On February 28, the Justice Department filed a 47-count indictment against (0) two agents of Russia’s foreign intelligence agency, the FSB, and two Russian hackers, allegedly hired by the FSB. Although part of a broad pattern of Russian spying activities, the indictments are not related to the Russian hacking into the Democratic National Committee or other interference in the 2016 election.
The Justice Department charges (1) that the Russian agents directed a sweeping conspiracy to steal data from 500 million Yahoo customers in 2014; and then the FSB employed that data as the basis for using a complement of other intelligence tools to spy on a wide array of targets, both government and private. Specifically, between 2014 and 2016, the two intelligence officers directly paid the hackers to penetrate the servers of a Silicon Valley company — including its source code — to spy on the contents of internet traffic of more than 6,500 individual accounts. The targets included a diverse, even bizarre, multitude of victims — White House personnel, US diplomatic and military officials, a US financial company, and a Nevada gaming official. Possibly signaling competition among Russian intelligence agencies, the hacks also included a Russian journalist and other Russian government agencies. As the New York Times summed it up (2): “The list of targets is a glimpse into both the global reach of Russia’s spying apparatus and the internecine power struggles of Russia’s competing security agencies.”
Indeed, in a fundamental sense, the arrangement was set up to take advantage of — even encourage — the hackers’ entrepreneurial spirit. One private culprit was allowed to manipulate a Yahoo server to direct users to an online pharmacy specializing in products similar to Viagra. Other ventures included phishing email messages designed to trick users into giving the hackers access to their financial accounts. (This scheme was lucrative enough for one hacker to treat himself to an Aston Martin DBS and a Mercedes C4, the indictment states (3).)
These picaresque details did not amuse the FBI or Justice Department, for in the ultimate insult and embarrassment, it turns out that the two spies worked for (4) the FSB unit that is the liaison with the FBI in international efforts to identify and bring cybercriminals to justice.
The indictments have been called a “landmark move (5)” — it is and it isn’t.
Certainly, it is the first time the US has directly charged Russian government officials with cybercrimes — although we have done so with North Korean, Chinese, and Iranian officials in the past. In this case, given the controversy swirling around Trump administration relations with Vladimir Putin and his lieutenants, it may partially allay fears that the administration is “going soft” on Russia for whatever reasons. Yet Democrats surely will not be deflected from their drumbeat of criticism concerning unresolved issues surrounding Russian interference in the US presidential election. Sen. Mark Warner (D-VA), ranking member of the Senate Intelligence Committee, applauded the Justice Department actions, but added (6): “These indictments shed light on the close and mutually beneficial ties between the cyber underworld and the Russian government and security services, and the extent to which Russia leverages these cyber activities to multiple ends: commercial, financial and geopolitical. This simply underscores the complexity and urgency of the task facing the Senate Intelligence Committee in its bipartisan investigation into Russian interference in America’s 2016 elections.”
The indictments are also striking for the level of detail included in the court document. In past cybersecurity episodes, there has been endless speculation and hand-wringing over the difficult problems associated with attribution and with assembling evidence to support charges. Inevitably, it has been argued that there will be a tug-of-war between Justice Department officials and intelligence agencies fearful of exposing their sources and methods. In this case, however, given the extraordinary detail of the charges, that debate has largely been resolved in favor of public revelation. The point is that the indictments demonstrate — even if never actually acknowledged — a level of surveillance of communications between the “private” hackers and the FSB unit (as well as intra-FSB communications) that will tip off the Russians to the deep technical capabilities of the US intelligence community. They probably knew or suspected such capability — but this is daunting confirmation.
Behind all the details of this Russian Yahoo episode and the individual indictments lies a still unanswered question that also plagued the Obama administration: Is this enough? The Russians have shown no indication that they will lessen, let alone desist from, cyber activities that not only interfere with US elections but also use stolen US intellectual property for cybercrime purposes, whether directly or through paid accomplices — and consort with those private buccaneers to commit further cybercrimes and thefts. And they have stepped up political interference with US allies in Europe, particularly in Eastern Europe and the Baltic states.
China is widely held to have desisted from or diminished the theft of (7) US IP after President Obama’s direct warning to Xi Jinping in September 2015. Russia seems to blow by such warnings. And therein lies one of the most daunting cyber challenges for the fledgling Trump administration.