FSB officers utilise hackers after US Red Notice
The FSB officers involved were named as Dmitry Dokuchaev and Igor Sushchin, who worked with hackers Alexsey Belan and Karim Baratov.
Belan had been publicly indicted in September 2012 and June 2013 and was named one of the FBI’s Cyber Most Wanted criminals in November 2013. An Interpol Red Notice seeking his immediate detention has been lodged (including with Russia) since July 26, 2013.
Belan was arrested in a European country on a request from the US in June 2013, but he was able to escape to Russia before he could be extradited.
US authorities said that, instead of acting on the US government’s Red Notice and detaining Belan after his return, Dokuchaev and Sushchin subsequently used him to gain unauthorised access to Yahoo’s network.
Towards the end of 2014, Belan stole a copy of at least a portion of Yahoo’s user database that contained, among other data, subscriber information including users’ names, recovery email accounts, phone numbers and certain information required to manually create, or “mint”, account authentication web browser “cookies” for more than 500 million Yahoo accounts, the indictment said.
Belan also obtained unauthorised access to Yahoo’s account management tool (AMT), enabling Belan, Dokuchaev and Sushchin to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 such accounts without authorisation.
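The indictment’s point about “minting” cookies is that a stateless, signed authentication cookie is only as strong as the secrecy of the material used to sign it: once a copy of that material leaves the server, anyone holding it can produce a cookie the server accepts for any account, without ever logging in. The toy model below is an added illustration, not Yahoo’s actual cookie scheme or code from the indictment; the cookie format, the `CookieAuthority` class and the `scenario()` helper are assumptions made for the example. It shows the two defensive controls that blunt such minting: checking every cookie against a server-side registry of sessions the server itself issued, and rotating the signing key (with a key id embedded in the cookie) so that everything minted under the old key is rejected at once.

```python
import hashlib
import hmac
import secrets


class CookieAuthority:
    """Hypothetical model of an HMAC-signed auth cookie (not Yahoo's scheme).

    Cookie layout (constructed for this example):
        key_id|user|expiry|nonce|hex(HMAC-SHA256(key, key_id|user|expiry|nonce))
    """

    def __init__(self, require_registry: bool = True):
        self.key_id = 1
        self.key = secrets.token_bytes(32)
        self.require_registry = require_registry
        # Server-side record of (key_id, user, nonce) the server actually issued.
        self.issued = set()

    @staticmethod
    def _mac(key: bytes, payload: str) -> str:
        return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

    def mint(self, user: str, now: float, ttl: int = 3600) -> str:
        """Issue a cookie through the legitimate path and record it."""
        nonce = secrets.token_hex(8)
        payload = f"{self.key_id}|{user}|{int(now) + ttl}|{nonce}"
        self.issued.add((self.key_id, user, nonce))
        return f"{payload}|{self._mac(self.key, payload)}"

    def verify(self, cookie: str, now: float):
        """Return the user the cookie authenticates, or None if it is rejected."""
        try:
            kid, user, exp, nonce, mac = cookie.split("|")
            kid_int, exp_int = int(kid), int(exp)
        except ValueError:
            return None
        if kid_int != self.key_id:
            return None  # signed under a retired key: rotation invalidates it
        payload = f"{kid}|{user}|{exp}|{nonce}"
        if not hmac.compare_digest(mac, self._mac(self.key, payload)):
            return None  # signature does not verify
        if exp_int < now:
            return None  # expired
        if self.require_registry and (kid_int, user, nonce) not in self.issued:
            return None  # well-signed but never issued by this server
        return user

    def rotate_key(self) -> None:
        """Retire the current signing key; every cookie minted under it dies."""
        self.key_id += 1
        self.key = secrets.token_bytes(32)

    def revoke_user(self, user: str) -> None:
        """Drop all registered sessions for one account."""
        self.issued = {t for t in self.issued if t[1] != user}


def scenario() -> dict:
    """Walk through the minting risk and the two mitigations; returns outcomes."""
    now = 1_700_000_000.0  # fixed clock so the run is deterministic
    server = CookieAuthority()
    legit = server.mint("alice", now)

    # A cookie built from a copy of the keying material, outside the server's
    # issuance path: it is correctly signed but was never registered.
    copied_key, copied_kid = server.key, server.key_id
    payload = f"{copied_kid}|bob|{int(now) + 3600}|{secrets.token_hex(8)}"
    outside = f"{payload}|{CookieAuthority._mac(copied_key, payload)}"

    results = {}
    server.require_registry = False  # purely stateless verification
    results["stateless_accepts_outside"] = server.verify(outside, now) == "bob"

    server.require_registry = True  # registry check on every request
    results["registry_rejects_outside"] = server.verify(outside, now) is None
    results["registry_accepts_legit"] = server.verify(legit, now) == "alice"

    server.revoke_user("alice")
    results["revocation_rejects_legit"] = server.verify(legit, now) is None

    server.rotate_key()  # invalidates everything signed under key_id 1
    results["rotation_rejects_all"] = (
        server.verify(legit, now) is None and server.verify(outside, now) is None
    )
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The registry costs a lookup per request, which is exactly the state that a purely cookie-based design tries to avoid; the trade-off is that without it, the only way to invalidate minted cookies after a compromise is a key rotation that logs every user out at once. Embedding the key id in the cookie makes that rotation cheap to enforce and easy to audit: cookies arriving with a retired key id after rotation are a signal worth alerting on.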
The FSB officers allegedly facilitated Belan’s other criminal activities, by providing him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by US and other law enforcement agencies outside Russia, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers.
Additionally, Belan used his access to steal financial information such as gift card and credit card numbers from webmail accounts; to gain access to more than 30 million accounts whose contacts were then stolen to facilitate a spam campaign; and to earn commissions from fraudulently redirecting a subset of Yahoo’s search engine traffic.
When Dokuchaev and Sushchin learned that a target of interest had accounts at webmail providers other than Yahoo, including through information obtained as part of the Yahoo intrusion, they tasked their co-conspirator, Baratov, a resident of Canada, with obtaining unauthorised access to more than 80 accounts in exchange for commissions.
On 7 March 2017, the Department of Justice submitted a provisional arrest warrant to Canadian law enforcement authorities, requesting Baratov’s arrest. On 14 March 2017, Baratov was arrested in Canada and the matter is now pending with the Canadian authorities.
Commentators have said it is unlikely the US will be able to bring the Russian nationals involved to justice, but the indictment shows that US investigators can track Russian cyber espionage operations.
When the breaches were uncovered in 2016, they threatened to derail the sale of Yahoo’s core business to Verizon, but ultimately resulted in a $350m reduction in the price to $4.48bn.
Under the deal, Yahoo and Verizon will split the cost of government investigations and third-party litigation related to the data breaches, but Yahoo alone will be responsible for any liabilities arising from shareholder lawsuits and a Securities and Exchange Commission (SEC) investigation.