Acting Assistant Attorney General Mary McCord speaks during a news conference at the Justice Department in front of a mug shot poster of Russian hacker Alexsey Alexseyevich Belan. AP / SUSAN WALSH

Yahoo, Erectile Dysfunction Meds, and the Sloppy Future of Russian Spying

Two hackers hired by FSB agents started running side scams. Now Moscow has account data on half a billion Yahoo users.

It’s a terrifying headline: hackers backed by Russian intelligence agents raided a database to steal information on more than 500 million Yahoo users. Possibly the Largest. Hack. Ever. But dig a bit into the Justice Department’s indictment against the four individuals charged with the crime, including two intelligence agents with Russia’s Federal Security Service, or FSB, and you’ll see an operation that got out of hand and eventually fostered a number of embarrassing side schemes.

It started with Russian operatives spying on other Russians; ultimately, some 500 million Yahoo users were caught up as collateral damage.

The indictment alleges that Igor Anatolyevich Sushchin and Dmitry Aleksandrovich Dokuchaev, the two FSB operatives, were conducting counterintelligence operations that focused on several key Russians:

•  “An officer of the Russian Ministry of Internal Affairs assigned to the Ministry’s…bureau of special technical projects.”

•  “An assistant to the deputy chairman of the Russian Federation.”

•  “A Russian journalist and investigative reporter who worked for Kommersant Daily.”

•  “A Russian official who was both the chairman of a Russian Federation Council committee and a senior official at a major transport corporation.”

•  “A diplomat from a country bordering Russia who was posted in a European Country.”

•  “A former minister of economic development of a country bordering Russia, his wife.”

In some cases, the two officers didn’t even know who they were looking for. They allowed clues on one compromised account to lead them to another.

Other targets included a Russian sports trainer, executives at a Western cloud-computing company, a handful of bank executives, and more.

So where does Yahoo come in? To help follow their leads, Sushchin and Dokuchaev hired a couple of young contractors, Alexsey Alexseyevich Belan, 29, and Karim Baratov, 22. It was Belan who stole a copy of Yahoo’s User Database, or UDB. That included info on users’ names, recovery email accounts, phone numbers — “information required to manually create, or ‘mint,’ account authentication web browser ‘cookies’ for more than 500 million Yahoo accounts,” according to the indictment. That allowed the team to pose as specific users, fool Yahoo’s automated account-retrieval software, and create new passwords to break into accounts.

Between December 2014 and May 2015, this stolen information allowed the team to access the Yahoo accounts of almost all of the targets listed above.

But what’s more remarkable is what the FSB allowed Belan to do with the information he stole.

The young thief-for-hire embarked on a series of low-level scams. He searched email accounts — not for caches of politically compromising info to sway European elections — but for gift cards to online retailers. There was a nickel-and-dime spam effort aimed at 30 million people. Most hilariously, Belan launched an ad campaign to direct millions of users to specific vendors of erectile dysfunction meds.

“When users searched for erectile dysfunction medications, they were presented with a fraudulent link created by Belan. When a Yahoo User clicked on that link, he or she was taken to a website of a U.S. based cloud computing firm,” the indictment reads.

These petty crimes left a lot of clues in their wake — more than the Russian intelligence services likely anticipated from the modern privateers they employ.

Toomas Hendrik Ilves, the former president of Estonia, says that links between FSB agents and bad contractors are becoming more common. He should know. One year after he took office in 2006, Estonia suffered a massive cyber attack at the hands of the Kremlin.

“Given that there were criminal gangs” perpetrating this denial-of-service attack, Ilves told the Senate Judiciary Committee on Wednesday, “this was a unique form of public-private partnership, of which we have seen numerous examples since. Most recently, I would say, today with the announcement of the attorney general about people involved in hacking for money, and for stealing money, and at the same time, employees of the FSB.”

It also follows a three-year pattern of brazenness, or sloppiness, by the FSB, according to FireEye CEO Kevin Mandia. Mandia’s cybersecurity company is credited with first identifying the FSB unit, dubbed APT 28 or Fancy Bear, that went on to hack the Democratic National Committee. In 2014, he told reporters on Wednesday, APT 28 grew less careful about covering its tracks.

“Their counter-forensics went down,” he said. “I would propose, if you do an offensive operation, you need to cover your tracks. You would be staring at a checklist of things you need to clean up when you’re done. Whatever happened, they stopped following the checklist for the cleanup. I said, ‘Wow, they’re getting less disciplined.’”

That pattern continues, Mandia said, as does the Kremlin’s habit of relying on contractors, who provide not just expertise in penetrating networked systems around the globe but a certain level of plausible deniability when caught.

And that underscores a sad truth of our Interconnected Era. Under international law, espionage is officially neither legal nor illegal. But at least it used to be subtle. There was a spy and there was a target. If the operation succeeded, only one party would ever know what had happened.

Much intelligence collection today happens via popular consumer devices and networks. Looking for information about a small handful of people means compromising a gadget or service used by millions. That creates opportunities for side businesses for shady contractors, which creates messiness.

“This blurring of traditional roles and restrictions and this proxy 'cyber espio-crime' is exceedingly difficult to deter without serious escalation,” says Patrick Skinner, a former CIA case officer who now directs special projects for the Soufan Group. “Espionage certainly has gotten more messy … Russia, above all, is blurring the line — it really exists, even in a world of grey — between state-sponsored espionage for classic leverage and criminal theft used for profit and mayhem as well as for leverage. To the intelligence community, that is a profound shift. And not a good one.”

As for the hackers indicted in February: two were picked up by the time of this writing. Baratov, a Canadian resident, was nabbed in Ancaster, Ontario, on Wednesday. Dokuchayev was picked up in Russia in December — and charged with treason by the government he served, albeit for a different crime.

CORRECTION: An earlier version of this article stated that Dokuchayev was arrested in February. He was arrested in December. 
