Why Would FSB Officer Dmitry Dokuchaev Use a Yahoo Email Account to Spy for Russia?

At the Atlantic, I expanded on this post to explore how Russia has to do by hacking what the US can do using Section 702. As I lay out, for a lot of foreign spying involving US tech companies, Russia has to do things like phish or hack Yahoo’s servers to gain the kind of access the NSA gets just by asking nicely.

But as Jeffrey Carr notes in this post, that’s not true for unencrypted communications that originate in Russia. FSB — the agency where alleged Yahoo hackers Dmitry Dokuchaev and Igor Sushchin worked — have access to anything that originates in Russia.

To put it another way, the FSB has total information awareness on every type of communication that originates in Russia or passes through Russian servers.

Carr uses that detail to argue that this probably means Dokuchaev — who was charged by Russia with treason in December — and Suschin were operating on their own.

[W]hy would the FSB, with their vast resources and legal authorities, need to collect information on Russian targets in Russia via Yahoo?

The obvious answer is — they don’t. And since all of the defendants with the exception of one person are either criminals or charged by the Russian government with treason, the Yahoo breach was most likely the act of corrupt FSB employees and criminal hackers rather than an official FSB operation.

Now, many if not most accounts identified in the indictment (I made a list of the described targets in this post) wouldn’t be officially available, because they’re located in countries adjoining Russia or the US.

But there are a few other details that do support Carr’s argument.

First, in addition to Yahoo and Google accounts, the conspirators targeted a Russian webmail service — probably Yandex.

In or around April 2016, the conspirators sought access to an account of a senior officer at a Russian webmail and internet-related services provider (the “Russian Webmail Provider”). On or about April 25, 2016, DOKUCHAEV successfully minted a cookie to gain access to the victim user’s account.

Admittedly, FSB might not want to go to Yandex (or whichever provider it is) to ask for information on one of their senior officers, but nevertheless, this information should be available officially in Russia. Another passage that describes the Russian webmail service lists only Russian targets, though that section also includes Google targets, so those may have been the GMail accounts of Russians unavailable in Russia.

In addition, the day after the indictment, Sushchin got fired from Renaissance Capital (which is owned by Nets owner Mikhail Prokhorov), where he was embedded. That suggests his was not an official embed noticed to the company (though it still may have been a legitimate FSB placement).

Most interesting of all is that Dokuchaev used US resources to conduct the hack. He had a Paypal account, which he presumably used to pay Karim Baratov.

All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx2639, held by DOKUCHAEV;

And, according to the G&M (and this is the most amazing part), Dokuchaev used a Yahoo account to communicate with Baratov.

Mr. Dokuchaev is alleged in the court documents to have used a Yahoo e-mail account to contact Mr. Baratov and hire him to get the log-in information for about 80 accounts belonging to victims of the Yahoo hack.

I get why you wouldn’t email Baratov from your [email protected] account, because that would alert Canadian and US authorities he was working with Russian spies. But surely a Russian spy knows enough not to communicate via an account that is readily available to US authorities under Section 702, even if the conspirators’ persistent presence in the Yahoo servers might alert you to such surveillance? Even if you wanted to use an account in North America there are surely better options.

In other words, there are a lot of reasons to believe that Dokuchaev was making more effort to keep this activity out of easy reach of Russian authorities then he did to hide it from the US.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

9 replies
  1. Rayne says:

    WaPo’s Andrew Roth offered four theories related to Dokuchaev’s arrest for treason. Almost seem too pat for otherwise byzantine situation.

    EDIT: by the way, I see roll-up continues apace. Another dead Russian, this time inside a prison cell with two puncture wounds to the neck. Held for embezzling money from an aerospace company.

    • emptywheel says:

      Yeah, all covered in this post in February. Plus he’s missing 1) the tie between King Servers and Vrublevsky and 2) an error in the public claims about King Servers that I’ll come back to.

       

        • emptywheel says:

          I suspect it may actually be MORE pat. There are people in the US who were under the impression that the Humpty Dumpty stuff was retaliation for the DNC hack.

  2. Badtux says:

    The thing is, while *unencrypted* communications can be spied upon easily by the FSB, *encrypted* communications cannot — and both Google and Yahoo have moved to encrypt all connections to their servers in the wake of the Snowden revelations. Try it yourself. Go to http://google.com and you’ll be immediately popped into an encrypted https connection with the little green “Secure” lock. If you’re in Russia, the FSB can see that you’re talking to Google (or gmail, or yahoo mail, or etc.), but they can’t see the actual content of your communication.

    And for the conspiracy theorists out there, no, RSA encryption has not been broken (we still haven’t solved the prime factoring problem), and SSL is still secure (assuming the private keys corresponding to the public key certificates in your web browser have not been compromised).

    Thus the need for the FSB to hack Google and Yahoo to see what dissidents are up to when they’re logged into those servers. If the FSB *isn’t* hacking them, they’re stupid. And nobody has yet to convince me that the FSB is stupid.

    • Rayne says:

      You’ve only mentioned three layers of the security stack. And the spying referenced here on Yahoo accounts happened before the shift toward greater security measures — this breach was a key driver behind that shift.

      • emptywheel says:

        How was this breach a key driver? Yahoo didn’t admit knowing about it for years after the fact. The NSA breach and NSA’s spying on Yahoo overseas was. Plus, this hacking continued through 2016.

    • emptywheel says:

      There’s a reason I said “unencrypted.” Because I know that encrypted would need to be hacked. But Google is one thing and Yahoo another.

  3. SpaceLifeForm says:

    Why would an FSB officer use Yahoo?

    1,  They would not except for cover/blending in.

    2. They already knew Yahoo was hacked so that lends to a plausible cover story.  But would also make it less likely they would ever setup a Yahoo account in the first place.

    3.  Yahoo lets anyone setup an email account with any name.  (as long as not already used, but a few years ago they dropped that rule if the email addy had been dormant for years.   Note that this policy is super bad security practice.  Allows forgery after the fact.)

    4.  They were scared to use gmail.

     

    OR…

     

    The entire story is pure unadulterated  bullshit, and Baratov was gamed by a TLA with BlackOps money.  The other three alleged co-conspirators did nothing.

    And those other three will never testify in any US court or in front of House or Senate.

     

     

     

Comments are closed.