On Wednesday, the US Department of Justice announced charges against two members of the Russian Federal Security Service (FSB) and two hackers-for-hire for allegedly breaching Yahoo’s servers. Mary McCord, the acting Assistant Attorney General for National Security, said that prosecutors believe the FSB agents carried out the hack in their capacity as Russian government officials. We knew that the intrusion was rather bad—the Justice Department called it the largest data breach in US history—but the indictment offers new details on how the hackers allegedly exploited their access to Yahoo’s servers for sweet, sweet cash.
According to the indictment, the hackers appeared to have extensive access to Yahoo’s servers until September 2016. In addition to the 500 million email accounts originally reported as hacked, the attackers were able to manipulate Yahoo search results to send users to spam websites after further breaching the company’s servers. When a user searched for erectile dysfunction, they were served a “fraudulent link” created by one of the hackers. Once the malicious dick pill link was clicked, users were automatically redirected to an online pharmacy company which, according to the indictment, offered a commission for traffic. It’s unclear how much money the hackers made from this arrangement, but with the full power of Yahoo’s search engine behind the scheme, it’s safe to bet it was significant.
The hackers are also said to have siphoned credit and gift card details from the accounts of Yahoo users. Here are some of one hacker’s exploits as described by the indictment:
For example, on or about April 26, 2015, [Alexsey Alexseyevich Belan] searched within a victim user’s account for credit card verification values (“cvv” numbers). As another example, on or about June 20, 2015, he did the same within a different user account, in addition to searching for “amex”; then he moved to another victim account and searched for, among other terms, “visa,” “amex,” “mastercard,” and “credit...card”; then searched for those same terms in yet another user’s account on the same day. In all, [Belan] sought financial information from at least eight Yahoo users’ accounts that day.
Prosecutors say that same hacker used his access to 30 million Yahoo accounts in order to set up an automated system to steal those users’ contacts. These contact lists are highly valuable to spammers, as someone is much more likely to click on some malicious spam link if it appears to come from a friend or colleague.
In addition, the hackers are accused of targeting US and Russian government officials as well as journalists critical of Russia. From the indictment:
The conspirators used their unauthorised access to Yahoo’s network to identify and access accounts of, among other victims, users affiliated with U.S. online service providers, including but not limited to webmail providers and cloud computing companies, whose account contents could facilitate unauthorised access to other victim accounts; Russian journalists and politicians critical of the Russian government; Russian citizens and government officials; former officials from countries bordering Russia; and U.S. government officials, including cyber security, diplomatic, military, and White House personnel.
Furthermore, the hackers appear to have targeted specific people in what seem like fairly obvious attempts to profit off the hacked information. Prosecutors say the hackers successfully hacked accounts belonging to “14 employees of a Swiss bitcoin wallet and banking firm,” a “sales manager at a major U.S. financial company,” a “senior officer of a major U.S. airline,” a “Shanghai-based managing director of a U.S. private equity firm,” and a “Chief Technology Officer of a French transportation company.” The list goes on and on.
There are tonnes of other juicy tidbits in the indictment. According to one section, an FSB hacker named Igor Sushchin worked as the head of information security at a Russian financial firm and secretly monitored the communications of that firm’s employees. Yet another portion describes how one of the FSB officers paid a non-FSB co-conspirator to break into at least 13 specific Google and other email accounts. These email accounts allegedly belonged to people like the “Deputy Chairman of the Russian Federation, Russian Ministry of Internal Affairs and a physical training expert working in the Ministry of Sports of a Russian republic,” suggesting a possible connection to Russia’s well-oiled Olympic doping operation.
The hackers are accused of using all kinds of methods, from simple things like “spear phishing” to stealing and creating their own authentication cookies from Yahoo’s servers. Spear phishing, the same method allegedly used to compromise Clinton campaign chairman John Podesta’s account, works by sending someone an email that looks authentic, like a password reset email that appears to be sent from Google. In reality, the email contains a malicious link that tricks you into giving your password to a hacker or secretly installing malware onto your computer.
According to the indictment, the hackers installed malware in order to further compromise Yahoo’s servers and to cover up their tracks once they gained access. Yahoo probably had shit security, but even then, a compromise this devastating and complex isn’t child’s play. From the indictment:
The [user database] was, and contained, proprietary and confidential Yahoo technology and information, including, among other data, subscriber information, such as: account users’ names; recovery email accounts and phone numbers, which users provide to webmail providers, such as Yahoo, as alternative means of communication with the provider; password challenge questions and answers; and certain cryptographic security information associated with the account, i.e. the account’s “nonce”, further described below. Some of the information in the UDB was stored in an encrypted form.
This is... about as bad as it gets, folks! Somehow, of course, it manages to get worse. Prosecutors say the hackers then used a Yahoo account management tool to “manage aspects of its users’ accounts, including to make, log, and track changes to the account, such as password changes.” As mentioned earlier, the hackers were able to generate and obtain authentication cookies, so they could access Yahoo accounts without even needing to steal passwords. According to the indictment, the hackers “utilised cookie minting to access the contents of more than 6,500 Yahoo user accounts.” Basically, Yahoo got fucked from top to bottom.
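To make the “nonce” and “cookie minting” passages concrete, here is an added illustration (not Yahoo’s code, and not from the indictment) of a common design in which a login cookie is signed with a key derived from a server secret plus a per-account nonce stored in the user database. The point for defenders is the last function: once the nonce is rotated, every cookie minted under the old nonce stops verifying, which is how a provider invalidates sessions after a breach. The `UDB` dictionary, `SERVER_KEY` and the cookie layout are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side signing secret (assumption, not a real value).
SERVER_KEY = b"constructed-server-signing-key"

# Toy stand-in for the user database ("UDB") holding each account's nonce.
UDB = {"alice": {"nonce": "constructed-initial-nonce"}}


def _sign(payload: bytes, nonce: str) -> str:
    """HMAC over the cookie payload with a key derived from SERVER_KEY and the account nonce."""
    per_account_key = hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).digest()
    return hmac.new(per_account_key, payload, hashlib.sha256).hexdigest()


def mint_cookie(user: str, issued_at: int) -> str:
    """Server-side cookie issuance after a successful login: payload.signature."""
    payload = json.dumps({"u": user, "iat": issued_at}, separators=(",", ":")).encode()
    signature = _sign(payload, UDB[user]["nonce"])
    return base64.urlsafe_b64encode(payload).decode() + "." + signature


def verify_cookie(cookie: str):
    """Return the account name if the cookie is valid under the account's current nonce, else None."""
    try:
        encoded, signature = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
        user = json.loads(payload)["u"]
    except (ValueError, KeyError):
        return None
    record = UDB.get(user)
    if record is None:
        return None
    # Constant-time comparison; a cookie minted under an older nonce fails here.
    if not hmac.compare_digest(_sign(payload, record["nonce"]), signature):
        return None
    return user


def rotate_nonce(user: str) -> None:
    """Containment step: a fresh nonce invalidates every previously minted cookie for this account."""
    UDB[user]["nonce"] = secrets.token_hex(16)
```

Rotating nonces (or the server key) is only effective if the rotated value is no longer in the attacker's hands, which is why a breach of the database that stores them forces a full reset rather than a selective one.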