One of the key figures in a cyber-treason scandal shaking Russia and possibly related to Russian efforts to influence the U.S. presidential election has been linked to underground criminal forums on the web, something cybersecurity analysts say shows the overlap between Russia’s security services and the criminal underworld.
Dmitry Dokuchaev, a major in Russia’s FSB security service and its Information Security Center, the nation’s premier unit investigating cybercrime, used the screen name “Forb” when he mingled with the large underground community of Russian-speaking criminals who use the so-called dark web to trade tools for defrauding consumers in the West.
Dokuchaev’s activities have potential significance to congressional inquiries into President Donald Trump’s ties to Russia. Prosecutors under President Vladimir Putin have charged Dokuchaev and his boss with treason, accusing them of collaborating with the CIA just weeks after the Obama administration made public its conclusions that Russia had meddled in the 2016 presidential election.
“If you look at his history, he did lots of general cybercrime stuff. He did lots of account takeovers. He did lots of stuff with carding – credit card fraud,” said Vitali Kremez, senior intelligence analyst at Flashpoint, a New York-based firm that provides services to confront cyber threats.
Whether Dokuchaev or his boss, Sergei Mikhailov, had direct ties with the CIA is not known publicly. But Dokuchaev’s activities open a window onto how Russia’s Federal Security Service, known as the FSB – the successor to the Soviet Union’s KGB spy agency – has deep links to the murky world of cybercrime and uses criminals to help reach state objectives.
“The Russian intelligence services are notorious for using criminal groups to create backstopping or moonlighting for their own benefit,” said Leo Taddeo, who until 2015 headed the cyber division of the FBI’s New York City office. Following the fall of the Soviet Union, “there was a great melding of criminal activity and intelligence gathering activity on the part of the FSB.”
Dokuchaev’s arrest sometime before the turn of the year made less news than that of Mikhailov, a colonel who was deputy director of the Information Security Center. According to Russian media closely linked to Putin, Mikhailov was led from a room in the nine-story FSB headquarters in Moscow with a sack over his head.
The whole string of arrests is unprecedented.
Vitali Kremez, senior intelligence analyst at Flashpoint
“The whole string of arrests is unprecedented,” Kremez said, noting that two other men outside of government who are known for advanced hacking and computer skills also were arrested.
Treason charges brought an intense spotlight to the two FSB officers.
“Treason is a particularly unique charge, and it sends a message. It wouldn’t have been brought without very high-level deliberation in the Putin regime,” Taddeo said.
The treason scandal broke in late January, a month after then-President Barack Obama expelled 35 Russians identified as intelligence operatives in retaliation for what the White House called “very disturbing Russian threats to U.S. national security” in connection with hacking during the U.S. election campaign.
In a follow-up 25-page declassified report Jan. 6, the U.S. intelligence community blamed Russia for hacking aimed at helping Trump win the vote.
“Russia’s intelligence services conducted cyber operations against targets associated with the 2016 U.S. presidential election, including targets associated with both major political parties,” the assessment said.
U.S. officials accused Russian military intelligence and the FSB of what the U.S. officials called “malicious cyber activity.”
The FSB has many roles in the cyber sphere domestically and abroad, but is not the only agency involved in regulating and investigating the digital realm. The Russian Interior Ministry also has a dedicated unit, known as Division K (K is for Kiber, or Cyber in Russian).
The FSB conducts counterespionage efforts in the cyber sphere and works with law enforcement in investigations. It also has a commercial function, licensing some products for consumer use, a potential source of corruption.
Before the treason charges were levied, Russian media had sought to portray Mikhailov as corrupt.
“LifeNews.ru, a news outlet that is often linked to the FSB, reports that the FSB found $12 million in cash in a search of his apartment and dacha,” said a U.S. investigator based in Western Europe who closely follows Russian cyber policy and criminal groups but fears retaliation and asked to remain anonymous.
A pro-Kremlin television network, Tsargrad TV, which is controlled by Konstantin Malofeev, a billionaire favored by Putin, reported in late January that Mikhailov had passed to U.S. agents the information that allowed Washington to issue the intelligence report blaming Moscow for election-related hacking.
Cybercriminals from Russia and Russian-speaking Eastern Europe and Central Asia buy and sell malicious tools, services, stolen personal data and passwords in forums on what is known as the dark web, an area of the internet that can be visited only with a Tor browser that guarantees anonymity.
At the RSA Cybersecurity conference here this week, researchers said Russian cyber-criminal techniques were expanding rapidly. Researchers in 2016 identified 62 new families of ransomware, or code used to encrypt a victim’s data until a ransom is paid. Of those, 47 are associated with Russian groups, said Anton Ivanov, senior malware analyst at Kaspersky Lab, a Moscow-based company that sells anti-virus and other cybersecurity products.
Such ransomware is deployed all over the world, he said, attacking a victim every 20 seconds.
How deeply Dokuchaev may have been involved in forums is not known.
Kremez, who was born in Belarus, a former Soviet republic, said he didn’t believe Dokuchaev had acted alone in visiting dark web criminal forums or without FSB knowledge.
“He was a high-level FSB agent,” Kremez said. “There must be more than one individual. It’s a safe assumption.”
Details of the case against Dokuchaev and Mikhailov are secret.
Treason cases are classified . . . so getting direct, verified information may be hard.
U.S. investigator of Russian cyber activities
“Treason cases are classified . . . so getting direct, verified information may be hard,” said the investigator.
Russian media, principally the Novaya Gazeta newspaper, also suggest a link between the two detained officers with a hacking group known as Shaltai Boltai, which means Humpty Dumpty in Russian, and which has leaked emails hacked from high-level Russian politicians and shaken down others to avert publishing their stolen information, the investigator said.