[BreachExchange] Outsourcing Cyber Espionage Landed Russia in Trouble

[Audrey McNeil]

http://www.databreachtoday.com/blogs/outsourcing-cyber-
espionage-landed-russia-in-trouble-p-2420

All's fair in the spy game. The United States acknowledges that. But when
hacking crosses into the theft of intellectual property or criminal gain,
it's a red line. Cue Russia's alleged use of freelance hackers to help with
state activities, which has now brought about an unprecedented indictment
that will stoke further U.S.-Russia tension.

Two Russian FSB officers have been accused of directing and paying
freelance hackers to break into Yahoo's network and others. All four have
been indicted by a grand jury, the first such indictment against Russian
government officials. Yahoo disclosed the breach, which occurred in 2014
and affected 500 million accounts, in September 2016 (see Massive Yahoo
Data Breach Shatters Records).

One of the hackers, Alexey Belan, has been on the FBI's "cyber most wanted
list" for five years. The indictment alleges that rather than apprehend
him, the FSB helped him evade law enforcement and used him to gain access
to Yahoo's network. Another man, Karim Baratov, who was arrested March 14
in Canada, is accused of aiding the FSB in accessing other email accounts
and web services.

The indictment describes in great detail the alleged intermingling of
cybercriminals and FSB officials. Think of it being something like
TaskRabbit, only for state-sponsored espionage. But it's the freelancers'
side activities that may have brought unwanted attention to Russia's
intelligence moves.

Spam and Gift Cards on the Side

While working for the FSB, Belan allegedly sought side income. Per the
indictment, he's been accused of trying to manipulate Yahoo's search engine
to market erectile dysfunction drugs and exploiting 30 million stolen Yahoo
email accounts for spam. Belan also mined Yahoo accounts for redeemable
gift card numbers and access to PayPal and Western Union accounts,
according to the indictment.

Had the Yahoo breach been purely an in-house Russian intelligence project
and included no for-profit activities, it's unlikely it would have resulted
in an indictment. But by tapping into a talented pool of freelance hackers
with other motivations and questionable operational security, the Russian
government landed itself in a muddy puddle.

China ran into the same kind of unwanted attention in 2013, but in reverse.
The Justice Department indicted five members of the Chinese Army's signals
intelligence unit 61398 with stealing nuclear, solar power and steel trade
secrets from six U.S. organizations over eight years. Chinese industry was
allegedly tapping into the state's cyber capabilities in order to steal
intellectual property.

Neither indictment will likely result in prosecutions of Chinese or Russian
officials. But the U.S. government may be motivated by an aim to send
"messages both to the Russian government and other governments about what's
permissible and what's not permissible," says Nathaniel Gleicher, head of
cybersecurity strategy at Illumio and former director for cybersecurity
strategy on the National Security Council at the White House.

"The indictment very specifically emphasizes that there was direction and
control by the government officials and draws other explicit lines that
signal the boundaries of what's acceptable," Gleicher tells me.

The Freelancer Downside

Russia may only be realizing now that using freelance hackers would
eventually turn an unwanted spotlight on its intelligence-gathering
activities. It's no secret that U.S. intelligence agencies, cybersecurity
companies and anyone else in the space is have trouble recruiting. It makes
sense that Russia would turn to outside talent, especially if government
funding for recruiting and training in-house hackers is scarce.

The alleged Yahoo hacking crew wouldn't have been the only group so
recruited. Indeed, The New York Times reported earlier this week that
Evgeniy M. Bogachev, the alleged hacker and Gameover Zeus botnet
mastermind, was roped into working for Russian intelligence. It's a clear
quid pro quo: You help us, we'll leave you alone.

Bogachev is accused of running the Gameover Zeus botnet, which aimed to
steal login credentials for financial services, and which U.S. prosecutors
have tied to more than $100 million in fraud. But his control over the
massive botnet he allegedly helped to build worldwide sparked interest not
just from prosecutors, but also intelligence agencies. Interestingly,
Bogachev's name popped up on a list of people and organizations sanctioned
for links to the 2016 U.S. presidential election interference that the U.S.
intelligence community attributed to Russia.

Outsourcing Carries Risks

There are many risks when outsourcing intelligence activities. For one,
spymasters have little control over operational security. If freelancers
make a mistake, their efforts could unravel, revealing a long, embarrassing
chain of offenses.

The indictment of the alleged Yahoo hackers doesn't indicate how the
Justice Department obtained its information. But it does contain specific
detail on payments made by one of the FSB agents to Baratov, and dates when
Baratov allegedly passed along passwords for certain accounts to his
handler.

It's hard enough for professional intelligence agencies to keep their
secrets secure, as we've seen most recently via the CIA leaks, as well as
former National Security Agency contractor Edward Snowden's leaks from 2013
(see WikiLeaks Dumps Alleged CIA Malware and Hacking Trove).

Also, the desire to make more money could increase the freelancers'
exposure, thus increasing the exposure to the Russian government. Shortly
after Yahoo announced the breach of 500 million accounts in September 2016,
the computer security firm InfoArmor told me some of the data was sold
three times, first to a state-sponsored party and then to other
cybercriminals (see Yahoo Hacked by Cybercrime Gang, Security Firm Reports).

Those deals were done in highly secretive forums. The fact that they were
spotted, however, reflects how the broader computer security community has
been keeping a watchful eye on cybercriminals - especially following the
wave of breach disclosures last year relating to such firms as Dropbox,
LinkedIn and MySpace - and reveals an apparent OPSEC failure on the part of
Russia's freelance hackers.

Now they get to play the prosecution game.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170317/bbdaae44/attachment.html>