How was Yahoo hacked
The US government’s indictments reveal how Russian spies allegedly recruit criminal hackers in a conspiracy to hack the tech giant

US authorities on Wednesday (15 March) brought forward charges against two Kremlin intelligence (FSB) officials and two criminal hackers for launching a massive cyberattack on Yahoo in 2014, which compromised around 500 million user accounts.

The US government's indictments reveal how Russian spies allegedly recruited criminal hackers in a conspiracy to hack the tech giant.

The FBI said that the two criminal hackers, Alexsey Belan, a Russian who is currently on the agency's most-wanted list, and Karim Baratov, a Kazakh residing in Canada who was arrested on Tuesday (14 March), were hired by two FSB agents, Dmitry Dokuchaev, 33, and Igor Sushchin, 43, to carry out the cyberattack.

How was Yahoo hacked?

According to the FBI, Belan, who went by "Magg", had breached Yahoo's system by early 2014 and made his way to the firm's internal control center for email accounts, which allowed him to make administration-level changes, including accessing and changing passwords. This helped the FSB zero in on which accounts to go after. Belan copied and exported a backup of Yahoo's user database between November and December 2014.

This database was later used for credential forging and cookie minting, which allowed the suspects to access the contents of nearly 6,500 accounts without even having to provide usernames and passwords. The Kremlin intelligence officials' targets included Russian journalists and government officials as well as senior officials of foreign governments and corporations.
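The "cookie minting" the indictment describes is the step that turns an exported user database into live access to mailboxes. The example below is added here and is not from the article or from Yahoo; it contrasts a constructed session-cookie scheme that can be computed from user-table fields alone (and so can be minted from a database export) with one whose HMAC key is held outside the database and whose cookies carry an expiry. The user records, field names and key are all constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: the cookie-signing key lives in the application
# (or a KMS/HSM), deliberately NOT as a column of the user database.
SIGNING_KEY = secrets.token_bytes(32)

# Constructed user database: roughly what an attacker holds after exporting a backup.
USER_DB = {
    "alice": {"uid": 1001, "pw_hash": hashlib.sha256(b"constructed-hash-input").hexdigest()},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Weak design: the cookie is a deterministic function of database fields only. ---
def weak_mint(uid: int, pw_hash: str) -> str:
    """Anyone holding the user table can compute this, so a DB export equals session minting."""
    return hashlib.sha256(f"{uid}:{pw_hash}".encode()).hexdigest()


def weak_verify(cookie: str, db: dict):
    """Accepts any cookie matching a row of the table; no secret outside the DB is involved."""
    for rec in db.values():
        if hmac.compare_digest(cookie, weak_mint(rec["uid"], rec["pw_hash"])):
            return rec["uid"]
    return None


# --- Hardened design: payload || HMAC(key, payload), with the key outside the DB. ---
def mint_cookie(uid: int, key: bytes = SIGNING_KEY, ttl: int = 3600, now=None) -> str:
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"uid": uid, "exp": issued + ttl}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(cookie: str, key: bytes = SIGNING_KEY, now=None):
    """Return the uid when signature and expiry check out, otherwise None."""
    try:
        p, t = cookie.split(".", 1)
        payload, tag = _unb64(p), _unb64(t)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison against the server-held key; a DB export cannot reproduce it.
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if not isinstance(data, dict) or data.get("exp", 0) < current:
        return None
    return data.get("uid")


def cookies_from_stolen_db(username: str, stolen_db: dict):
    """Threat-model check: what a database export alone yields against each design.
    The weak cookie is fully reproducible; for the hardened one the only secret-looking
    field available is the password hash, which is not the signing key."""
    rec = stolen_db[username]
    weak = weak_mint(rec["uid"], rec["pw_hash"])
    forged = mint_cookie(rec["uid"], key=rec["pw_hash"].encode())
    return weak, forged


if __name__ == "__main__":
    weak, forged = cookies_from_stolen_db("alice", USER_DB)
    print("weak design accepts DB-derived cookie:", weak_verify(weak, USER_DB) == 1001)
    print("hardened design accepts DB-derived cookie:", verify_cookie(forged) is not None)
```

The design point is key separation: a signing key that never sits in the same store as the user table means a database export is not enough to mint sessions, and the expiry bounds the lifetime of anything that does leak. On the operations side, a rise in signature-verification failures on the cookie path is worth alerting on, since valid clients almost never produce them.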

Baratov was allegedly recruited to use the data hacked by Belan to carry out phishing attacks designed to gain even more information. The hacker was hired to access 80 specific email accounts, including 50 Google accounts.

Unmasking the Yahoo hackers

According to the US government's indictment, Belan appeared to have played a major role in the attack, while Baratov was likely the least involved in the incident. Compared to Belan, Baratov's technical skills were also likely less sophisticated, given that he was not all that careful about hiding his cybercriminal activities.

According to security journalist Brian Krebs, it took about "10 minutes of searching online to trace back" numerous email hacking services run by Baratov to him specifically. The hacker was active on social media and blatantly displayed his wealth. In one of his posts on Instagram, he describes himself as "well off in high school to be able to afford driving a BMW 7 series and pay off a mortgage on my first house".

Commenting on Baratov's easily traceable activities, Krebs wrote, "Security professionals are fond of saying that any system is only as secure as its weakest link. It would not be at all surprising if Baratov was the weakest link in this conspiracy chain."

Meanwhile, Belan had already garnered the interest of US authorities, making it onto the FBI's cyber most wanted list in 2013 after being charged with hacking and stealing credit card data from various corporations. After being arrested in Europe in June 2013, Belan fled to Russia, thereby escaping extradition to the US.

"During the conspiracy, the FSB officers facilitated Belan's other criminal activities, by providing him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by U.S. and other law enforcement agencies outside Russia, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers," the Justice Department charged in its statement about the indictments.

"Additionally, while working with his FSB conspirators to compromise Yahoo's network and its users, Belan used his access to steal financial information such as gift card and credit card numbers from webmail accounts; to gain access to more than 30 million accounts whose contacts were then stolen to facilitate a spam campaign; and to earn commissions from fraudulently redirecting a subset of Yahoo's search engine traffic," the US government added.

Have all the suspects been arrested?

All four indicted by the US face 47 criminal charges. While Belan remains at large in Russia, Baratov was presented before a Canadian court on Wednesday, where he reportedly said that he intends to apply for bail but needs to find legal counsel, Bloomberg reported.

Of the two Russian spies, Sushchin is also at large, while Dokuchaev was arrested by Russian authorities, who suspect that he passed information to US intelligence agencies. He currently faces treason charges and, if found guilty, may be jailed for as long as 20 years.

The FSB is yet to comment on the matter. Putin's spokesperson Dmitry Peskov claimed that Russia wants to cooperate with the US on cyber threats.

Jack Bennett, the special agent in charge of the FBI's San Francisco Division, said that he is confident US authorities will apprehend the three remaining suspects, despite America not having an extradition treaty with Russia.

"These guys will travel one day somewhere. There are countries that have extradition treaties with the United States and we will take advantage of that," he said. "The world is a small place."