The US Department of Justice has published details of the charges against four individuals indicted for the hacking of Yahoo. The scope of the hack is unprecedented, and the culprits turned out to include operatives of the FSB.
Interesting details of a hack very often emerge only when court papers are published, and this case is no different. Until now, all that was publicly known was that in one of two incidents Yahoo lost the credentials of 500 million accounts (the other incident concerned one billion accounts). The full scale of the hack is much bigger, and the trail leads to Russia.
How big a blooper can be
Our readers certainly remember many a blooper by a large corporation, yet we must admit that what happened at Yahoo can hardly be compared to anything. And we are not talking only about the 500 million client accounts, impressive as that number may be. According to the disclosed information, the hackers penetrated Yahoo's network as early as 2014 and did not lose access until September 2016. This means that they moved as they pleased around the company's network for two (or more) years, completely undetected, and they were still using the stolen data in December 2016. The level of their access to Yahoo's network is astounding. In late 2014 they stole a user database from Yahoo's servers containing user names, back-up e-mail addresses, telephone numbers and the information necessary to create cookies authorising access to the mailboxes (the per-user nonce). They then gained access to the company's internal Account Management Tool, which they used to find the mailboxes that interested them and to mint cookies giving them access to the contents without ever needing a password.
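The cookie-minting step is the one worth dwelling on from an engineering standpoint. The Python below is an added illustration written for this article; it is not Yahoo's actual scheme and not code from the indictment, and the table contents, field names, key handling and function names are all constructed assumptions. It shows why a session cookie whose only secret is a per-user nonce stored in the user database can be minted offline by anyone holding a copy of that database, and how keying the cookie to a server-held secret that is never stored alongside user records, together with an expiry and nonce rotation, stops that forgery.

```python
"""Illustration (hypothetical, not Yahoo's real scheme): a session cookie whose
only secret lives in the user database can be minted by whoever steals the
database; binding the cookie to a server-side key that is never stored there
closes the hole. All names and sample records below are constructed."""
import hashlib
import hmac
import secrets
import time

# Constructed sample of what a stolen user table might hold: the per-user
# nonce sits right next to the username, so a dump hands it to the attacker.
STOLEN_USER_TABLE = {
    "alice": {"backup_email": "alice@example.org", "nonce": "6f1c9d0a3b"},
    "bob":   {"backup_email": "bob@example.net",  "nonce": "d41d8cd98f"},
}

# Hypothetical server-side key: lives in a KMS/HSM or a config secret,
# never in the user database, so a database dump does not reveal it.
SERVER_KEY = secrets.token_bytes(32)


def mint_cookie_db_only(user: str, nonce: str) -> str:
    """Weak scheme: the cookie is a digest over values that all live in the DB."""
    digest = hashlib.sha256(f"{user}:{nonce}".encode()).hexdigest()
    return f"{user}|{digest}"


def verify_cookie_db_only(cookie: str, user_table: dict) -> bool:
    user, _, digest = cookie.partition("|")
    record = user_table.get(user)
    if record is None:
        return False
    expected = mint_cookie_db_only(user, record["nonce"]).split("|", 1)[1]
    return hmac.compare_digest(digest, expected)


def mint_cookie_keyed(user: str, nonce: str, server_key: bytes,
                      ttl: int = 3600, now=None) -> str:
    """Hardened scheme: HMAC under the server key over user, expiry and nonce.
    The nonce still participates, so rotating it (password reset, forced
    logout) invalidates every cookie minted under the old value."""
    exp = int(now if now is not None else time.time()) + ttl
    payload = f"{user}|{exp}"
    tag = hmac.new(server_key, f"{payload}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie_keyed(cookie: str, user_table: dict, server_key: bytes, now=None) -> bool:
    try:
        user, exp_s, tag = cookie.split("|")
        exp = int(exp_s)
    except ValueError:
        return False
    record = user_table.get(user)
    if record is None:
        return False
    current = int(now if now is not None else time.time())
    if current >= exp:  # expired cookies are rejected before any crypto check
        return False
    msg = f"{user}|{exp}|{record['nonce']}".encode()
    expected = hmac.new(server_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def attacker_forges(user_table: dict) -> dict:
    """What an attacker holding only the stolen table can do under each scheme.
    The algorithm is assumed public; only SERVER_KEY is unknown to the attacker."""
    user = "alice"
    nonce = user_table[user]["nonce"]
    forged_weak = mint_cookie_db_only(user, nonce)
    # Without the real server key the attacker can only mint under a guessed key.
    forged_keyed = mint_cookie_keyed(user, nonce, b"guess", ttl=3600)
    return {
        "db_only_accepted": verify_cookie_db_only(forged_weak, user_table),
        "keyed_accepted": verify_cookie_keyed(forged_keyed, user_table, SERVER_KEY),
    }


def rotate_nonce(user_table: dict, user: str) -> None:
    """Password reset / forced logout: a fresh nonce kills old keyed cookies."""
    user_table[user]["nonce"] = secrets.token_hex(8)


if __name__ == "__main__":
    print(attacker_forges(STOLEN_USER_TABLE))
    # prints {'db_only_accepted': True, 'keyed_accepted': False}
```

The point of the keyed variant is not the HMAC itself but where the key lives: an intruder with a copy of the account database, or even with two years of read access to it, still cannot mint a cookie unless they also compromise the service that holds the key, and minting activity through an internal tool is then something that can be logged and alerted on per account.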
Some of the hackers' victims were selected on the basis of the interests of the Russian Federal Security Service (FSB); others were in the sphere of interest of the hackers themselves. Among the victims, the indictment lists individuals working for foreign intelligence and law enforcement agencies, Russian journalists, US and Russian officials, employees of a large Russian company dealing with cybersecurity (I wonder which one that might be), employees of other companies whose networks the hackers also tried to infiltrate, employees of a Russian investment firm, a French transport company, US financial firms, a Swiss firm offering bitcoin wallets and a US airline. They also gained access to accounts the same users held with other mail providers (most likely Google, among others). What is more, they hacked the accounts of their victims' spouses and children to obtain more information about them. In this way they broke into the accounts of about 6,500 handpicked individuals. When they were looking for employees of a specific company, they followed the domains used in the back-up e-mail addresses registered with Yahoo.
Of all the information in the indictment, the most astonishing for us were the culprits' other activities. It appears that one of the hackers, driven by money, searched Yahoo users' communications for credit card numbers and gift vouchers, which he then stole. He also stole the contact lists of 30 million users to use the addresses for spam campaigns. To cap it all, he redirected some traffic from the Yahoo search engine: he added his own link to the results of searches concerning erectile dysfunction, leading to an online pharmacy that sold the pills and paid a commission to anyone who referred customers. For two years, the hackers treated Yahoo as their own private farm from which they took what they wanted and profited as if it were their own business, and nobody noticed anything.
Who is behind it
According to the indictment, the crime was directed by two officers of the Federal Security Service: 33-year-old Dmitry Aleksandrovich Dokuchaev, an officer of the Center 18 unit dealing with cybercrime (we could hardly say fighting it), and 43-year-old Igor Anatolyevich Sushchin, Dokuchaev's superior, employed as a cover as the head of the security department at a Russian investment bank.
For the dirty work, the two hired Alexey Alexeyevich Belan, known by the nickname Magg, who had already been indicted in the USA in 2012 and 2013 for hacking US online shops and stealing the personal data of 200 million users. Belan was put on the FBI's Cyber Most Wanted list and is still officially wanted by Interpol (including in Russia). In June 2013 Belan was detained in Europe and awaited extradition to the USA, but managed to elude the law enforcement authorities and escaped to Russia. Instead of arresting Belan, the two FSB operatives most likely began cooperating with him, to the benefit of both sides: they allegedly instructed him on how to avoid detection while hacking and passed him confidential information held by law enforcement agencies. Belan was assisted by the fourth accused, Canada-based Kazakh Karim Baratov (already apprehended).
This case illustrates the close cooperation between Russian cybercriminals and the security services. A similar scenario was recently described by The New York Times in its profile of the famous Slavik, the botmaster who helped Russian intelligence search millions of computers all over the world.