
More Glimpses Of How Russian Intelligence Utilized Hackers Revealed In U.S. Trial

By Mike Eckel March 16, 2020

One month after he was indicted in the United States for hacking-related cybercrimes, a Russian man named Nikita Kislitsin sat in a room at the U.S. Embassy in Moscow where FBI agents notified him of the charges.

At the time of the meeting, in April 2014, Kislitsin was employed by Group-IB, a major Russian cybersecurity company. Prior to that, Kislitsin had been well known in Russia's cyberunderground. He was acquainted with Yevgeny Nikulin, whom he described as the "Putin" of the hacking world.

According to filings in U.S. federal court, Kislitsin was notified of his rights by the FBI agents. Kislitsin then indicated that he was "open for collaboration" and wanted to "mitigate problems."

And he described how another Russian hacker had worked with the Russian Federal Security Service, known as the FSB, to obtain "compromising information" on unnamed individuals.

The revelations are contained in filings in the U.S. District Court in San Francisco, where Nikulin is on trial for a series of hacks and cyberthefts that targeted major U.S. social-media companies including Dropbox, LinkedIn, and Formspring.

Nikulin, who was arrested in Prague in October 2016 and extradited 17 months later, was targeted by U.S. law enforcement as part of a multiyear campaign to arrest some of the most notorious Russian hackers and suspected cybercriminals. More than a dozen have been arrested in various countries, a development that has enraged Moscow, which has accused Washington of "hunting" Russian citizens.

The campaign undermined years of fitful cooperation between U.S. law enforcement and Russian intelligence on various cyberinitiatives. But it has also yielded insights into how Russian intelligence agencies including the FSB allegedly used hackers as part of their operations -- including efforts, documented by U.S. intelligence and U.S. congressional committees, to interfere in the U.S. presidential election in 2016.

Fancy Bear, Cozy Bear

Since 2016, when the U.S. intelligence community first publicly accused Russia of using a cyber-and-propaganda campaign to interfere in the presidential election, there has been a steady drip of evidence -- in media reports, in congressional testimony, in court filings -- that has filled gaps in the picture of how Russian security agencies undertook efforts to steal logins, passwords, and other information, not just from Americans, but from Europeans and others as well.

In July 2018, the U.S. Justice Department unsealed an indictment by Special Counsel Robert Mueller that charged 12 officers with Russia's military intelligence agency, known as the GRU, of hacking the servers and e-mail accounts of the U.S. Democratic National Committee and the campaign of presidential candidate Hillary Clinton.

Cyber-researchers dubbed the hacking group run by the GRU as Fancy Bear.

A hacking group that attacked the White House, the State Department, and major U.S. companies was dubbed Cozy Bear and was alleged to be controlled by the FSB, whose main cyberdivision was known as the Center for Information Security.

In December 2016, one month after Republican candidate Donald Trump defeated Clinton to win the U.S. presidential election, the outgoing administration of Barack Obama expelled dozens of Russian diplomats and announced sweeping new sanctions in response to alleged hacking. Both the GRU and the FSB were targeted.

Earlier that same month, two top officers with the FSB's Center for Information Security were arrested in Moscow by the FSB itself. One of them was a former hacker named Dmitry Dokuchayev who used to work for Kislitsin.

Threat Intelligence

As of 2012, Nikulin and Kislitsin were acquaintances, possibly friends, in Russia's hacking community. The two met at a Moscow hotel in March 2012, along with several other Russians and Ukrainians, at a gathering that was dubbed the "summit of bad motherf*****s," according to evidence submitted in Nikulin's trial.

That same month, according to the U.S. indictment unsealed after his extradition to the United States, Nikulin broke into the servers of LinkedIn, the professional social-networking company, and stole its user database.

A couple of months later, Nikulin allegedly also hacked another lesser-known social-media company, Formspring. Kislitsin then allegedly worked with another Russian, Aleksei Belan, to buy the Formspring data from Nikulin.

At the time, Kislitsin was the editor in chief of a Russian cybermagazine called Hacker. Among his employees was a hacker nicknamed "Forb." His real name was Dokuchayev, who went on to join the FSB cyberunit.

In January 2013, Group-IB hired Kislitsin as a specialist in "threat intelligence." He later became the company's director of network security.

Later that year, according to Group-IB, Kislitsin and company representatives met with officials from the U.S. Justice Department in Moscow. The purpose of the meeting was to "inform them of research relating to the underground," which Kislitsin conducted prior to joining Group-IB.

