Russian Intelligence Behind Yahoo Email Hack

Indictment shows FSB officers worked with criminal hackers

Acting Assistant Attorney General Mary McCord / Getty Images
March 15, 2017

Russia's intelligence service directed the hacking of 500 million Yahoo email accounts in an operation conducted in coordination with Russian criminal hackers.

Two officers of Russia's Federal Security Service, or FSB, worked with two Russian cyber criminals in the data espionage and criminal operation, according to a federal indictment and law enforcement officials.

The disclosures confirm long-held suspicions that Russia's government collaborates with non-government hackers and uses its spy services to facilitate criminal activity in addition to conducting espionage.

The Yahoo cyber attacks were carried out by the FSB between 2014 and December in a conspiracy to "protect, direct, facilitate, and pay criminal hackers to collect information through computer intrusions in the United States and elsewhere," according to the indictment.

The two FSB officers were identified as Dmitry Dokuchaev and Igor Sushchin. The criminal hackers were named as Alexsey Belan and Karim Baratov. Belan was arrested in Canada on Tuesday and the Justice Department is seeking his extradition.

Dokuchaev worked for the FSB's Center 18, known as the Center for Information Security. Sushchin was Dokuchaev's superior at Center 18 who operated under cover at a Russian financial company.

The FBI in the past worked with the Russian FSB center. An FBI official said Tuesday the Bureau has no plans to cut off cooperation despite the fact that the FSB was engaged in criminal activity.

"The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cyber crime matters, is beyond the pale," said Acting Assistant Attorney General Mary McCord.

McCord told reporters in announcing the indictment that the FSB officers helped the hackers and the hackers were able to "line their own pockets."

"We are certainly seeing more and more use by nation states of criminal hackers to carry out some of their intentions," McCord said of the hacking partnership.

McCord said the indictment does not allege any link between the Yahoo FSB operation and the Russian hacking of the 2016 election.

The FSB was linked by U.S. intelligence to the hacking of Democratic Party servers and Democratic Party official John Podesta's email during the 2016 campaign. The military GRU intelligence service also was involved.

Belan was among several Russians designated for sanctions by President Obama in December when 35 Russian intelligence officers were expelled for Russia's election hacking.

China and Iran in the past used non-government hackers for some of their cyber attacks, according to security researchers.

Belan made money from his access to the private Yahoo emails by manipulating Yahoo search results in order to market erectile dysfunction drugs, obtaining credit card and gift card numbers from private emails, and running a spam program for 30 million Yahoo users.

The operation relied on spear phishing: fraudulent emails that tricked computer users into installing malware, which facilitated the hacking.

The hackers also manually created computer "cookies," a method known as "minting," to break into Yahoo email accounts. Cookies are small files stored on users' web browsers.

Targets of the hacking included U.S. and Russian government officials, employees of a Russian cyber security company, Russian journalists, and employees of Internet service providers.

Russian financial firms, U.S. financial services and private equity firms, a French transportation company, a Swiss bitcoin wallet and banking firm, and a U.S. airliner also were targeted in the hacking operation.

The Sunnyvale, Calif., tech company provides email and electronic messaging services to more than 1 billion people.

The massive data theft was accomplished by breaking into Yahoo's user database, which contained proprietary and confidential technology as well as subscriber information such as user names, recovery email accounts and phone numbers, password challenge questions and answers, and sensitive cryptographic security information associated with the accounts.

The operation began with cyber reconnaissance—the clandestine mapping of Yahoo's information systems—in the fall of 2014. The hackers then obtained a copy of the 2014 user database and began minting cookies that permitted access to Yahoo email accounts.

"Both internally and externally minted cookies allowed the conspirators to appear to Yahoo's servers as if the intruder had previously obtained valid access to the associated Yahoo user's account, obviating the need to enter a username and password for that account," the indictment states.
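The following added illustration (not code from Yahoo or the indictment, and using a constructed "user|expiry|tag" cookie format rather than Yahoo's real scheme) shows why a cookie minted with a stolen signing secret is indistinguishable from a legitimate one at the server, and why rotating that secret is the mitigation that invalidates every previously minted cookie at once:

```python
import hmac
import hashlib
from typing import Dict, List, Optional

# Constructed cookie format for illustration: "user|expiry|tag", where tag is an
# HMAC-SHA256 over "user|expiry" under a server-side secret. Assumed, not Yahoo's.

def mint_cookie(user: str, expiry: int, key: bytes) -> str:
    """Server-side issuance of a session cookie (constructed scheme)."""
    payload = f"{user}|{expiry}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def verify_cookie(cookie: str, keys: List[bytes], now: int) -> Optional[str]:
    """Return the user name if the cookie validates under any trusted key and
    has not expired; otherwise None. Malformed cookies are rejected."""
    try:
        user, expiry_s, tag = cookie.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None
    if expiry <= now:
        return None
    payload = f"{user}|{expiry_s}".encode()
    for key in keys:
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            return user
    return None

def demo() -> Dict[str, Dict[str, Optional[str]]]:
    original_key = b"constructed-secret-key-v1"
    now = 1_500_000_000  # constructed "current time"
    legit = mint_cookie("alice", now + 3600, original_key)
    # A cookie produced with the stolen key carries a valid tag, so the server
    # cannot tell it apart from one it issued itself: no password is ever asked.
    minted = mint_cookie("victim", now + 86400 * 30, original_key)
    before = {
        "legit": verify_cookie(legit, [original_key], now),
        "minted": verify_cookie(minted, [original_key], now),
    }
    # Mitigation once compromise is known: rotate the signing key. Everything
    # minted under the old key, legitimate or not, stops validating.
    new_key = b"constructed-secret-key-v2"
    after = {
        "legit": verify_cookie(legit, [new_key], now),
        "minted": verify_cookie(minted, [new_key], now),
    }
    return {"before": before, "after": after}
```

Rotation forces every genuine user to log in again, which is the price of cutting off cookies whose provenance the server can no longer trust.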

The Russians gained access to emails of a diplomat from a nation bordering Russia, a former economic minister from a neighboring country, and a Russian journalist for Kommersant, an economic newspaper. An American working for a cloud computing company also was targeted.

The four men were indicted on 47 counts of conspiracy to commit computer fraud and abuse, cyber economic espionage, and theft of trade secrets.

"We will not allow individuals, groups, nation states, or a combination of them to compromise the privacy of our citizens, the economic interests of our companies, or the security of our country," said McCord.

Yahoo said the indictment "shows the attacks on Yahoo were state-sponsored."

"We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible," Chris Madsen, Yahoo's assistant general counsel, said in a statement.
