Karim Baratov and cyber incidents misattribution

The case of Karim Baratov is another refutation of the conspiracy theory of cyber incident attribution. This theory lumps together multiple network security breaches performed by many unrelated individuals or small groups, and then attributes these breaches to a small number of alleged government-backed hacker groups. The theory was introduced by CrowdStrike and promoted by CrowdStrike and FireEye (FEYE). One apparently sound attribution criterion is the use of the same network infrastructure — domain names and/or IP addresses — in multiple breaches. But even this criterion doesn’t work, because cyber criminals specialize and divide labor vertically. Spear-phishing incidents using the same deceptive domain and/or IP address are not necessarily connected to a single beneficiary entity. The owner of the domain name can steal passwords from many victims for many unrelated clients, knowing nothing about the clients, as in this case.

  1. Karim Baratov, a Canada-based dual citizen of Canada and Kazakhstan, owned the domain accounts-google.net. He offered services such as stealing passwords and content from individual webmail accounts for $60 a pop. See Krebs on Security for technical details.
  2. The DOJ and FBI (under Sessions and Comey, respectively) left no stone unturned (not sure about Roger Stone) in their attempts to connect Baratov’s hacking to Russian intelligence. They commingled his case with a mega-breach of Yahoo mail accounts, and they connected him to three Russian citizens who are alleged to be FSB officers. These three Russians live in Russia beyond the reach of US justice, so the DOJ can say anything about them without the risk that they would dispute it. The DOJ also found a payment of $104 from one of them to Baratov, and emails showing that Dokuchaev (one of the “Russians”) ordered the hacking of 80 accounts — out of the 11,000 accounts actually hacked by Baratov. Neither this disparity nor the weakness of the claim that Dokuchaev was an FSB officer deterred the DOJ, which declared it had found another example of hacking by the Russian government.
  3. Krebs on Security reported: “In September 2016, Yahoo first disclosed the theft of 500 million accounts that is being attributed to this conspiracy. But in December 2016, Yahoo acknowledged a separate hack from 2013 had jeopardized more than a billion user accounts.” I guess that Yahoo was happy to blame its negligence on activities of the Russian state.
  4. The Fake News falsely accused Russia of the mega breach of Yahoo mail, contrary to the evidence and the verdict (APNews: Hacker gets 5 years for Russian-linked Yahoo security breach. ABC News: Canadian who helped Russians hack half a billion Yahoo accounts get 5 years in jail).

Baratov was not connected to the Podesta email gaffe.

Baratov owned 81 domain names and provided an impressive array of “services” at very low prices:

Quality Mail hacking to order, without changing the password

    • 100% confidentiality
    • No pre-payment required
    • The lowest prices on the market
    • $60 per password [i.e., per hacked email account]
    • $25 insurance [sic!]
    • $25 for the full account copy, including all emails and folders
    • $200 for instruction in mail hacking (step-by-step)
    • Orders accepted for gmail.com and yahoo.com, among others

Contact infotech-team@bigmir.net

Bigmir.net is a Ukrainian provider. The list of services and prices in Russian was saved in 2014.

On 2017-03-15 the DOJ announced an indictment: “U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts. FSB Officers Protected, Directed, Facilitated and Paid Criminal Hackers.”

Buried inside the document was the usual admission: “An indictment is merely an accusation, and a defendant is presumed innocent unless proven guilty in a court of law.” It was the most important sentence, because very few allegations in the indictment made it to the verdict. A mountain gave birth to a molehill. I have highlighted some of the most offensive, demented, and ridiculous statements from the press release:

The defendants used unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts …

The charges were announced by Attorney General Jeff Sessions of the U.S. Department of Justice, Director James Comey of the FBI, Acting Assistant Attorney General for National Security Mary McCord, U.S. Attorney Brian Stretch for the Northern District of California and Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch.

Hadn’t Jeff Sessions recused himself from investigating “Russian interference”? Just kidding — I know that investigating Russian interference was a code phrase for investigating Trump.

“Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history,” said Attorney General Sessions. “But thanks to the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners, today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law.”

“Today we continue to pierce the veil of anonymity surrounding cyber crimes,” said Director Comey. “We are shrinking the world to ensure that cyber criminals think twice before targeting U.S. persons and interests.”

Comey shrinking the world — what a picture!

“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale,” said Acting Assistant Attorney General McCord. “Once again, the Department and the FBI have demonstrated that hackers around the world can and will be exposed and held accountable.”

Generally, hackers around the world cannot be exposed, much less brought to justice. This indictment and the consequent prosecution have demonstrated just that. The emphasis should be on defensive measures that prevent data loss to hackers and insiders. Security should have been the top priority. But the Obama administration steered internet development around the Google business model, and this mentality remains. That is another topic, though.

[cont.] State actors may be using common criminals to access the data they want, but the indictment shows that our companies do not have to stand alone against this threat. We commend Yahoo and Google for their sustained and invaluable cooperation in the investigation aimed at obtaining justice for, and protecting the privacy of their users.

Yes, he commended Yahoo for protecting the privacy of its users — after Yahoo allowed a compromise of half a billion to a billion users’ accounts! This statement also indirectly acknowledged that the FBI had failed to properly investigate Yahoo for its negligence in securing users’ data.

A few months later, the Canadian National Post brought a more balanced view of the case:

Emails between Baratov and his alleged contact in the Russian intelligence service show he was only allegedly hired to hack into 80 accounts, and only allegedly succeeded in accessing seven, [Baratov’s attorney] Pillay said.

Hacking into several individual accounts is “fundamentally different” from breaching Yahoo’s security system and gaining access to data from nearly half a billion accounts, Pillay argued.

“There’s no evidence that Mr. Baratov knew who (the person who hired him, Dmitry) Dokuchaev was or that he was FSB,” Pillay said. He also noted that Dokuchaev only allegedly transferred $104 into Baratov’s PayPal account. “If the applicant knew he was dealing with a government official from another country, $104 is not a lot of money for his trouble,” Pillay said.

But Crown Attorney Heather Graham said that money is only what was allegedly transferred to Baratov’s PayPal accounts, suggesting further funds could have been sent to other accounts American investigators have not been able to access.

“Further funds could have been sent,” but “the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners” should have found them and brought them as evidence to the trial. Anyway, the successful breach of seven accounts would bring a payment of somewhere between $420 and $770, according to the price list — about 0.1% of what Clinton received for a single speech in Moscow.

On 2017-11-28 the DOJ issued a press release with another bombshell headline: “Canadian Hacker Who Conspired With and Aided Russian FSB Officers Pleads Guilty. Russian Officers Tasked Prolific Hacker-for-Hire to Target Webmail Accounts.”

A closer reading shows something entirely different. The hacker Karim Baratov pleaded guilty only to spear-phishing. The allegation that he had taken part in the Yahoo data mega-leak was dropped. His allegedly Russian co-defendants remained in Russia and probably didn’t bother to answer the allegations. Another black eye for the DOJ: “co-defendant” Alexsey Belan, listed on the Wanted by the FBI poster as Latvian, became Russian in the indictment.

As part of his plea agreement, Baratov not only admitted to agreeing and attempting to hack at least 80 webmail accounts on behalf of one of his FSB co-conspirators, but also to hacking more than 11,000 webmail accounts in total from in or around 2010 until his March 2017 arrest by Canadian authorities. Baratov advertised his services through a network of primarily Russian-language hacker-for-hire web pages hosted on servers around the world. He admitted that he generally spearphished his victims, sending them emails from accounts he established to appear to belong to the webmail provider at which the victim’s account was hosted (such as Google or Yandex). Baratov’s spearphishing emails tricked victims into (i) visiting web pages he constructed to appear legitimate, as though they belonged to the victims’ webmail providers and (ii) entering their account credentials into those web pages.
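The lure pattern the plea describes, a sender and a login link that invoke a webmail brand from a domain the brand does not own, can be flagged mechanically at the mail gateway. The following detector is an added illustration, not code from the post or from any of the parties it discusses; the two sample messages are constructed (only accounts-google.net comes from the post), and the list of legitimate provider domains is an assumption to be extended for a real deployment.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand keywords a lure may invoke -> domains that legitimately serve that brand (assumed list).
BRANDS = {
    "google": {"google.com", "gmail.com"},
    "gmail": {"google.com", "gmail.com"},
    "yahoo": {"yahoo.com"},
    "yandex": {"yandex.com", "yandex.ru"},
}

def _is_under(host, domains):
    """True if host equals or is a subdomain of one of the given domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def brands_mentioned(text):
    """Brand keywords occurring anywhere in text (display name, domain or body)."""
    low = text.lower()
    return {b for b in BRANDS if b in low}

def check_sender(from_header):
    """Flag a From: whose name or domain invokes a brand it is not under (e.g. accounts-google.net)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return [f"claims {b} but sends from {domain or '<none>'}"
            for b in sorted(brands_mentioned(name) | brands_mentioned(domain))
            if not _is_under(domain, BRANDS[b])]

def check_links(body, claimed):
    """Flag links whose host lies outside every brand the message invokes."""
    allowed = set().union(*(BRANDS[b] for b in claimed))
    hosts = (urlparse(u.rstrip(".,;)")).hostname or ""
             for u in re.findall(r"https?://\S+", body))
    return [f"link to {h} in a message invoking {', '.join(sorted(claimed))}"
            for h in hosts if claimed and not _is_under(h, allowed)]

def analyze(from_header, body):
    """All findings for one message; an empty list means nothing looked off."""
    claimed = brands_mentioned(from_header) | brands_mentioned(body)
    return check_sender(from_header) + check_links(body, claimed)

# Constructed samples: one lure in the style described above, one genuine notice.
PHISH = ("Google Accounts <security@accounts-google.net>",
         "Unusual sign-in to your Gmail. Verify now: https://accounts-google.net/signin")
LEGIT = ("Gmail Team <no-reply@accounts.google.com>",
         "Review recent activity at https://myaccount.google.com/security")
```

Run `analyze(*PHISH)` to see both the sender and the link flagged, while `analyze(*LEGIT)` returns nothing; the same keyword test is what a user should apply by eye before typing a password into a page a mail linked to.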

But neither the verdict in the case nor common sense stood in the way of the DOJ when it was grandstanding about the alleged Russian cyber-threat:

“The illegal hacking of private communications is a global problem … These threats are even more insidious when cyber criminals such as Baratov are employed by foreign government agencies acting outside the rule of law,” said U.S. Attorney Stretch.

This press release follows the same pattern as the Mueller charges: Americans (a Canadian in this case) plead out or are found guilty of something not linked to Russian intelligence; the DOJ accuses Russian citizens of being FSB officers or spying for Russia with full knowledge that they would not stand trial in the US. Even if the individual for whom Baratov attempted to breach 80 accounts were an FSB officer, that comprises less than 0.1% of Baratov’s business and does not establish a real link.