Was Yahoo a sanctioned FSB operation or a rogue operation?

Russian SORM-2

There are good reasons to believe that the two indicted FSB officers and the two hackers who worked for them were acting independently and not in their official capacity as employees of the Russian Federal Security Service.

Charges of Treason

FSB Major Dmitry A. Dokuchaev, named in the indictment, has been charged with treason by the Russian government.

An unnamed “FSB officer #3” who ran Dept 18, where Dokuchaev worked, is probably Sergei Mikhailov, who was its Deputy Head and is also charged with treason by the Russian government.

FSB officer (rank unknown) Igor A. Sushchin, whom the FBI claims is Dokuchaev’s superior and an associate of “FSB officer #3,” has not been charged with treason; possibly because he was working for Renaissance Capital Limited (Rencap), a Russian financial firm owned by billionaire Mikhail Prokhorov, a political opponent of Vladimir Putin (he ran against him in the 2012 election). In fact, the FSB raided Prokhorov’s offices in 2016.

Sushchin’s involvement, as specified in the indictment, seems to be in line with his assignment at Rencap; meaning he was interested in Yahoo accounts owned by Russian financial company executives. So it’s possible that he leveraged information gained from the non-sanctioned Yahoo operation for his official duties simply because he could, and not because he needed to.

UPDATE (18 MAR 2017): According to Kommersant, Renaissance Capital fired Sushchin yesterday. This is probably not something they would do if the bank knew that the FSB had wanted him there in the first place. Under Article 15 of the FSB Law:

“In order to meet the challenges of Russian Federation, security forces of the Federal Security Service could be assigned to public authorities, enterprises, institutions and organizations irrespective of ownership, with the consent of their managers in the manner prescribed by the President of Russia, leaving their military service.”

Targeting of Russian companies

Screen capture from the indictment

The FSB has enormous legal authority in Russia to conduct surveillance on Russian citizens and organizations using SORM and other technical methods. The Russian Law on the FSB (article 15) states that

“all individuals and legal entities in Russia, providing postal services, telecommunications of all kinds, including systems, data communication, satellite communications, are obliged at the request of the Federal Security Service to include in the extra hardware equipment and software, as well as create other conditions necessary for the operational and technical measures by the Federal Security Service.”

This falls under the purview of the FSB’s Information Security Center (where Dokuchaev worked). To put it another way, the FSB has total information awareness on every type of communication that originates in Russia or passes through Russian servers. Which raises the question: why would the FSB, with its vast resources and legal authorities, need to collect information on Russian targets in Russia via Yahoo?

UPDATE (18 MAR 2017): A journalist friend pointed out to me that the indictment (see paragraph 42 captured above) mentions that the two FSB officers ordered Baratov to phish victims on a Russian web and email provider (presumably Yandex). There’s literally no other explanation for this than that they were operating off the reservation.

The obvious answer is — they don’t. And since all of the defendants with the exception of one person are either criminals or charged by the Russian government with treason, the Yahoo breach was most likely the act of corrupt FSB employees and criminal hackers rather than an official FSB operation.

There’s a Pattern of Politics Driving Indictments

In 2014, Chinese cyber attacks were in the political spotlight in Washington leading up to a summit between Obama and Xi. Cybersecurity firms like Crowdstrike published attribution reports blaming the Chinese government and the Dept of Justice charged five PLA officers/hackers with acts of cyber espionage.

In 2016 and 2017, Russian cyber attacks took the spotlight, with Crowdstrike and ThreatConnect publishing attribution reports blaming the FSB and GRU, and the Dept of Justice charged FSB officers and their criminal conspirators with hacking Yahoo.

This is just my theory and perhaps I’m being overly cynical, but there are enough oddities in this case for questions to be raised and hopefully answered.