It’s a terrifying headline: hackers backed by Russian intelligence agents raided a database to steal information on more than 500 million Yahoo users. Possibly the Largest. Hack. Ever. But dig a bit into the Justice Department’s indictment against the four individuals charged with the crime, including two intelligence agents with Russia’s Federal Security Service, or FSB, and you’ll see an operation that got out of hand and eventually fostered a number of embarrassing side schemes.
It started with Russian operatives spying on other Russians; ultimately, some 500 million Yahoo users were caught up as collateral damage.
The indictment alleges that Igor Anatolyevich Sushchin and Dmitry Aleksandrovich Dokuchaev, the two FSB operatives, were conducting counterintelligence operations that focused on several key Russians:
• “An officer of the Russian Ministry of Internal Affairs assigned to the Ministry’s…bureau of special technical projects.”
• “An assistant to the deputy chairman of the Russian Federation.”
• “A Russian journalist and investigative reporter who worked for Kommersant Daily.”
• “A Russian official who was both the chairman of a Russian Federation Council committee and a senior official at a major transport corporation.”
• “A diplomat from a country bordering Russia who was posted in a European Country.”
• “A former minister of economic development of a country bordering Russia, his wife.”
In some cases, the two officers didn’t even know who they were looking for. They allowed clues on one compromised account to lead them to another.
Other targets included a Russian sports trainer, executives at a Western cloud-computing company, a handful of bank executives, and more.
So where does Yahoo come in? To help follow their leads, Sushchin and Dokuchaev hired a couple of young contractors, Alexsey Alexseyevich Belan, 29, and Karim Baratov, 22. It was Belan who stole a copy of Yahoo’s User Database, or UDB. That included users’ names, recovery email accounts, and phone numbers, along with “information required to manually create, or ‘mint,’ account authentication web browser ‘cookies’ for more than 500 million Yahoo accounts,” according to the indictment. With minted cookies the team could pose as specific users without knowing their passwords, and, where that wasn’t enough, use the recovery details to fool Yahoo’s automated account-recovery process and set new passwords.
Between December 2014 and May 2015, this stolen information allowed the team to access the Yahoo accounts of almost all of the targets listed above.
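The mechanism the indictment describes above, minting login cookies from the contents of a stolen user database, modelled as an added example (this is not code from the article, the indictment, or Yahoo). Scheme A keeps the per-user value needed to mint a cookie in the same table as the profile data, so a copy of the table is enough to forge cookies the server accepts; Scheme B signs cookies with a key held outside the user store and checks each one against a server-side session table, so a dump alone mints nothing and a key rotation invalidates every outstanding cookie at once. The table schema, the field names, both cookie formats and the sample rows are assumptions for illustration; the page does not describe Yahoo’s actual cookie format.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed sample rows in the style of a user database (hypothetical schema;
# the page does not describe the real UDB layout). Scheme A stores the per-user
# cookie-minting nonce right next to the recovery data.
USER_DB = {
    "alice": {"recovery_email": "alice.backup@example.net",
              "phone": "+1-555-0100", "cookie_nonce": "6f1c2a9e0d4b8c73"},
    "bob":   {"recovery_email": "bob.recovery@example.org",
              "phone": "+1-555-0101", "cookie_nonce": "b20e77d1a5f39c48"},
}

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# ---- Scheme A (weak, hypothetical): everything needed to mint lives in the DB ----
def mint_cookie_weak(username: str, db: dict) -> str:
    """Cookie = username + hash(username || nonce). Whoever holds a copy of the
    table can compute it, so a database dump equals account takeover."""
    nonce = db[username]["cookie_nonce"]
    tag = hashlib.sha256(f"{username}|{nonce}".encode()).hexdigest()
    return _b64(f"{username}|{tag}".encode())

def verify_cookie_weak(cookie: str, db: dict) -> Optional[str]:
    try:
        username, tag = _unb64(cookie).decode().split("|", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    if username not in db:
        return None
    expected = hashlib.sha256(f"{username}|{db[username]['cookie_nonce']}".encode()).hexdigest()
    return username if hmac.compare_digest(tag, expected) else None

# ---- Scheme B (hardened, hypothetical): server-held key plus a session table ----
class SessionServer:
    def __init__(self, key: bytes, ttl: int = 3600):
        self._key = key          # kept in a secrets store / HSM, never in the user DB
        self._ttl = ttl
        self._sessions = {}      # session_id -> (username, expiry); revocable server-side

    def _sign(self, body: bytes) -> str:
        return _b64(hmac.new(self._key, body, hashlib.sha256).digest())

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_hex(16)
        expiry = int(now + self._ttl)
        self._sessions[sid] = (username, expiry)
        body = json.dumps({"u": username, "sid": sid, "exp": expiry}, separators=(",", ":")).encode()
        return _b64(body) + "." + self._sign(body)

    def verify(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        try:
            body_b64, sig = cookie.split(".", 1)
            body = _unb64(body_b64)
        except ValueError:               # malformed cookie (binascii.Error is a ValueError)
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None                  # forged, tampered, or minted under a retired key
        claims = json.loads(body)        # only reached for bodies we signed ourselves
        sess = self._sessions.get(claims["sid"])
        if sess is None or sess[0] != claims["u"] or now > sess[1]:
            return None                  # revoked, unknown, or expired session
        return claims["u"]

    def rotate_key(self, new_key: bytes) -> None:
        """Breach response: every cookie signed under the old key stops verifying."""
        self._key = new_key
        self._sessions.clear()

def demo() -> dict:
    results = {}
    # The attacker holds a copy of the table (a dict copy stands in for the dump).
    stolen_copy = {u: dict(row) for u, row in USER_DB.items()}
    results["weak_forged_accepted"] = verify_cookie_weak(mint_cookie_weak("alice", stolen_copy), USER_DB)

    server = SessionServer(key=secrets.token_bytes(32))
    legit = server.issue("alice")
    results["strong_legit"] = server.verify(legit)
    # Same dump, but no key: signing with a guessed key is rejected.
    attacker = SessionServer(key=secrets.token_bytes(32))
    results["strong_forged"] = server.verify(attacker.issue("alice"))
    # Editing the signed body (alice -> bob) breaks the MAC.
    body_b64, sig = legit.split(".")
    tampered = _b64(_unb64(body_b64).replace(b'"alice"', b'"bob"')) + "." + sig
    results["strong_tampered"] = server.verify(tampered)
    server.rotate_key(secrets.token_bytes(32))
    results["strong_after_rotation"] = server.verify(legit)
    return results
```

Running demo() shows the weak scheme accepting a cookie minted from the stolen copy, while the hardened server rejects forged, tampered and pre-rotation cookies. The practical check is simple: if someone holding a read-only copy of your user store can produce something your servers accept, the session secret lives in the wrong place, and the only remediation after a dump is the kind of mass invalidation rotate_key() performs.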
But what’s more remarkable is what the FSB allowed Belan to do with the information he stole.
The young thief-for-hire embarked on a series of low-level scams. He searched email accounts — not for caches of politically compromising info to sway European elections — but for gift cards to online retailers. There was a nickel-and-dime spam effort aimed at 30 million people. Most hilariously, Belan launched an ad campaign to direct millions of users to specific vendors of erectile dysfunction meds.
“When users searched for erectile dysfunction medications, they were presented with a fraudulent link created by Belan. When a Yahoo User clicked on that link, he or she was taken to a website of a U.S. based cloud computing firm,” the indictment reads.
These petty crimes left a lot of clues in their wake — more than the Russian intelligence services likely anticipated from the modern privateers they employ.
Toomas Hendrik Ilves, the former president of Estonia, says that links between FSB agents and criminal contractors are becoming more common. He should know. One year after he took office in 2006, Estonia suffered a massive cyber attack at the hands of the Kremlin.
“Given that there were criminal gangs” perpetrating this denial-of-service attack, Ilves told the Senate Judiciary Committee on Wednesday, “this was a unique form of public-private partnership, of which we have seen numerous examples since. Most recently, I would say, today with the announcement of the attorney general about people involved in hacking for money, and for stealing money, and at the same time, employees of the FSB.”
It also follows a three-year pattern of brazenness, or sloppiness, by Russian state hackers, according to FireEye CEO Kevin Mandia. Mandia’s cybersecurity company is credited with first identifying the Russian state-backed group, dubbed APT 28 or Fancy Bear, that went on to hack the Democratic National Committee. In 2014, he told reporters on Wednesday, APT 28 grew less careful about covering its tracks.
“Their counter-forensics went down,” he said. “I would propose, if you do an offensive operation, you need to cover your tracks. You would be staring at a checklist of things you need to clean up when you’re done. Whatever happened, they stopped following the checklist for the cleanup. I said, ‘Wow, they’re getting less disciplined.’”
That pattern continues, Mandia said, as does the Kremlin’s habit of relying on contractors, who provide not just expertise in penetrating networked systems around the globe but a certain level of plausible deniability when caught.
And that underscores a sad truth of our Interconnected Era. Under international law, espionage is officially neither legal nor illegal. But at least it used to be subtle. There was a spy and there was a target. If the operation succeeded, only one party would ever know what had happened.
Much intelligence collection today happens via popular consumer devices and networks. Looking for information about a small handful of people means compromising a device or service used by millions. That creates opportunities for side businesses for shady contractors, which creates messiness.
“This blurring of traditional roles and restrictions and this proxy ‘cyber espio-crime’ is exceedingly difficult to deter without serious escalation,” says Patrick Skinner, a former CIA case officer who now directs special projects for the Soufan Group. “Espionage certainly has gotten more messy … Russia, above all, is blurring the line — it really exists, even in a world of grey — between state-sponsored espionage for classic leverage and criminal theft used for profit and mayhem as well as for leverage. To the intelligence community, that is a profound shift. And not a good one.”
As for the hackers indicted in February: two were in custody at the time of this writing. Baratov, a Canadian resident, was nabbed in Ancaster, Ontario, on Wednesday. Dokuchaev was picked up in Russia in December — and charged with treason by the government he served, albeit for a different crime.
CORRECTION: An earlier version of this article stated that Dokuchaev was arrested in February. He was arrested in December.