More than 500 million users were affected by the Yahoo hack in 2014, but this massive heist wasn’t perpetrated by a team of cyber warriors. It was the brainchild of a couple of Russian intelligence agents and their two hacker recruits.
The hack was one of the largest data breaches in world history, and the subsequent indictments associated with it mark the first time the U.S. has charged Russian intelligence officers for a cyber crime.
“The involvement and direction of FSB officers with law enforcement responsibilities make this conduct that much more egregious,” said Acting Assistant Attorney Gen. Mary McCord in a statement Wednesday. “There are no free passes for foreign state-sponsored criminal behavior.”
Dmitry Dokuchaev (also known as Patrick Nagel), a 33-year-old Russian FSB agent, was the mastermind behind the hack. He was overseen by Igor Sushchin, 43, also an FSB agent and a former information security head of a Russian financial company, where he reportedly provided information on the company’s employees to the FSB.
Both men worked for the agency’s “Center 18,” the FSB’s center for information security. Sushchin was the senior FSB official at the Center during the Yahoo hack and oversaw the younger Dokuchaev, according to the Department of Justice indictment.
While Dokuchaev played an active role in the Yahoo operation, he was not the main hacker behind the breach. He tapped notorious Russian hacker Alexsey Belan, AKA “Magg,” to act as the primary hacker. Belan came into the operation with quite the resume, having racked up two prior indictments in the U.S. for hacking e-commerce companies in September 2012 and June 2013.
The Belan-Dokuchaev partnership almost never happened. According to the indictment, Belan was arrested in an unnamed European country in 2013 under a provisional arrest warrant. He was slated to be extradited to the U.S. for prosecution, but was inexplicably able to escape prosecution by leaving the European country and fleeing to Russia. As a result, he was put on the FBI’s list of most wanted hackers, sanctioned by President Barack Obama and put under an Interpol “Red Notice” to be arrested and extradited.
Russia is an Interpol member, but instead of arresting Belan, the FSB decided to recruit him. The practice is not uncommon in Russia, as the security services are known to frequently catch criminal hackers and offer them employment to avoid prosecution. Dokuchaev apparently did not wait long to put Belan to work, as the indictment claimed the operation against Yahoo began in early 2014.
Belan and company’s hack into Yahoo’s computer network involved a mix of common hacker tactics and clever methods used to cover up their traces. Belan acted as the point man for the hacking itself, while his FSB handlers fed him intelligence information to help avoid detection by U.S. and other law enforcement agencies.
The group used four main tools to engage in the hack: leased servers (some of which were located in the U.S.), virtual private networks, “spear phishing” attacks and fake email accounts. Virtual Private Networks, or VPNs, use encryption to provide secure access to a computer on the Internet, essentially allowing a user to hide their actions from the public eye. Spear phishing is the use of fake messages to trick a user into giving a hacker access to accounts and computers, the same tactic Russian hackers supposedly used to hack the email account of Hillary Clinton campaign chairman John Podesta.
Belan targeted two aspects of Yahoo’s network to gain access to user information: Yahoo’s Account Management Tool (AMT) and its user database, or UDB. To put it simply, the UDB contains user information that the hackers were after, such as user names, passwords, and phone numbers, while the AMT is the tool Yahoo uses to make and log changes to user accounts. Essentially, the UDB contained the treasure trove, and the AMT was the key to accessing it. When Belan combined the two, he was able to potentially access information on Yahoo’s one billion users.
The hacking group also engaged in a technique known as cookie “minting” to gain access to accounts. Cookies are small files stored on a user’s computer by the computer’s web browser. When a user connects to an email server, the server can read the cookie’s data to obtain information on the user. This allows a user to continue to access their accounts without having to constantly re-enter passwords.
By “minting,” or making fake copies of, these cookies both inside and outside of Yahoo’s network, the Russian hacking collective was able to access accounts by making the company’s servers believe they already had valid access. Approximately 6,500 accounts fell victim to this technique, according to the Department of Justice.
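Why a server can be made to "believe" a minted cookie, and what check stops it, shown as an added illustration that is not taken from the indictment or from Yahoo's systems. The cookie layout, the signing key, the in-memory session store and every function name are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

SIGNING_KEY = b"constructed-demo-key"  # constructed; stands in for a server secret
ISSUED_SESSIONS = {}  # session id -> account, written only by a real login

def _sign(payload):
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(account):
    """Normal path: called only after a successful password login."""
    session_id = secrets.token_hex(16)
    ISSUED_SESSIONS[session_id] = account
    payload = f"{account}|{session_id}"
    return f"{payload}|{_sign(payload)}"

def constructed_minted_cookie(account):
    """Test fixture: a correctly signed cookie that no login ever produced."""
    payload = f"{account}|{'0' * 32}"
    return f"{payload}|{_sign(payload)}"

def verify_signature_only(cookie):
    """Stateless check: accepts any cookie whose signature verifies."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    account, session_id, sig = parts
    expected = _sign(f"{account}|{session_id}")
    ok = hmac.compare_digest(sig.encode(), expected.encode())
    return account if ok else None

def verify_with_session_record(cookie):
    """Signature check plus proof that this server issued the session."""
    account = verify_signature_only(cookie)
    if account is None:
        return None
    session_id = cookie.split("|")[1]
    return account if ISSUED_SESSIONS.get(session_id) == account else None

def revoke_account_sessions(account):
    """Incident response: drop every live session for one account."""
    stale = [s for s, a in ISSUED_SESSIONS.items() if a == account]
    for s in stale:
        del ISSUED_SESSIONS[s]
    return len(stale)
```

The signature-only verifier accepts the fixture cookie, while the verifier that also consults the server-side session record rejects it, and revoking an account's sessions invalidates cookies already in circulation.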
Minted cookies also helped the hackers narrow down their targets. Most of the 500 million accounts affected by the breach had only things like usernames and passwords stolen. The hackers were able to pinpoint targets of potential intelligence value by searching recovery emails associated with a company or organization the user may have worked for. These victims included high-ranking foreign officials in countries near Russia; a Russian journalist who worked for Kommersant, a leading Russian newspaper once owned by the now-deceased Boris Berezovsky, an unabashed critic of Russian President Vladimir Putin; U.S. officials, and other targets of “intelligence interest.”
Belan not only hacked Yahoo users for intelligence purposes, he was also able to make a little money on the side. He accessed 30 million accounts, stole their address books and engaged in a huge spam email marketing scheme. He searched some of the accounts for credit and gift card information, as hackers tend to do. But perhaps most fascinating was an ad scheme that involved hacking Yahoo’s search engine to show fake erectile dysfunction ads. When clicked on, the links redirected users to a cloud computing firm website and then an online pharmacy which paid Belan a “bounty” for each click.
While Belan was hacking Yahoo from 2014 through late 2016, Dokuchaev and Sushchin directed another hacker, Karim Baratov (AKA “Kay”), to concurrently hack into Google and other unnamed email providers, including an unnamed Russian provider. In some cases, the hacker group used information gained from the Yahoo hack to attack other providers.
Baratov’s hack was not as widespread as Belan’s, but it was well-targeted. His 18 victims included an assistant to the deputy chairman of the Russian Federation and an organization known as the “Bureau of Special Technical Projects,” which investigates cyber tech and child pornography cases for Department K of the Russian Ministry of Internal Affairs. For his services, Dokuchaev paid Baratov a bounty of approximately $100 for each victimized account.
Baratov, a 22-year-old Canadian national of Kazakh background, lived a lavish lifestyle with an even flashier online persona featuring pictures of the young hacker with $100 bills and expensive sports cars. He reportedly made his first million dollars by age 15 through unknown means.
His lifestyle came to an abrupt end Wednesday, when Toronto and Royal Canadian Mounted Police arrested him for his role in the Russian hacking plot. His extradition to the U.S. is pending.
Belan and his Russian handlers were more subtle in their actions, as evidenced by the careful cover-up inside Yahoo’s network. In addition to using the minted cookies to cover their tracks, Belan used what are known as “log cleaners,” small programs which hide computer logs from a server, to ensure Yahoo did not become aware of his activity.
Those careful steps only worked for so long, as U.S. law enforcement and intelligence were eventually able to gather evidence of the group’s alleged crimes. The Department of Justice did not comment on the methods used, only telling reporters that the cooperation was “lawful and legal.”
The indictment of the hacker group is a historical marker for the Department of Justice, but the likelihood of the three Russians facing prosecution on U.S. soil is low. Russia and the U.S. do not have a formal extradition treaty, and given the frosty relations between the two countries, the Kremlin will probably not be keen on handing over top intelligence agents to a major rival. Regardless, U.S. officials said they remained committed to prosecuting cyber crime wherever it happens.
“Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history,” said Attorney General Jeff Sessions in a statement Wednesday. “The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law.”