SAN FRANCISCO (CN) – The federal government’s case against a Russian national accused of hacking tech companies LinkedIn, DropBox and Formspring in 2012 faltered Wednesday, as the judge overseeing the jury trial expressed some concerns about the prosecution’s evidence.
The hacker, who prosecutors say is 32-year-old Yevgeniy Nikulin, took control of a personal computer that a LinkedIn employee used to log in to work remotely, and from there compromised the company’s internal database of user credentials.
Nikulin also allegedly infiltrated a DropBox engineer’s work account, as well as the work credentials of a former employee of the now-shuttered Q&A site Formspring, to make off with millions of user passwords that later showed up on internet hacker forums.
Attorneys for the government focused much of their direct examination of company employees, and of retired FBI Agent Bryant Ling, on establishing how the intrusion occurred. U.S. District Judge William Alsup observed during a mid-morning break that the testimony was getting bogged down with “excruciating detail that seems irrelevant.”
Alsup asked if prosecutors “had some magic witness” who could tie everything together, saying, “I figured you had a grand plan.”
Not really. Assistant U.S. Attorney Michelle Kane said she has to show there were three companies that suffered data breaches via unauthorized use of employee accounts. “We have to prove their identities were used without their permission,” she said.
According to the government, the FBI obtained records showing that a DropBox account with the username “firstname.lastname@example.org” was registered shortly before the DropBox hack and was accessed from an IP address in Russia. The same Russian IP address was also linked to the DropBox attack and to the intrusions at LinkedIn and Formspring. Prosecutors hope to show the 16-member jury that Nikulin is the owner of the chinabig01 account but have not yet done so.
Nikulin’s lawyers attacked the government’s IP address theory during cross-examination, suggesting that a proxy server could have been used to mask the actual IP address. In other words, an intermediary server could have made it appear that the attack was coming from Russia. A victim’s server logs only the address of the machine that connected to it; from those logs alone there is typically no way to tell whether that machine was a proxy, so establishing the true source requires access to the proxy’s own records or to the attacker’s computer.
“When a proxy server is used you can’t be certain of the actual source IP address of the information?” defense attorney Adam Gasner asked Formspring founder Ade Olonoh.
“Of the original source, no,” Olonoh said.
“A proxy server is used to mask the original IP address right?” Gasner asked.
“Yes,” Olonoh replied.
“So the IP address that Formspring is getting would not be the IP address where the information was originated,” Gasner pressed, and Olonoh again answered yes.
“So if you do a lookup of the IP address in your system’s log you are getting the IP address you received, but not necessarily the IP address from which the information came,” Gasner continued.
“Yes, we’d see the IP address of the proxy server,” Olonoh said.
Finally Gasner asked, “One of the reasons people use proxy servers is to keep the original IP address private?”
Olonoh said: “Yes.”
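The exchange above turns on what an access log can actually attest. The following is an added example, not code from the article or from any of the companies involved: a small Python triage routine that separates the address a web server itself observed (its TCP peer) from addresses the request merely claimed via an X-Forwarded-For header. The log lines, timestamps and addresses are constructed (RFC 5737 documentation ranges), the log format with a trailing quoted X-Forwarded-For field is an assumption, and own_proxies is a hypothetical allow-list of proxies the investigating company operates.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines: combined log format with one extra
# trailing quoted field holding the X-Forwarded-For header as received
# ("-" when absent). Addresses are RFC 5737 documentation ranges and the
# timestamps are invented; none of this is evidence from the case.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2012:08:15:02 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [12/Mar/2012:08:15:09 +0000] "GET /export HTTP/1.1" 200 10240 "-" "Mozilla/5.0" "198.51.100.23"
192.0.2.44 - - [12/Mar/2012:08:16:30 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.21" "10.0.0.5, 203.0.113.7"
"""

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Address blocks that cannot be the far end of an Internet connection.
NON_ROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_routable(addr):
    """True if addr could plausibly be an Internet peer (not RFC 1918, loopback or link-local)."""
    try:
        a = ip_address(addr)
    except ValueError:
        return False  # not even an address (X-Forwarded-For is free text), so not an attributable peer
    return not any(a in net for net in NON_ROUTABLE)


def parse_line(line):
    """Split one log line into its fields; xff_chain is the X-Forwarded-For list, left to right."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    entry = m.groupdict()
    entry["xff_chain"] = [] if entry["xff"] == "-" else [h.strip() for h in entry["xff"].split(",")]
    return entry


def attribute(entry, own_proxies=frozenset()):
    """Separate what the server observed from what the request merely claimed.

    The TCP peer is the only address the server itself saw. A proxy we operate
    (own_proxies, a hypothetical allow-list) appends the address it saw to
    X-Forwarded-For, so the chain can be walked right to left through our own
    hops. The first hop we do not operate is the farthest address anyone we
    trust observed; everything to its left was written by an untrusted party
    and is unverifiable. Even the observed address may be a proxy, VPN exit or
    compromised host, so naming a person behind it needs that host's own records.
    """
    chain = entry["xff_chain"] + [entry["peer"]]  # leftmost = farthest claimed hop, rightmost = TCP peer
    idx = len(chain) - 1
    while idx > 0 and chain[idx] in own_proxies:
        idx -= 1
    observed = chain[idx]
    claimed = chain[:idx]

    warnings = []
    if claimed:
        warnings.append("hops before %s come from X-Forwarded-For set by an untrusted party: %s"
                        % (observed, ", ".join(claimed)))
    for hop in claimed:
        if not is_routable(hop):
            warnings.append("claimed hop %s is not Internet-routable" % hop)
    if not is_routable(observed):
        warnings.append("observed address %s is internal; the request did not arrive from the Internet" % observed)
    return {"observed": observed, "claimed": claimed, "warnings": warnings}


def triage(log_text, own_proxies=frozenset()):
    """Attribute every line of a log and return the results in order."""
    return [attribute(parse_line(l), own_proxies) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        print(result)
```

Run against the constructed lines with no own proxies, every result's observed address is the logged peer and any X-Forwarded-For content is reported as an unverifiable claim; only when the peer is a proxy the company itself runs does the routine move one hop further out. That is the defense's point in code form: the logged address is the machine that connected, and whether that machine was the origin or a proxy cannot be decided from the victim's logs alone.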
Nikulin is also accused of sharing the stolen user data with various co-conspirators who tried to sell it on internet forums. A Justice Department trial brief from March 4 identifies one of these alleged co-conspirators as Oleksandr Ieremenko, a Ukrainian charged in 2019 with hacking the U.S. Securities and Exchange Commission’s computer systems. In November 2012, the U.S. Secret Service recovered a hard drive belonging to Ieremenko that prosecutors believe will prove he and Nikulin worked together.
According to the Justice Department’s brief, a folder on that hard drive titled “Moscow 2012” will show Ieremenko driving with a friend to a “summit of bad motherfuckers” at a hotel in Moscow. As the pair approach the hotel, they notice a black car pulling up in front of them. Ieremenko’s friend calls the driver of that vehicle an “angry hacker.” Ieremenko’s hard drive also contains a photo of Nikulin behind the wheel of that black car, as well as a video of Nikulin in a conference room with other alleged co-conspirators such as Nikita Kislitsin, a Russian cybersecurity firm employee and accused cybercriminal.
The defense claims the hotel gathering was an innocuous meeting about plans to open an internet cafe.
On Wednesday, Nikulin’s lawyers objected to the government’s plans to play at least one of the videos for the jury, calling it prejudicial hearsay.
Alsup didn’t say whether he would allow the video into evidence but will likely rule sometime before March 17 when testimony resumes.
He also expressed concern that prosecutors seem to think this video is critical to the case.
“If your case turns on some person in a car calling him a hacker, you’d better throw in the towel now. We ought to have higher standards,” Alsup said. “I thought you had actual evidence that he did this.”
The trial is calendared through March 27, but the government plans to wrap its case next week and the defense hasn’t decided whether it will call any witnesses. It could go to the jury as early as March 20.
Before dismissing jurors for a three-day hiatus, Alsup said, “I don’t want you getting your hopes up that it could end next week, but there’s a fighting chance that it will.”