Yahoo Cyberattack Indictment Offers Clues Into Russian Election Hacking

“It’s a really interesting picture of how the whole system is put together.”

Jeff Chiu/AP; Mikolajn/Getty


The low-profile prosecution of a 22-year-old Canadian hacker may offer clues regarding how US intelligence officials learned about Russia’s efforts to disrupt last year’s election—and it could offer a lot more clues if the case goes to trial.

Last month in US District Court in San Francisco, Karim Baratov, a Canadian citizen born in Kazakhstan, pleaded not guilty to multiple felonies related to his bit part in the cyberattack that compromised 500 million Yahoo accounts starting in 2014—and that nearly derailed Yahoo’s acquisition by Verizon. Of the four men indicted, Baratov is the only one in US custody. The others include an internationally wanted Latvian hacker and two members of a cyber unit within Russia’s Federal Security Service (FSB for short). They are the first FSB operatives American authorities have charged in any hacking case.

One of the FSB guys, Dmitry Dokuchaev, is part of a group of Russian intelligence officials reportedly jailed in Russia last December for treason. According to Russian media reports, Dokuchaev and an FSB superior, Sergei Mikhailov, stand accused of passing information about Russia’s election hacking to US intelligence agencies. The Russian news service Interfax reported that the two men were “accused of breaking their oath and working with the CIA.”

Another publication, Novaya Gazeta, reported that Russian authorities believe Mikhailov alerted American officials to the role of a server-rental firm called “King Servers,” which US cybersecurity sleuths say was used by the Russian hackers suspected of penetrating election systems in Arizona and Illinois in 2016 and voting systems in Germany, Turkey and Ukraine.

While these reports, attributed to unnamed officials, might be disinformation, the February Yahoo indictment suggests, as some cyber experts have speculated, that Dokuchaev was indeed a double agent. The indictment details communications between Dokuchaev and Igor Sushchin, the more senior FSB official charged in the Yahoo case—a possible indication that Dokuchaev provided information to the United States. It also contains extensive information about Dokuchaev’s interactions with the hackers charged with assisting the FSB in the Yahoo attack. That may be another sign Dokuchaev was in contact with US intelligence. The fact that he was indicted in the United States might be read to mean he was not a US intelligence asset—would the government indict an overseas spy it had recruited? But a former Justice Department official notes it would be logical for the feds to do just that in order to provide cover.

If Dokuchaev was a double agent, he may have supplied the CIA with far more information about Russian hacking than has come to light in the Yahoo case. According to David Hickton, a former US attorney who oversaw a case in which members of the Chinese military were indicted for hacking American corporations, it’s a “reasonable assumption” that the information revealed in the indictment is the tip of the iceberg. “You can assume there is more to this,” Hickton said. “This is a very important case.”

In a January 2017 report, US intelligence agencies, without naming their sources, concluded with “high confidence” that Russian President Vladimir Putin had “ordered an influence campaign in 2016 aimed at the US presidential election” that included an effort “to denigrate Secretary Clinton, and harm her electability and potential presidency” while benefiting Trump. The apparent penetration of the FSB’s cyber unit by American intelligence may have contributed to the agencies’ conclusions. (Russia’s arrests of Dokuchaev and Mikhailov were part of a larger purge, suggesting that US intelligence may have had sources deep inside Russia’s cybersecurity unit.)

“The Russians are almost certainly right that Dokuchaev provided sensitive information to the Americans,” says Dave Aitel, a former NSA employee and head of Immunity, a computer security company. “You can’t assume it was election-related, but it’s possible.”

In addition, cybersecurity analysts have concluded that the FSB used freelance hackers to influence the US presidential election. The most notable Russian hacking group was Cozy Bear (a.k.a. APT 29), one of the shadowy groups accused of mounting intrusions into the Democratic National Committee, the White House, the State Department, and the Joint Chiefs of Staff. Any FSB personnel compromised by US intelligence might have information on the agency’s myriad hacking activities, Aitel says. “The FSB isn’t that big.”

Baratov, one of the accused Yahoo hackers, was extradited to the United States last month to be prosecuted. With discovery underway, prosecutors are obligated to share their evidence with the defense. But District Court Judge Vince Chhabria has signed an order barring attorneys from releasing any pretrial materials that prosecutors deem sensitive due to privacy or national security concerns.

But if Baratov ends up standing trial, the prosecutors may have to reveal in open court how they built their case—and whether they relied on information from Dokuchaev. If the case does reach trial, much of this sensitive information “should be public,” says Andrew Mancilla, an attorney representing Baratov. Neither the Justice Department nor the US attorney’s office prosecuting the case responded to requests for comment.

The Yahoo indictment does not address election hacking directly. But it does indicate that US officials have detailed knowledge of the activities of Russians who may also have been involved in election-related efforts. The document asserts that Dokuchaev, working under Sushchin and other unnamed FSB officials, oversaw a scheme in which the Latvian hacker named in the case—Alexsey Belan, known in the cyber world as “Magg”—stole information from at least 500 million Yahoo users.

With this data, prosecutors charge, the conspirators accessed other email accounts of people the FSB wanted to spy on, including American and Russian officials, Russian journalists, a Russian cybersecurity firm, and executives in the finance, transportation, and technology industries. The targets included two American cloud-computing firms. Belan also allegedly profited by searching the stolen Yahoo accounts for credit and gift-card information and by manipulating Yahoo search traffic to score commissions from a company that sold erectile dysfunction products.

Baratov, the Canadian, is charged with a smaller role. The indictment says Dokuchaev sent him data from the Yahoo hack—which Baratov is not accused of participating in directly—to help him break into more than 80 additional email accounts belonging to FSB targets. Dokuchaev allegedly paid Baratov $100 per account.

Dokuchaev is central to the scheme described in the Yahoo indictment. He reported to Sushchin and oversaw Belan and Baratov. The indictment describes two email exchanges in which Dokuchaev sent Sushchin “a minted cookie”—a small file with information about a specific account—along with instructions on how to break into that account.

Overall, experts say, the Yahoo case provides an unusually detailed look at how Russian intelligence officials interact with freelance hackers. These relationships help Russian intelligence maintain a level of deniability and enhance their capabilities. “It’s a really interesting picture of how the whole system is put together,” Aitel remarks.

The Kremlin, not surprisingly, denies any connection to the Yahoo case. In March, Russian spokesman Dmitri Peskov declared, “We have repeatedly stated that there can be absolutely no question of any official agency, including the FSB, in any unlawful actions in cyberspace.”
