Science

Here's how the FBI says Russian hackers stole Yahoo account secrets

One of the largest corporate data breaches ever committed — and a story of international intrigue — started with a simple phishing attack.

Using a variety of techniques to bypass security measures, hackers sought access to myriad email accounts

Yahoo disclosed the breach of at least 500 million of its user accounts last September, and confirmed further details in December. (Justin Sullivan/Getty Images)

For more than two years, criminal hackers had control of Yahoo's most sensitive computer systems, giving them unprecedented access to more than 500 million user accounts — and Yahoo staff were none the wiser.

The allegations, part of an FBI indictment against three Russians and a Canadian filed in a California court earlier this week, tell the story behind one of the largest corporate data breaches ever committed.

The tale begins in early 2014, when two Russian intelligence officers, Dmitry Dokuchaev and Igor Sushchin, sought access to potentially valuable email accounts — those belonging to U.S. and Russian government officials, but also Russian journalists, and employees of additional email and internet service providers.

They enlisted the help of two alleged criminal hackers to do so, each responsible for a different task.

Alexsey Belan, a Russian in the employ of Russia's Federal Security Service, or FSB, found a way into Yahoo's servers. Once inside, Belan accessed systems that stored and managed account data. Importantly, those systems could be used to either reset or modify account security mechanisms, and in some cases, bypass a user's password altogether.

Accused of a massive data breach at Yahoo that affected at least a half billion user accounts are, from left, Alexsey Belan, Karim Baratov, Igor Sushchin and Dmitry Dokuchaev. (Reuters/FBI, Bartov: Instagram/Canadian Press)

The indictment alleges that later that year, Russian intelligence officers separately turned to Karim Baratov, a 22-year-old Canadian hacker of Khazhak origin living in Ancaster, Ont., a suburb of Hamilton. After identifying Yahoo accounts of interest, Baratov was instructed to find other webmail accounts held by the targets — Google accounts, in particular — and break in.

It's not clear what, exactly, tipped Yahoo staff off to the ongoing intrusion — though a hacker by the name of Peace, who claimed to be selling account credentials belonging to about 200 million Yahoo users on the dark web last August, may have had something to do with it.

Whether Peace was telling the truth is hard to say, but within weeks, Yahoo confirmed that it had been breached.

Who was targeted?

According to the indictment, the conspirators sought access to accounts belonging to "Russian journalists, Russian and U.S. government officials; employees of a prominent Russian cybersecurity company," as well as those working for webmail and internet service providers in Russia and the U.S. "whose networks the conspirators sought to further exploit."

In some cases, the attackers are even alleged to have sought access to the email accounts of their targets' spouses and children.

Some of their targets included:

  • Former officials from countries bordering Russia.
  • U.S. government officials working in cybersecurity, diplomatic, military, and White House positions.
  • Employees of a U.S. cloud storage company.
  • A senior officer at a Russian webmail provider.
  • A Nevada gaming official.
  • The CTO of a French transportation company.
  • A Russian investment banking firm.
  • The managing director of a U.S. financial services and private equity firm.
  • 14 employees of a Swiss bitcoin wallet and banking firm.
  • A senior officer at a U.S. airline.
  • Employees of a Russian cybersecurity company.
  • An International Monetary Fund official.
  • An assistant to the deputy chairman of the Russian Federation.
  • An officer of the Russian Ministry of Internal Affairs.
  • A physical training expert working in the Ministry of Sports of a Russian republic.

Inside Yahoo

To gain access to Yahoo's servers, the indictment suggests that the Russian hacker Belan employed a common attack known as spear phishing, in which otherwise malicious emails are made to look legitimate. 

A spear phishing email might instruct a person to download and open an attachment, which secretly contains malware. Or it may direct the recipient to enter their username and password after clicking on a link to a website designed to look like the login page of, say, a legitimate Gmail account.

The FBI alleges that Belan used spear phishing attacks to target Yahoo employees and steal their account credentials. He is said to have gained access to a Yahoo server in early 2014, and further access to the company's corporate network by September of that year.

