All's fair in the spy game. The United States acknowledges that. But when hacking crosses into the theft of intellectual property or criminal gain, it's a red line. Cue Russia's alleged use of freelance hackers to help with state activities, which has now brought about an unprecedented indictment that will stoke further U.S.-Russia tension.
Two Russian FSB officers have been accused of directing and paying freelance hackers to break into Yahoo's network and others. All four have been indicted by a grand jury, the first such indictment against Russian government officials. Yahoo disclosed the breach, which occurred in 2014 and affected 500 million accounts, in September 2016 (see Massive Yahoo Data Breach Shatters Records).
"The indictment very specifically ... draws other explicit lines that signal the boundaries of what's acceptable."
One of the hackers, Alexey Belan, has been on the FBI's "cyber most wanted list" for five years. The indictment alleges that rather than apprehend him, the FSB helped him evade law enforcement and used him to gain access to Yahoo's network. Another man, Karim Baratov, who was arrested March 14 in Canada, is accused of aiding the FSB in accessing other email accounts and web services.
The indictment describes in great detail the alleged intermingling of cybercriminals and FSB officials. Think of it being something like TaskRabbit, only for state-sponsored espionage. But it's the freelancers' side activities that may have brought unwanted attention to Russia's intelligence moves.
Spam and Gift Cards on the Side
While working for the FSB, Belan allegedly sought side income. Per the indictment, he's been accused of trying to manipulate Yahoo's search engine to market erectile dysfunction drugs and exploiting 30 million stolen Yahoo email accounts for spam. Belan also mined Yahoo accounts for redeemable gift card numbers and access to PayPal and Western Union accounts, according to the indictment.
Had the Yahoo breach been purely an in-house Russian intelligence project and included no for-profit activities, it's unlikely it would have resulted in an indictment. But by tapping into a talented pool of freelance hackers with other motivations and questionable operational security, the Russian government landed itself in a muddy puddle.
China ran into the same kind of unwanted attention in 2013, but in reverse. The Justice Department indicted five members of the Chinese Army's signals intelligence unit 61398 with stealing nuclear, solar power and steel trade secrets from six U.S. organizations over eight years. Chinese industry was allegedly tapping into the state's cyber capabilities in order to steal intellectual property.
Neither indictment will likely result in prosecutions of Chinese or Russian officials. But the U.S. government may be motivated by an aim to send "messages both to the Russian government and other governments about what's permissible and what's not permissible," says Nathaniel Gleicher, head of cybersecurity strategy at Illumio and former director for cybersecurity strategy on the National Security Council at the White House.
"The indictment very specifically emphasizes that there was direction and control by the government officials and draws other explicit lines that signal the boundaries of what's acceptable," Gleicher tells me.
The Freelancer Downside
Russia may only be realizing now that using freelance hackers would eventually turn an unwanted spotlight on its intelligence-gathering activities. It's no secret that U.S. intelligence agencies, cybersecurity companies and anyone else in the space is have trouble recruiting. It makes sense that Russia would turn to outside talent, especially if government funding for recruiting and training in-house hackers is scarce.
The alleged Yahoo hacking crew wouldn't have been the only group so recruited. Indeed, The New York Times reported earlier this week that Evgeniy M. Bogachev, the alleged hacker and Gameover Zeus botnet mastermind, was roped into working for Russian intelligence. It's a clear quid pro quo: You help us, we'll leave you alone.
Bogachev is accused of running the Gameover Zeus botnet, which aimed to steal login credentials for financial services, and which U.S. prosecutors have tied to more than $100 million in fraud. But his control over the massive botnet he allegedly helped to build worldwide sparked interest not just from prosecutors, but also intelligence agencies. Interestingly, Bogachev's name popped up on a list of people and organizations sanctioned for links to the 2016 U.S. presidential election interference that the U.S. intelligence community attributed to Russia.
Outsourcing Carries Risks
There are many risks when outsourcing intelligence activities. For one, spymasters have little control over operational security. If freelancers make a mistake, their efforts could unravel, revealing a long, embarrassing chain of offenses.
The indictment of the alleged Yahoo hackers doesn't indicate how the Justice Department obtained its information. But it does contain specific detail on payments made by one of the FSB agents to Baratov, and dates when Baratov allegedly passed along passwords for certain accounts to his handler.
It's hard enough for professional intelligence agencies to keep their secrets secure, as we've seen most recently via the CIA leaks, as well as former National Security Agency contractor Edward Snowden's leaks from 2013 (see WikiLeaks Dumps Alleged CIA Malware and Hacking Trove).
Also, the desire to make more money could increase the freelancers' exposure, thus increasing the exposure to the Russian government. Shortly after Yahoo announced the breach of 500 million accounts in September 2016, the computer security firm InfoArmor told me some of the data was sold three times, first to a state-sponsored party and then to other cybercriminals (see Yahoo Hacked by Cybercrime Gang, Security Firm Reports).
Those deals were done in highly secretive forums. The fact that they were spotted, however, reflects how the broader computer security community has been keeping a watchful eye on cybercriminals - especially following the wave of breach disclosures last year relating to such firms as Dropbox, LinkedIn and MySpace - and reveals an apparent OPSEC failure on the part of Russia's freelance hackers.
Now they get to play the prosecution game.