The growing partnership between Russia's government and cybercriminals

The release of special counsel Robert Mueller's long-awaited report last Thursday created new headlines, but did nothing to lessen the country's partisan divide. One fact, however, that at least U.S. intelligence officials agree on is that Russia's cyber espionage efforts constitute one of the greatest threats we face as a nation.

Tonight, we're going to tell you about one of the most insidious aspects of that threat, one that goes well beyond what Robert Mueller documented in his investigation: it is the growing and unlikely partnership between Russian government spymasters and Russian cybercriminals.

One of the first public hints of this unholy alliance came, coincidentally, when President Obama imposed sanctions on Russia's intelligence agencies for interfering in the 2016 presidential election. At the same time, and little noticed, he also sanctioned two big-time Russian criminal hackers. How the FBI came to unmask them is a great detective story and a rare window into this marriage made in Hell.

Evgeniy Bogachev

John Carlin: What you're seeing is one of the world's most sophisticated intelligence operations when it comes to cyber espionage using the criminal groups for their intelligence ends and protecting them from law enforcement.

John Carlin, the assistant attorney general for national security during the Obama administration, echoes what current U.S. officials have confirmed to us about the Russians.

Lesley Stahl: So the intelligence agencies are what, piggybacking on the criminal enterprise?

John Carlin: Increasingly, you cannot tell which is which when it comes to the criminal and the intelligence agency. So one day, the same crook may be doing something purely to make a buck. But that same crook may be directed by a trained intelligence operative using the same tools and techniques to steal information from them for the goals of the state.

Lesley Stahl: Why would the government rely on crooks? They could do their own intelligence.

John Carlin: By relying increasingly on criminals and the tools that they use, they make it really difficult to figure out who did it. They wanna hide their tracks.

For years, they were able to hide their tracks behind the criminal exploits of this Russian hacker, Evgeniy Bogachev, one of the FBI's most wanted cybercriminals today, with a $3 million bounty on his head.

Dave Hickton: He is the most prolific, most dangerous, and most notorious cybercriminal in history.

Dave Hickton is the former U.S. attorney in Pittsburgh who oversaw the government's investigation of Bogachev, which began in 2009.

Lesley Stahl: In the beginning, did you know anything about his connections to the Russian government?

Dave Hickton: We were very much in the dark about who he was, where he was. He was a phantom over the internet effectively.

A phantom with no known address or nationality who went by the online aliases of "Slavik" and "lucky12345". What was known was that he had created a computer program that enabled him to steal victims' online credentials, which he then used to drain their bank accounts. It was called "Gameover ZeuS".

Dave Hickton: If you were infected, it was game over.

Lesley Stahl: Did he just do individuals or did he go in and disrupt companies?

Dave Hickton: Oh, both. He was particularly prolific with banks and businesses at the time of payroll.

To help identify lucky12345, the feds brought together cybersecurity experts from around the world, including Microsoft, which was already looking into this because so many of its clients had been hacked.

Lesley Stahl: So this is the Microsoft Cybercrime Center?

Tom Burt: It is. It is the home of our Digital Crimes Unit.

Correspondent Lesley Stahl with Tom Burt

Tom Burt is a vice president of cybersecurity at Microsoft, which was enlisted to understand how Gameover ZeuS worked and to identify where the infected computers were located.

Tom Burt: This is Omaha, Nebraska. And the FBI reported that the first infections they found were here in Omaha.

Lesley Stahl: And then you begin to see what? Show us.

Tom Burt: Well, you see where all the infected computers were that were part of this criminal network.

Lesley Stahl: Oh my goodness. Whoa.

Tom Burt: These are the infected devices connecting to the internet throughout the United States that were part of this Gameover ZeuS criminal enterprise. And now you can see how it was really a global-- a global network.

A global network of a million infected computers under the complete control of this cyberthief.  

Lesley Stahl: You know what's almost as interesting as where the red dots are, is where they're not.

Tom Burt: That is interesting.

Lesley Stahl: So look at Russia.

Tom Burt: It's not at all unusual for these criminals who operate these kinds of networks to actually design their code so it will not infect computers in the country they live in.

As Microsoft investigators worked with the FBI to map the spread of Gameover ZeuS, they also reverse-engineered its computer code. And what they saw stunned them: a thicket of interconnected infected computers around the world that made it nearly impossible to trace back to its creator, lucky12345.

Tom Burt: We looked at it and said, "Whoa, how do we stop this?"

Lesley Stahl: And he was just hiding behind all of this. The Wizard of Oz behind everything.

Tom Burt: The very rich Wizard of Oz.

What Microsoft figured out was a way to pull back the wizard's curtain.

Tom Burt: We created computers that we called honey pots that we actually got onto the criminal network. We got them infected so that we could then see all the traffic, all the communication that was passing through the network.

Lesley Stahl: And once you were able to do that, what-- was it just a matter of time before you broke them down?

Tom Burt: Once we had that information and we understood how the network worked we gave that to the FBI. They then had a lotta work to do before they were able to identify who the real bad guy was.

The FBI turned to other security experts for help. One of them was Brett Stone-Gross of the cybersecurity firm CrowdStrike.

