For more than two years, criminal hackers had control of Yahoo's most sensitive computer systems, giving them unprecedented access to more than 500 million user accounts — and Yahoo staff were none the wiser.
The allegations, part of an FBI indictment against three Russians and a Canadian filed in a California court earlier this week, tell the story behind one of the largest corporate data breaches ever committed.
The tale begins in early 2014, when two Russian intelligence officers, Dmitry Dokuchaev and Igor Sushchin, sought access to potentially valuable email accounts — those belonging to U.S. and Russian government officials, but also Russian journalists, and employees of additional email and internet service providers.
They enlisted the help of two alleged criminal hackers to do so, each responsible for a different task.
Alexsey Belan, a Russian in the employ of Russia's Federal Security Service, or FSB, found a way into Yahoo's servers. Once inside, Belan accessed systems that stored and managed account data. Importantly, those systems could be used to either reset or modify account security mechanisms, and in some cases, bypass a user's password altogether.
The indictment alleges that later that year, Russian intelligence officers separately turned to Karim Baratov, a 22-year-old Canadian hacker of Khazhak origin living in Ancaster, Ont., a suburb of Hamilton. After identifying Yahoo accounts of interest, Baratov was instructed to find other webmail accounts held by the targets — Google accounts, in particular — and break in.
It's not clear what, exactly, tipped Yahoo staff off to the ongoing intrusion — though a hacker by the name of Peace, who claimed to be selling account credentials belonging to about 200 million Yahoo users on the dark web last August, may have had something to do with it.
Whether Peace was telling the truth is hard to say, but within weeks, Yahoo confirmed that it had been breached.
To gain access to Yahoo's servers, the indictment suggests that the Russian hacker Belan employed a common attack known as spear phishing, in which otherwise malicious emails are made to look legitimate.
A spear phishing email might instruct a person to download and open an attachment, which secretly contains malware. Or it may direct the recipient to enter their username and password after clicking on a link to a website designed to look like the login page of, say, a legitimate Gmail account.
The FBI alleges that Belan used spear phishing attacks to target Yahoo employees and steal their account credentials. He is said to have gained access to a Yahoo server in early 2014, and further access to the company's corporate network by September of that year.
Along the way, the attackers are said to have installed software that would cover their tracks — designed to scrub server logs, for example — making it harder for the Yahoo security team to notice they were there.
By October, they had obtained information about Yahoo's Account Management Tool, or AMT, which Yahoo administrators used to manage and modify information about accounts — user names, recovery email addresses and phone numbers, security questions and answers, and more.
That information was stored in Yahoo's User Database, or UDB, and they obtained a backup copy by early November 2014, containing information for more than 500 million accounts — gaining them access to the account of any user whose password had not been changed after that time.
Throughout 2015 and 2016, the attackers used their access to Yahoo's AMT and the information contained within the stolen UDB to target user accounts of interest.
One technique allowed the attackers to generate cookies — files commonly used by websites to remember users, so they don't have to enter their password each time — through a process called "cookie minting."
The cookies "allowed the conspirators to appear to Yahoo's servers as if the intruder had previously obtained valid access to the associated Yahoo user's account, obviating the need to enter a username and password for that account," the indictment says.
At first, the attackers generated the cookies on Yahoo's servers. But by August 2015, they had obtained Yahoo's cookie minting code, which allowed them to go through the process on their own machines.
According to the indictment, the attackers used these cookies "to access the contents of more than 6,500 Yahoo user accounts."
Along the way, it became clear to Dokuchaev and Sushchin, the Russian intelligence agents, that some of their targets had other webmail accounts with different providers — which they directed the alleged Canadian hacker Baratov to access.
Using the same techniques that Belan first used to gain access to Yahoo's infrastructure, Baratov is alleged to have launched a number of spear phishing attacks, gaining access to at least 80 email accounts, including at least 50 Google accounts.
He was allegedly paid around $100 per account.
'Spam marketing scheme'
While all this was going on, Belan, the criminal hacker who worked in the employ of Russian intelligence, is also alleged to have used his access to Yahoo accounts for personal gain — searching accounts for gift cards, credit card numbers, and login information for financial services such as PayPal.
The indictment claims he even modified the Yahoo search engine in November 2014 to direct users searching for a certain erectile dysfunction drug to an online pharmacy, for which Belan would get paid a referral fee.
And it alleges that Belan also used minted cookies to steal contact information from 30 million Yahoo accounts "as part of a spam marketing scheme."
Russian intelligence officials were only too happy to help Belan evade detection, according to the FBI. Last July, they sent him "information regarding FSB law enforcement and intelligence investigations, and FSB tactics, including its use of information to target hackers whose difficult-to-trace computer intrusion infrastructure made other means of surveillance more difficult."
In fact, throughout the entire operation, the FBI alleges the attackers "attempted to hide the nature and origin of their internet traffic" so they would not be detected by their victims and law enforcement alike — using servers in different countries, virtual private networks (VPNs), and multiple false email accounts.
But all that appears to have come to an end, beginning last fall. The breach was disclosed publicly in September, and Yahoo began working with the FBI. And while the indictment says the attackers continued to use their stolen information, that too was short lived.
Dokuchaev, one of the intelligence officers, was reportedly arrested in Russia, in December, on separate charges. Baratov, of course, is being held in custody, and U.S. officials are seeking his extradition to face charges in a California court. A bail hearing has been set for April 5.
As for Sushchin and Belan, Russian officials have denied their government's involvement. There is no extradition treaty between Russia and the U.S., and their whereabouts remain unknown.
Read the indictment below: