo only discovering the compromised accounts in September 2016. Just a few months later, Yahoo announced it had discovered a second, earlier breach, which had affected an additional 500 million people in 2013. Together, the hacks cost the company roughly $350 million, as users fled from the platform amid security concerns. It was, cybersecurity experts said, a death blow for Yahoo.

A spokesman for Yahoo did not answer a request for comment from BuzzFeed News. In a public statement published soon after the indictment was issued, Yahoo wrote: "The indictment unequivocally shows the attacks on Yahoo were state-sponsored. We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible."

For weeks, cybersecurity researchers investigating the hacks believed they were looking at a case of corporate espionage. But as the scope of the breach was discovered, researchers began to fear that an enemy of the US was compiling a massive database of all US nationals, complete with personal details and email accounts they could mine for vulnerable information. The indictments issued last month against Baratov, Belan, and the FSB officers revealed that the group had breached Yahoo looking for both political targets and financial targets. The hundreds of millions of other people who had been caught up in the breach were just collateral damage.

“The guys who did this to Yahoo, they were criminals. They could have turned around and sold the entire database to the highest bidder,” the FBI agent said. “We are lucky they didn’t.”

Enough is known about the four men to sketch a rough timeline of how they came together to carry out the hack. Dokuchaev was once known in hacker circles as “Forb,” and he spoke openly about hiring out his services until he was recruited into government work, as the Russian newspaper RBC has reported. At the FSB, Dokuchaev was partnered with Sushchin, and the two recruited Belan, a Latvian-born hacker who had been on a list of the FBI’s most wanted since 2012.

“This is the way it goes: They trap one hacker and then they get him to trap his friends,” said one Russian hacker, who agreed to speak to BuzzFeed News via an encrypted app on condition of anonymity. The hacker, who recently served time in a Russian prison and had fled the country once he was released, said the “pressure was intense” to do work on behalf of Russian intelligence officers. “They press on you. It’s not, like, a nice request. It’s a knock on your door and maybe a knock on your ass. If they can’t threaten you they threaten your family.”

It’s unclear how the men were connected to Baratov, who immigrated to Canada from Kazakhstan with his family in 2007. Investigators say Baratov was a hacker for hire. In a July 14, 2016, post on his Facebook page, Baratov wrote that he first discovered how profitable hacking could be when he was expelled from his high school for "threatening to kill my ex-friend as a joke." The time off school "allowed me to work on my online projects 24/7, and really move my businesses to the next level." The post, which included photos of a BMW, Audi, and Lamborghini, claims he made “triple and even quadruple the normal amount” of income. He ended the post with "Taking shortcuts doesn't mean shortcutting the end result."

Once the group had gained access to Yahoo, its targets included an economic development minister of a country bordering Russia, an investigative reporter who worked for Russian newspaper Kommersant, and a managing director of a US private equity firm, court documents show. FBI investigators believe that in addition to searching for the political targets requested by the FSB, Belan also used the Yahoo database to line his own pockets by searching for credit card information and devising various schemes to target Yahoo users. In November 2014, he began tampering with the Yahoo database so that anyone interested in erectile dysfunction treatments was redirected to his own online pharmacy store, from which he got a commission for driving traffic to the site.

“When you look at this case, you realize it has national security and criminal elements. It doesn’t fit neatly into one box or the other,” the FBI agent involved in the case said.

Patel said that the FBI often had difficulty distinguishing between cyber cases that were criminal in nature, versus those which were politically motivated, or had ties to the Russian state. “The government is making an effort to bridge the gap between investigations that involve classified national security issues, and those which are criminal because those worlds aren’t separate anymore,” he said, explaining that departments were trying to form more joint task forces and share classified information when possible.

It’s unclear who within the FSB was responsible for the group, or if their orders ultimately came from another arm of Russia’s government. In December 2016, Dokuchaev was arrested in Russia and accused of treason. His arrest appeared to be part of a roundup of Russian military and cybersecurity figures, though little information has emerged since their arrests.

Andrei Soldatov, a Russian investigative journalist and co-author of The Red Web, a book about the Kremlin’s online activities, said that while the Russian government’s tactic of outsourcing cyber operations to various groups is helpful in distancing themselves (and ultimately providing deniability), it also left them vulnerable to hackers running amuck.

“Hackers are not people who are traditionally easy to control,” said Soldatov. “They might disobey you sometimes.”
__________________
Boats

O Almighty Lord God, who neither slumberest nor sleepest; Protect and assist, we beseech thee, all those who at home or abroad, by land, by sea, or in the air, are serving this country, that they, being armed with thy defence, may be preserved evermore in all perils; and being filled with wisdom and girded with strength, may do their duty to thy honour and glory; through Jesus Christ our Lord. Amen.

"IN GOD WE TRUST"
#2  Boats (Senior Member), 04-21-2017, 04:37 PM

EXPERT COMMENTARY
Cyber Warfare Beyond Domains
APRIL 23, 2017 | JACQUELYN G. SCHNEIDE
RE: https://www.thecipherbrief.com/artic...d-domains-1092

In 2010, then-Deputy Secretary of Defense William J. Lynn III made a pivotal decision for the future of cyberspace and the U.S. military: He saw to it that the U.S. Department of Defense declared cyberspace a “domain” of warfare.

This decision created the organizational impetus for the DoD to organize and equip forces to defend and attack from cyberspace. Lynn anticipated that the future of warfare would be determined by competitions for information and that without the ability to organize for missions in cyberspace, the DoD would be unable to ensure the digital freedom it needed to win modern wars. Since that time, the DoD has not only developed an overarching Cyber Strategy and stood up an entire Cyber Command with more than 6,000 personnel, but has also brought to initial operating capability 133 teams for its Cyber Mission Force. Under the auspices of the cyberspace domain, the DoD has made huge strides to defeat and deter adversaries in cyberspace.

But while labeling cyberspace an independent warfighting domain may have been administratively useful for the Pentagon, the arbitrary separation between “cyber” and the conventional domains has potentially deleterious effects for U.S. military effectiveness. The problem is that cyberspace does not operate within its own stovepipe. Instead, “cyber” is a general term that captures the role that digital information – the ones and zeros of modern warfighting – plays in creating conventional military power. These digital capabilities are embedded within tactical datalinks, smart weapons, unmanned and autonomous systems, in logistics platforms and mission planning software, and the millions of emails that direct military power.

This digital terrain of modern warfare is increasingly contested by cross-domain threats. These threats could come from cyber attacks on networks, but also undersea cable-cutting, conventional bombing attacks of database farms, and anti-space attacks on the satellites that transmit digital navigation and targeting information. It is impossible to understand the significance of offense and defense in cyberspace without understanding the digital technologies that create the cyber terrain. Network-centric warfare and the digital capabilities it is dependent on have created a cyber terrain in which the U.S. is incredibly vulnerable to cross-domain threats to its cyber dependencies. You cannot separate these capabilities and vulnerabilities created in cyberspace from the ability to achieve victory in the air, land, sea, and space domains.

The administrative separation of cyberspace from the conventional domains with which it is linked leads to two significant problems for the modern American military.

First, the delineation of a cyberspace domain creates cyber stovepipes. Warfighters, particularly below the Combatant Command, are unaware of potential offensive cyber capabilities to support conventional domains of warfighting, nor are they authorized to execute any of these cyber capabilities. This problem is likely a combination of a legacy of secrecy passed down from the National Security Agency, coupled with the inherent technical difficulty of obtaining and maintaining cyber accesses. Without the ability to assure access, organizations that safeguard offensive cyber capabilities are necessarily wary of sharing information with conventional warfighters. Cyber capabilities remain confined to the special access and special technical operations world.

The second problem was highlighted recently, when Army and Special Operations leaders pointed out that kinetic attacks were often easier to authorize than similar, or even less intense, cyber attacks. These officials were so concerned with the authorization problem that they staffed normally tactical-level exercises with Congressional representatives and members of the Office of the Secretary of Defense.

The reality is, separation of cyberspace from the other domains creates an incentive to centralize cyber defense. The consequence is that conventional warfighting units have limited capability or agency to protect and defend their own digital terrain. This problem is exacerbated because “cyber” warriors are increasingly distinct from the conventional mission set. While they are well-trained and equipped for identifying potential cyber vulnerabilities in military networks, these cyber warriors have limited knowledge of how various cyber vulnerabilities affect the conventional mission.

Indeed, the explosion of digital technologies within conventional missions means that vulnerabilities have expanded beyond network access points to vulnerabilities in software, datalinks, and even hardware. While the conventional warfighter may not have the cyber skills to mitigate these vulnerabilities, he does understand the impact that losing any of these components might have on air, land, sea, and space missions.

The conventional warfighter needs to be given the agency, some knowledge, and the ability to lean on cyberspace defenders in order to give priority to the defense of the crucial cyber terrain.

The solution to the cyberspace domain problem is not likely a change in nomenclature. Making cyberspace its own domain has provided useful incentives for organizing and – most importantly – funding key components of victory in the 21st Century world. Instead of renaming the cyberspace domain, we need to devote effort to better understanding the linkages between cyberspace and conventional capabilities, both in the offensive realm where authorities and access are the primary problems, and the defensive realm, where agency and knowledge are the primary issues.

Cyberspace is not solely Cyber Command’s problem nor is it solely Cyber Command’s tool. The state that will succeed at cyber warfare of the future is the one that understands the link between conventional operations and cyber capabilities and vulnerabilities.

Views expressed here are my own and do not reflect those of the U.S. Navy or the Naval War College.