"[Since] this meeting, neither Group-IB nor Nikita Kislitsin have been officially approached with any additional questions," the company said in a statement to RFE/RL on March 5.

In fact, according to U.S. court filings, Kislitsin met with the FBI in Moscow in April 2014, one month after an indictment was filed, under seal, in the San Francisco federal court.

In a second statement to RFE/RL, Group-IB said the indictment against Kislitsin was filed well after he was hired.

Asked about the discrepancy between the statement that the company and Kislitsin were not "officially approached with any additional questions" and Kislitsin's April 2014 meeting, the company declined to answer.

Center For Information Security

During the meeting with the FBI, according to U.S. prosecutors, Kislitsin was advised of his legal rights under U.S. law. Kislitsin also indicated that he was "open for collaboration" and wanted to "mitigate problems."

Kislitsin discussed multiple topics in the interview, prosecutors said, "including other hackers who have no relation to the charges in this case."

That included Nikulin, whose last name Kislitsin said he did not know.

"He knew that his nickname was 'Zhenya,'" according to the court filing. "Kislitsin said that Yevgeny was living in Moscow, was very wealthy, and owned multiple Maserati cars. Kislitsin described Yevgeny as the 'Putin' of the hacking world" -- a reference to Russian President Vladimir Putin.

It also included Belan, who was allegedly involved in the sale of Formspring data, and had allegedly hacked other Internet companies including Zappos and Evernote. He was arrested in Greece in 2013 at the request of the U.S. authorities, but evaded extradition and returned to Russia, where he was recruited by the FSB.

Kislitsin told the FBI, according to court documents, that "Belan assisted an FSB captain with assignments that, in Kislitsin's belief, involved targeting specific e-mail accounts and other data. Kislitsin said that the other individual claimed that the FSB captain was building profiles on various individuals using 'compromising information.'"

The documents do not indicate who the FSB "captain" is.

However, in March 2017, four months after Belan was sanctioned by the Obama administration, Belan was indicted for what turned out to be one of the largest cyberthefts in the history of the Internet: the theft of hundreds of millions of credentials from Yahoo.

Indicted alongside Belan were two FSB officers, including Dokuchayev. Another unnamed FSB officer was described in the indictment; the description matches up with Dokuchayev's superior officer at the Center for Information Security: Sergei Mikhailov.

The same month that Belan was sanctioned by the Obama administration, the FSB arrested Mikhailov and Dokuchayev, charging them with state treason for allegedly passing classified information to U.S. intelligence. Two other men were also arrested, including Ruslan Stoyanov, a former Interior Ministry cybercrime investigator who worked for Kaspersky Lab.

Mikhailov, like Stoyanov, pleaded not guilty to the Russian charges, and was sentenced last year to 22 years in prison. Dokuchayev pleaded guilty and agreed to cooperate with investigators. He was handed a six-year sentence.

Hearsay Evidence

Filed under seal six years ago, Kislitsin's indictment -- allegedly as a co-conspirator in the theft of the Formspring data -- was released publicly on March 2, one week before Nikulin's trial began in San Francisco.

The revelations contained in Kislitsin's interview with the FBI came to light specifically as part of the Nikulin trial.

Unusually, however, U.S. prosecutors have sought to keep the evidence contained in Kislitsin's interview from being introduced in Nikulin's trial.

The information Kislitsin was relaying, prosecutors said, was second-hand: it was information that he had heard from another unnamed individual, which made it less valuable from a prosecution standpoint.

Moreover, prosecutors appeared to argue that Nikulin's defense lawyers were using Kislitsin's testimony to the FBI in their defense, and could potentially confuse the jury.

A spokesman for the U.S. attorney's office for the Northern District of California did not immediately respond to an e-mail seeking further comment.

Nikulin's lawyers, meanwhile, appeared to be focusing their arguments in defense of Nikulin on highlighting other hacks that the FSB has allegedly been implicated in, suggesting it may have been the Russian agency that was behind the hack that Nikulin was involved in.

"The overall structure and relationship between the cyberhacker community and Russian government is very well documented," defense lawyer Valery Nechay was quoted by Courthouse News as saying.

Source: https://www.rferl.org/a/more-glimpses-of-how-russian-intelligence-utilized-hackers-revealed-in-u-s-trial/30491223.html

Copyright (c) 2020. RFE/RL, Inc. Reprinted with the permission of Radio Free Europe/Radio Liberty, 1201 Connecticut Ave., N.W. Washington DC 20036.
