First, hire a hacker: how Russian agents stole data from 500 million Yahoo accounts, according to US
It was June 2013, and US law enforcement thought they were finally getting their hands on a slippery target: Russian hacker Alexsey Belan, indicted in Nevada and California for computer intrusions at three US e-commerce companies, had been arrested in Europe.
Instead, US authorities say, Belan escaped to Russia, where the charges didn’t hamper his job prospects. Rather than handing Belan over to the US, Russia’s Federal Security Service (FSB) allegedly enlisted the man to help the agency hack into American Internet companies, including Yahoo! Inc.
The alleged conspiracy, laid out in an indictment in Federal Court in San Francisco, reveals the internal workings of Russia’s state cyber-spying regime, implicated in alleged attempts to influence the US election last year. Increasingly, it’s a system that capitalises on a vast and talented pool of Russian-speaking cyber criminals, blurring the lines between profit and intelligence gathering.
“We believe that their technical capabilities are not where they’re purported to be and they’re using criminal hackers,” said Jack Bennett, the San Francisco Division Special Agent in Charge of the Federal Bureau of Investigation’s San Francisco office. He spoke at a press conference on Wednesday.
Besides Belan, the US indicted two FSB officials, Dmitry Dokuchaev and Igor Sushchin, and a second hacker, Karim Baratov, a Kazakh living in Canada.
It’s a first for the US, which has never before indicted anyone from the FSB for cyber-crimes, said Edward McAndrew, a former federal cybercrime prosecutor and now co-chair of the privacy and data security group at the law firm Ballard Spahr LLP.
“It obviously comes at a very intense time in our relationship with Russia and its cyber activities,” he said. “It also provides the public with fresh insight into the way that nation-state actors are enlisting cyber criminals of all types, from syndicates to lone wolves, to engage in sophisticated cyber campaigns.”
The indictment offers a lot of new information about the hack into Yahoo in 2014 that affected some half a billion accounts. Yahoo disclosed the breach last year, and pointed the finger at a “state-sponsored actor.” The intrusion, along with a second, earlier hack that exposed even more accounts, has complicated Yahoo’s planned acquisition by Verizon Communications Inc.
“The indictment unequivocally shows the attacks on Yahoo were state-sponsored,” Chris Madsen, an assistant general counsel for security and law enforcement at Yahoo, said in a statement. “We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime.”
Belan, also known as “Magg,” was born in Latvia but holds a Russian passport, according to the FBI. He has a fondness for hair dye, based on an FBI wanted poster that features three snapshots of the baby-faced hacker with three different-coloured manes. The FSB recruited Belan in part by providing him with information that helped him avoid detection by law enforcement, according to the indictment. He quickly repaid his handlers with access to Yahoo’s computer network; by early 2014 he’d gotten them inside Yahoo’s system, and from there into the internal control centre for Yahoo email accounts, the tool the company used to administer changes to accounts, like new passwords.
That allowed them to see things like recovery email accounts, indicating specific companies and institutions of interest to the FSB, which helped them zero in on which of the stolen accounts might be of most use. In November or December of that year, according to the indictment, he copied and exported a backup of Yahoo’s User Database.
The hackers then used the database to forge credentials, tricking Yahoo servers into recognising them as an account holder who had essentially stayed logged in. The manoeuvre, appetisingly called “cookie minting,” allowed them to read the contents of some 6,500 Yahoo accounts without even needing a password or username.
Proving yet again how difficult intrusions can be to detect, the hack unrolled through 2015 to the end of 2016. Many of the targets were Russian: journalists, employees of a Russian cybersecurity company, and officials, even someone described as a physical training expert working in the Ministry of Sports (The Justice Department did not release names of victims, only general descriptions). They also included 14 employees of a Swiss bitcoin banking firm, a Nevada gaming official, a senior officer of a major US airline, a Shanghai-based managing director of a US private equity firm, and the chief technology officer of a French transportation company.
The hackers got personal once they’d focused on a particular target, identifying spouses and children and sending malware-laden emails to gain even more information about their victims. Baratov, the second hacker, who lives in Hamilton, a city near Toronto, was apparently the phishing expert - crafting emails that lured victims into giving up sensitive information. Baratov was paid to gain access to 80 email accounts, including 50 Google accounts, according to the indictment. The indictment doesn’t detail how the FSB recruited Baratov.
Belan, meanwhile, found opportunities to make some money on the side. While he gave the FSB access to Yahoo’s networks, he also used Yahoo servers for his own gain, manipulating search results for erectile dysfunction medication to send people to the website of one particular online pharmacy. That pharmacy paid Belan to drive traffic to the site, according to the indictment.
One of the suspects has already been apprehended.
Baratov appeared in a Canadian court on Wednesday, telling the judge, in a soft voice, that he planned to apply for bail but needed to find legal counsel first. He was taken out by court officers and will be in police custody until his next appearance, a bail hearing scheduled for March 17.
A Facebook profile belonging to a Karim Baratov showed the same young man pictured in the indictment. The profile features pictures of him standing in front of a large suburban home with several luxury cars including an Aston Martin and Mercedes. Both cars’ license plates match those mentioned in the indictment as property that is subject to forfeiture.
Belan remains at large in Russia. So does Sushchin.
Dokuchaev, who worked in the FSB’s information-security division, was detained in December by Russian law enforcement, on suspicion of having links to US intelligence agencies.