A grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts. The defendants are Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident; Igor Anatolyevich Sushchin, 43, a Russian national and resident; Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident; and Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22, a Canadian national and a resident of Canada.
— www.justice.gov (see below)
Court documents for cases such as this one are worth reading because they describe real-world intrusions in enough detail to show defenders how an attack actually unfolds and what could have indicated a problem along the way. The indictment shows how the initial breach was made, how the intruders exploited it, and how they then maintained persistent access to the systems of a major internet services provider.
In this case, the intruders used “spear phishing” to trick unwitting recipients into giving up access to their computers and accounts. They also created, or “minted,” account authentication “cookies” to gain access to webmail accounts. They also targeted the email accounts of close associates of their targets, including spouses and children, to gather additional information about, and belonging to, their intended victims.
In or around November and December 2014, BELAN stole a backup copy of the Yahoo User Database. At least part of this database was exfiltrated over File Transfer Protocol (FTP). The database contained the per-account authentication “nonces” used to produce session cookies. For accounts whose passwords had not been changed, a stolen nonce could be used to mint a valid authentication cookie, and access to Yahoo’s Account Management Tool let the conspirators keep minting cookies and so maintain their access without ever needing a password. They could then search the email accounts of interest for information of value. Two points for defenders follow directly: a backup copy of a user database that holds per-account authentication material is every bit as sensitive as the live database, and a bulk transfer of it over plaintext FTP is exactly the kind of egress that network monitoring should be positioned to catch.
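To make the mechanism in the paragraph above concrete, here is an added example in Python that is not from the indictment and not Yahoo’s code (Yahoo’s real cookie format and Account Management Tool are not described on this page). It models a session cookie as an HMAC over the username, an expiry and a per-account nonce held in the user database; the key `MINT_KEY`, the user records and all function names are constructed for the example. It shows why a stolen database copy plus the ability to mint lets an attacker forge a cookie without the password, why a password change that rotates the nonce invalidates such a cookie, and why an account that never rotates stays exposed.

```python
import hashlib
import hmac
import secrets

# Constructed model of a nonce-based session-cookie scheme (an assumption for the
# example, not Yahoo's real design). Each account stores a long-lived random nonce;
# a cookie is valid only if its MAC was computed over the account's *current* nonce.

# Stands in for the server-side minting capability (the account management tooling).
# Hard-coded here only so the example runs offline.
MINT_KEY = b"example-minting-key-not-real"


def new_nonce() -> str:
    return secrets.token_hex(16)


# Constructed user database: username -> account record holding the current nonce.
USER_DB = {
    "alice": {"nonce": new_nonce()},
    "bob": {"nonce": new_nonce()},
}


def mint_cookie(username: str, nonce: str, expires: int, key: bytes = MINT_KEY) -> str:
    """Build a cookie whose MAC binds username, expiry and the account nonce together."""
    msg = f"{username}|{expires}|{nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{username}|{expires}|{mac}"


def verify_cookie(cookie: str, now: int, db=USER_DB, key: bytes = MINT_KEY) -> bool:
    """Accept only an unexpired cookie whose MAC matches the account's current nonce."""
    try:
        username, expires_s, mac = cookie.split("|")
        expires = int(expires_s)
    except ValueError:
        return False
    record = db.get(username)
    if record is None or now >= expires:
        return False
    msg = f"{username}|{expires}|{record['nonce']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def change_password(username: str, db=USER_DB) -> None:
    """Rotate the nonce on password change; this is what kills previously minted cookies."""
    db[username]["nonce"] = new_nonce()


def demo(now: int = 1_700_000_000) -> dict:
    """Walk through theft of the database, cookie minting, and rotation."""
    # The attacker exfiltrates a backup: every current nonce leaks with it.
    stolen_backup = {user: dict(rec) for user, rec in USER_DB.items()}

    # With a stolen nonce and the ability to mint, a cookie for alice is forged
    # without her password ever being known.
    forged_alice = mint_cookie("alice", stolen_backup["alice"]["nonce"], now + 3600)
    before_rotation = verify_cookie(forged_alice, now)

    # Alice changes her password, which rotates her nonce: the forged cookie dies.
    change_password("alice")
    after_rotation = verify_cookie(forged_alice, now)

    # Bob never changed his password, so a cookie minted from his stolen nonce still works.
    forged_bob = mint_cookie("bob", stolen_backup["bob"]["nonce"], now + 3600)
    bob_still_valid = verify_cookie(forged_bob, now)

    # Sanity checks on the verifier: a retargeted cookie fails the MAC, an expired one
    # fails the time check.
    tampered = forged_bob.replace("bob", "alice", 1)
    expired = mint_cookie("bob", stolen_backup["bob"]["nonce"], now - 1)

    return {
        "before_rotation": before_rotation,
        "after_rotation": after_rotation,
        "bob_still_valid": bob_still_valid,
        "tampered_valid": verify_cookie(tampered, now),
        "expired_valid": verify_cookie(expired, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design choice worth noticing is that the cookie MAC is only as secret as the nonce it covers. Once a backup containing nonces leaves the building, every account that does not rotate its nonce remains mintable for as long as the attacker retains minting access, which is exactly the persistence the indictment describes.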