Along the way, the attackers are said to have installed software that would cover their tracks — designed to scrub server logs, for example — making it harder for the Yahoo security team to notice they were there.

By October, they had obtained information about Yahoo's Account Management Tool, or AMT, which Yahoo administrators used to manage and modify information about accounts — user names, recovery email addresses and phone numbers, security questions and answers, and more.

That information was stored in Yahoo's User Database, or UDB, and they obtained a backup copy by early November 2014, containing information for more than 500 million accounts — gaining them access to the account of any user whose password had not been changed after that time.

Minting cookies

Throughout 2015 and 2016, the attackers used their access to Yahoo's AMT and the information contained within the stolen UDB to target user accounts of interest.

One technique allowed the attackers to generate cookies — files commonly used by websites to remember users, so they don't have to enter their password each time — through a process called "cookie minting."

The cookies "allowed the conspirators to appear to Yahoo's servers as if the intruder had previously obtained valid access to the associated Yahoo user's account, obviating the need to enter a username and password for that account," the indictment says.

At first, the attackers generated the cookies on Yahoo's servers. But by August 2015, they had obtained Yahoo's cookie minting code, which allowed them to go through the process on their own machines. 

According to the indictment, the attackers used these cookies "to access the contents of more than 6,500 Yahoo user accounts."

Paul Abbate, the FBI's Criminal Cyber, Response and Services Branch Executive Assistant Director, announced criminal charges against three Russians and a Canadian citizen in connection with the 2014 breach of tech giant Yahoo, disclosed last Fall. (Brendan Smialowski/AFP/Getty Images)

Along the way, it became clear to Dokuchaev and Sushchin, the Russian intelligence agents, that some of their targets had other webmail accounts with different providers — which they directed the alleged Canadian hacker Baratov to access.

Using the same techniques that Belan first used to gain access to Yahoo's infrastructure, Baratov is alleged to have launched a number of spear phishing attacks, gaining access to at least 80 email accounts, including at least 50 Google accounts.

He was allegedly paid around $100 per account.

'Spam marketing scheme'

While all this was going on, Belan, the criminal hacker who worked in the employ of Russian intelligence, is also alleged to have used his access to Yahoo accounts for personal gain — searching accounts for gift cards, credit card numbers, and login information for financial services such as PayPal. 

The indictment claims he even modified the Yahoo search engine in November 2014 to direct users searching for a certain erectile dysfunction drug to an online pharmacy, for which Belan would get paid a referral fee.

And it alleges that Belan also used minted cookies to steal contact information from 30 million Yahoo accounts "as part of a spam marketing scheme."

Russian intelligence officials were only too happy to help Belan evade detection, according to the FBI. Last July, they sent him "information regarding FSB law enforcement and intelligence investigations, and FSB tactics, including its use of information to target hackers whose difficult-to-trace computer intrusion infrastructure made other means of surveillance more difficult."

In fact, throughout the entire operation, the FBI alleges the attackers "attempted to hide the nature and origin of their internet traffic" so they would not be detected by their victims and law enforcement alike — using servers in different countries, virtual private networks (VPNs), and multiple false email accounts.

But all that appears to have come to an end, beginning last fall. The breach was disclosed publicly in September, and Yahoo began working with the FBI. And while the indictment says the attackers continued to use their stolen information, that too was short lived. 

Dokuchaev, one of the intelligence officers, was reportedly arrested in Russia, in December, on separate charges. Baratov, of course, is being held in custody, and U.S. officials are seeking his extradition to face charges in a California court. A bail hearing has been set for April 5.

As for Sushchin and Belan, Russian officials have denied their government's involvement. There is no extradition treaty between Russia and the U.S., and their whereabouts remain unknown.

Read the indictment below:

Mobile users: View the document
(PDF 3377KB)
(Text 3377KB)
CBC is not responsible for 3rd party content

ABOUT THE AUTHOR

Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at [email protected]. For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.