SAN FRANCISCO (CN) — In a bid to deflate the government’s case against alleged Russian hacker Yevgeniy Nikulin, defense attorney Adam Gasner raised the possibility that Nikulin could himself have been the victim of an intrusion, and that cybercriminals, possibly working under the auspices of the Russian government, stole his identity in order to commit the very crimes with which he is charged.
“It’s not uncommon, is it, for governments like Russia to co-opt known cybercriminals and use them as cyber mercenaries?” he asked FBI Special Agent Jeffrey Miller during cross-examination Thursday.
“I have no firsthand knowledge of that so I couldn’t say for certain,” Miller said, though he conceded that the Justice Department considers Russia a state sponsor of cyber terrorism activities, along with other countries.
Nikulin is accused of breaching company databases and stealing more than 100 million user passwords. He was arrested in the Czech Republic in 2016 and extradited to the U.S. in 2018 to face nine criminal counts of computer intrusion, causing damage to a protected computer, aggravated identity theft, trafficking and conspiracy.
Gasner ventured that Nikulin’s account on VK, the Russian equivalent of Facebook, could have been compromised by a hacker working with the Russian Federal Security Services to pilfer his Gmail account credentials and implicate him in the 2012 data breaches at LinkedIn, Dropbox and the shuttered Q&A forum Formspring.
VK sent multiple automated alerts to an email address Miller traced to Nikulin: email@example.com. They were mostly notifications about messages and comments made by his girlfriend.
Gasner noted that account information Miller requested from Google showed a marked lack of activity beyond the flow of VK alerts.
“That’s normal,” Miller said.
“You don’t know from yourself who had access to Mr. Nikulin’s VK social media account,” Gasner said, adding that social media platforms like Facebook are often targeted by hackers.
Though the FBI believes Nikulin is responsible for the hacks, his defense team has pointed to other known Russian cybercriminals in his social circle, including Oleksander Ieremenko, indicted for hacking the U.S. Securities & Exchange Commission, and Evgeniy Bogachev, a hacker wanted by the FBI for the GameOverZeus malware hack that infected more than 1 million computers.
They’ve also steered suspicion toward Alexsey Belan, wanted for hacking Yahoo’s network and stealing 500 million user accounts. Belan is at least one hacker who is suspected of conspiring with the Russian government to steal user account credentials for commercial gain, according to an announcement by the FBI in 2017.
Miller said he was not involved in the Belan investigation, but remembered seeing references to Belan’s connection to the FSB on his wanted poster.
Miller also said he did not believe Belan was responsible for the LinkedIn, Dropbox or Formspring hacks, though he testified earlier this week about Belan’s alleged role in helping connect Nikulin to Nikita Kislitsin, who negotiated the sale of the Formspring database in September 2012.
Gasner also questioned the reliability of the Russian government’s response to Miller’s Mutual Legal Assistance Treaty request for information about suspicious activity on LinkedIn’s employee VPN logs from five Russian IP addresses. The Russian government’s response, which contained IP address information from the Russian internet provider National Cable Network, revealed one of those addresses as Nikulin’s residence in Moscow.
Gasner pointed out that the documents contained no reviewing signature.
“Wouldn’t you want to know who this person was employed by and what their position is?” he asked.
Miller answered, “Yes.”
“And we don’t know that,” Gasner said.
Miller replied, “No.”
“You’re not skeptical of information you receive from the Russian government, sir?” Gasner asked.
“Not in response to an MLAT, no,” Miller said.
Gasner pressed, “As a member of the American intelligence community, are you testifying that you don’t approach any information you receive from the Russian government with any degree of skepticism?”
“I trust the information they provide is accurate and if I can prove otherwise through other means, that’s a different story,” Miller said.
Miller also acknowledged that although investigators found evidence that Kislitsin brokered a wire transfer of $7,100 from the stolen Formspring data, he never found any evidence that Nikulin received any of that money.
“Did Mr. Nikulin ever receive any financial gain that you were able to track from these breaches?” Gasner asked.
“No,” Miller said.
Closing arguments are expected Friday, and jurors could start deliberating as early as Friday afternoon.