How did Yahoo get breached? Employee got spear phished, FBI suggests

SAN FRANCISCO—The indictment unsealed Wednesday by US authorities against two agents of the Russian Federal Security Service, or FSB, (Dmitry Dokuchaev and Igor Sushchin) and two hackers (Alexsey Belan and Karim Baratov) provides some details of how Yahoo was pillaged of user data and its own technology over a period of over two years. But at a follow-up briefing at the FBI office here today, officials gave fresh insight into how they think the hack began—with a "spear phishing" e-mail to a Yahoo employee early in 2014.

Malcolm Palmore, the FBI special agent in charge of the bureau’s Silicon Valley office, told Ars in an interview that the initial breach that led to the exposure of half a billion Yahoo accounts likely started with the targeting of a “semi-privileged” Yahoo employee and not top executives. He said social engineering or spear phishing “was the likely avenue of infiltration" used to gain the credentials of an “unsuspecting employee” at Yahoo.

Palmore declined Ars’ request to elaborate during a brief interview inside the San Francisco FBI office, and he would not say whether the government or Yahoo discovered the breach. He also would not say how long the intrusion lasted before it was cut off.

In like Flynn (Errol, not Michael)

The targeted attack allowed the four, and possibly other unnamed parties, to gain direct access to Yahoo's internal networks. Once in, Alexsey Belan—a hacker already wanted in the United States for a series of intrusions into the networks of e-commerce providers—is alleged to have conducted reconnaissance of Yahoo's networks. In the process, he discovered two key assets, according to the FBI: Yahoo's User Database (UDB) and an administrative tool called the Account Management Tool.

While the UDB's contents did not necessarily give everything required to access individual user accounts, it did give Belan and the two FSB agents information that could be used to locate and target specific accounts of interest. And the Account Management Tool could be used to make alterations to targeted accounts, including password changes.

The intruders then discovered a tool that let them "mint" cookies for specific user accounts, allowing them to gain access to the accounts without changing their passwords. The UDB records for each user contained a "nonce"—a cryptographic number associated with the user's account that could be used to generate the cookies issued after user authentication. Using the code—at first on the Yahoo network and then outside of it on systems they controlled, both the FSB agents and Belan allegedly were able to create forged cookies and use them to gain access to targeted accounts.

Belan moved some of the data from the UDB to his own computer between November and December of 2014, using the File Transfer Protocol, according to the indictment. From that point, the group was able to generate cookies without directly accessing the Yahoo network. However, since the nonces associated with users changed when those users changed their passwords, the externally generated cookies would fail whenever they targeted an account with a change after the UDB was stolen. Those failed cookies were logged by Yahoo's systems.

The way the forged cookies were used was documented by one of the conspirators. In an e-mail sent in July of 2015, Dokuchaev sent Sushchin a screenshot from his Apple computer of a plugin tool for Firefox called Advanced Cookie Manager—along with instructions on how to use the tool to insert a forged cookie for a Yahoo account. Over the course of the breach, the FBI said, the FSB agents and Belan used the cookies to access "more than 6,500 Yahoo accounts."

Target-rich environment

With the Yahoo keys to the kingdom in hand, according to the indictment, the hackers sought access to the Yahoo accounts of "Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; and numerous employees of U.S., Russian, and other foreign webmail and Internet-related service providers whose networks the conspirators sought to further exploit."

In other instances, according to the indictment, the hackers "sought access to accounts of employees of commercial entities, including executives and other managers of a prominent Russian investment banking firm…; a French transportation company; U.S. financial services and private equity firms; a Swiss bitcoin wallet and banking firm; and a U.S. airline."

John Bennett, the FBI special agent in charge in San Francisco, told a news conference that the bureau was unsure how far up the Kremlin chain the hack went. “I don’t have that playbook,” he said.

“This has been a long grind for several years to get to this point,” Bennett said of the unsealed indictments.

Bennett said Yahoo's executives and staff “were great partners” during the investigation. He said Yahoo was under no government mandate not to tell customers of the breach. But the company did delay disclosure for nearly two years.