Brett Stone-Gross

Lesley Stahl: When you started to analyze Gameover ZeuS, how advanced, how sophisticated, Brett, was it? 


Brett Stone-Gross: From every angle it was innovative and brilliant. And what they did was they had designed the system that was very difficult for both researchers and law enforcement to take action against.

Lesley Stahl: How long did you track him?

Brett Stone-Gross: Yeah, we had tracked him close to 10 years.  

Lesley Stahl: You chased this guy for ten years?

Brett Stone-Gross: Yup.

As the FBI dug deeper, they realized his criminal operation was every bit as innovative and brilliant as his computer code. Lucky12345 had assembled something law enforcement had never seen before: a syndicate of super cyber-criminals looting banks and businesses with impunity.  

Dave Hickton: We were chasing a group of individuals, which was known as the Business Club, which was a collection of some of the most skilled and dangerous cybercriminals in the world who had formed what was basically a 21st century mafia don club for the internet.

Lesley Stahl: Did you ever determine how much money they actually stole?

Dave Hickton: We stopped counting at $100 million in the United States. And I really think the answer is he stole as much as you can count.

After years of investigation, they were no closer to identifying the mastermind, until finally they got a tip from a source.

Lesley Stahl: So you really didn't catch him with whatever tools we have. You had to have a human being walk in like in the old days.

Dave Hickton: Right. This confidential human source came forward and said, "I think this email address, which traces back to Russia, is gonna be the ticket to find him," and that proved true.

Because the email address was how lucky12345 communicated with his criminal syndicate. And by connecting many dots, the FBI was eventually able to identify the mastermind as Evgeniy Bogachev, a raccoon-eyed, 30-year-old whose last known address was here in Anapa, a Russian resort city on the Black Sea. Online photos show him on his boat, with his wife and with his spotted bengal cat in his matching pajamas. The feds finally had their man.

Meanwhile, they had analyzed his computer server where, says former Justice Department official John Carlin, they saw that Bogachev had begun searching around for targets outside his criminal activities.

John Carlin: We saw them doing things like right before Russia was going to invade Ukraine, we saw that same network being used to collect information on Ukraine. And we saw terms like "Top Secret" or "Department of Defense" being used as search terms or queries.  

Lesley Stahl: U.S. Department of Defense?

John Carlin: Yes.

Lesley Stahl: What other agencies was he looking into?

John Carlin: There were queries targeting the FBI. And—

Lesley Stahl: Why the FBI?

John Carlin: It seems like they were looking for information that they could use to then compromise or try to turn FBI agents.

All of which led U.S. national security officials to conclude that Bogachev had become an asset of Russian intelligence, though U.S. investigators had no concrete proof of Moscow directing him. They would get proof in another case, involving this Russian cyber thief, Alexsey Belan, who was indicted in 2017 along with two Russian intelligence officers charged with directing him.

According to the indictment, Belan didn't start working with Russian intelligence until after the U.S. asked Russia for help in arresting him for identity theft and other cyber crimes.

John Carlin: This was a period, we were looking for cooperation from the Russians. Not only did they not help, they signed him up as an intelligence asset after we asked for help.

Lesley Stahl: So you identify him for them as a brilliant hacker, and then they sign him up to work for them the way they did with Bogachev?

John Carlin: Yeah, not what you were looking for with cooperation, right?

Lesley Stahl: And then were you able to see that he was working for intelligence, trying to gather information for the state?

John Carlin: And that's the incredible detail in this indictment. This is the first case where we're able to show he's getting direct requests from Russian intelligence officers and they are providing him secret information that he can use to evade detection and arrest.

Belan then proceeded to commit one of the most far-reaching hacks ever, from 2014 to 2016, into Yahoo, one of the world's busiest internet sites.

Lesley Stahl: That was gigantic, that Yahoo hack.

John Carlin: People estimate 500 million to a billion email addresses.

Lesley Stahl: So the Russians have their eyes on half a billion-plus people's computers. And this guy is siphoning off money.

John Carlin: They still let him be the-- the crook that he wants to be.

Lesley Stahl: Uh-huh.

John Carlin: But then they'll also use that same trove of information to target people they might be interested in for intelligence purposes.

People, he says, like business leaders and foreign government officials, in order to steal classified information or to search for something compromising to blackmail them. As documented in both the Belan and Bogachev cases.

Lesley Stahl: Are they the only two cases that we know about?

John Carlin: If you look at the most wanted cyber criminals, it's a who's who of Russians.

Lesley Stahl: Now you mentioned Putin. Is he aware of all of this? Has he personally sanctioned this kind of activity?

John Carlin: There is no doubt that he is both aware of it and has personally sanctioned some of the activity.

Lesley Stahl: Wow.

John Carlin: This is a kleptocracy. This is a government by theft. And the thing that matters the most is that you do what the don wants, what the head of the crime family wants. And here, the head of the crime family is Putin.

Lesley Stahl: The Russian government is running a criminal syndicate. I mean is that going too far?

John Carlin: No. I think increasingly today, the Russian government is a criminal syndicate. It's a rogue state when it comes to cyber activity and it's causing harm to countries, companies, and people throughout the world. 

Produced by Richard Bonin and Ayesha Siddiqi
