The Yahoo Indictment: Erectile Dysfunction Marketing, Plus Stuff NSA Does All the Time

With much fanfare today, DOJ indicted four men for pwning Yahoo from 2014 to 2016. The indictment names two FSB officers, Dmitry Dokuchaev (who was charged by Russia with treason in December) and Igor Sushchin (who worked undercover at a Russian financial company), and two other hackers, Alexsey Belan (who has been indicted in the US twice and was named in December’s DNC hack sanctions) and Karim Baratov (who, because he lives in Canada, was arrested and presumably will be extradited).

Among the charged crimes, they accused Belan of using his access to the Yahoo network to game search results for erectile dysfunction drugs, for which he got commission from the recipient of the redirected traffic.

BELAN leveraged his access to Yahoo’s network to enrich himself: (a) through an online marketing scheme, by manipulating Yahoo search results for erectile dysfunction drugs; (b) by searching Yahoo user email accounts for credit card and gift card account numbers and other information that could be monetized; and (c) by gaining unauthorized access to the accounts of more than 30 million Yahoo users, the contacts of whom were then stolen as part of a spam marketing scheme.

But almost the entirety of the rest of the indictment — forty-seven charges worth — consists of stuff the FBI and NSA do both lawfully in this country and under EO 12333 in other countries (almost certainly including Russia).

Collect metadata and then collect content over time

Consider the details the indictment provides about how these Russians obtained information from Yahoo and other email services, including Google.

First, they collected a whole bunch of metadata.

[T]he conspirators stole non-content information regarding more than 500 million Yahoo user accounts as a result of their malicious intrusion.

The US did this in bulk under the PRTT Internet dragnet program from 2004 to 2011, and now conducts similar metadata collection overseas (as well as — in more targeted fashion — under PRISM). Mind you, the Russians got far more types of metadata than the US did under the PRTT program.

account users’ names; recovery email accounts and phone numbers, which users provide to webmail providers, such as Yahoo, as alternative means of communication with the provider; password challenge questions and answers; and certain cryptographic security information associated with the account, i.e. the account’s “nonce”

But this likely gives you an understanding of the kinds of things the US does collect overseas, as well as via the PRISM program.

The Russians then either accessed the accounts directly or created fake cookies to access accounts (note, the US also gets cookies lawfully from at least some Internet providers; I suspect they also do so under the new USA Freedom collection).

The indictment provides this comment about how many Yahoo user accounts the Russians accessed by minting cookies over the almost three years they were in Yahoo’s networks (January 2014 to December 1, 2016; this may not represent the entirety of the Yahoo content they accessed).

The conspirators utilized cookie minting to access the contents of more than 6,500 Yahoo user accounts.

Compare that to US requests from Yahoo in just 2015. Yahoo turned over content on at least 40,000 accounts under FISA (first half, second half) and content in response to 2,356 US law enforcement requests during a period when government requests averaged 1.8 accounts per request (so roughly 4,240 accounts).

Once they accessed the accounts, they maintained access to them, as the government does under PRISM.

The conspirators used their access to the AMT to (among other unauthorized actions) maintain persistent unauthorized access to some of the compromised accounts.

The Russians used both the metadata and content stolen from Yahoo to obtain access to other accounts, both in the US and in Russia.

the conspirators used the stolen Yahoo data to compromise related user accounts at Yahoo, Google, and other webmail providers, including the Russian Webmail Provider

Again, this is a key function of metadata requests by the US — to put together a mosaic of all the online accounts of a given target, so they can access all the accounts that may be of interest.

Like PRISM (but reportedly unlike the scan of all Yahoo emails FBI had done in 2015), the Russians were not able to search all of Yahoo’s email for content. Instead they searched metadata to find content of interest.

The AMT did not permit text searches of underlying data. It permitted the conspirators to access information about particular Yahoo user accounts. However, by combining their control of the stolen UDB copy and access to the AMT, the conspirators could, for example, search the UDB contents to identify Yahoo user accounts for which the user had provided a recovery email account hosted by a specific company of interest to the conspirators (e.g., “[email protected]”), showing that the user was likely an employee of the company of interest, and then use information from the AMT to gain unauthorized access to the identified accounts using the means described in paragraph 26.
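To make concrete what a stolen user database (each account’s recovery email and its “nonce”) plus the cookie-minting code buys an intruder, and why rotating the stored nonce is the remedy, here is an added toy example written for this post. It is a constructed, simplified scheme, not Yahoo’s design and not code from the indictment; the record fields, the cookie layout and the sample values are all assumptions.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Hypothetical scheme (constructed for illustration, not Yahoo's): the server
# stores a random per-account nonce in its user database (UDB) and holds a
# signing key. A cookie is accepted only if its MAC was computed over the
# account id and that account's *current* nonce.


@dataclass
class UserRecord:
    account_id: str
    recovery_email: str  # what the UDB search in the indictment keys on
    nonce: bytes         # the "cryptographic security information" the UDB held


@dataclass
class SessionService:
    signing_key: bytes
    users: dict = field(default_factory=dict)

    def mint(self, account_id: str, nonce: bytes) -> str:
        """Produce the cookie for account_id under the given nonce."""
        msg = account_id.encode() + b"|" + nonce
        mac = hmac.new(self.signing_key, msg, hashlib.sha256).hexdigest()
        return f"{account_id}.{mac}"

    def verify(self, cookie: str) -> bool:
        """Accept the cookie only if it matches the account's stored nonce."""
        account_id, _, _ = cookie.partition(".")
        user = self.users.get(account_id)
        if user is None:
            return False
        expected = self.mint(account_id, user.nonce)
        return hmac.compare_digest(expected, cookie)

    def rotate_nonce(self, account_id: str) -> None:
        """Mitigation: a fresh nonce invalidates every cookie computed over the old one."""
        self.users[account_id].nonce = secrets.token_bytes(16)


def accounts_with_recovery_domain(users: dict, domain: str) -> list:
    """The UDB query described in the indictment: accounts whose recovery
    address is hosted at a given company's domain (likely its employees)."""
    suffix = "@" + domain.lower()
    return sorted(uid for uid, u in users.items()
                  if u.recovery_email.lower().endswith(suffix))


def demo() -> dict:
    svc = SessionService(signing_key=b"constructed-server-key")
    svc.users["u1"] = UserRecord("u1", "alice@company-of-interest.example", b"nonce-u1")
    # A copy of the UDB row plus the minting routine yields a cookie the server
    # accepts, without the password ever being involved.
    stolen_nonce = svc.users["u1"].nonce
    minted_offline = svc.mint("u1", stolen_nonce)
    accepted_before = svc.verify(minted_offline)
    # Rotating the stored nonce is what actually cuts that access off.
    svc.rotate_nonce("u1")
    accepted_after = svc.verify(minted_offline)
    return {"accepted_before": accepted_before, "accepted_after": accepted_after}
```

The point of the demo is that changing passwords does nothing here; only rotating the per-account nonce (and, if leaked, the signing key) invalidates cookies minted from a stolen database copy.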

And, as we’ll see below, the Russians “hunted SysAdmins,” as we know NSA does, to get further access to whatever networks they managed.

In other words, aside from the Viagra ads and credit card theft, the Russians were doing stuff that America’s own spies do all the time, using many of the same methods.

Let me be clear: I’m not saying this means America is just as evil as Russia. Indeed, as the list of targets suggests, a lot of this collection serves for internal spying purposes, something the US primarily does under the guise of Insider Threat analysis. Rather, I’m simply observing that except for some of the alleged actions of Belan, this indictment is an indictment for spying, not typical hacking.

The US didn’t indict anyone in China when it hacked Google in 2013. Nor did China indict the US when details of America’s far greater sabotage of Huawei networks emerged under the Snowden leaks. But the US chose to indict not just Belan, but also three people engaged in nation-state spying. Why?

Redefine economic espionage

I find all this particularly interesting given that the government included four charges — counts 2 and 4 through 6 — related to economic espionage for stealing the following:

a. Yahoo’s UDB and the data therein, including user data such as the names of Yahoo users, identified recovery email accounts and password challenge answers, and Yahoo-created and controlled data regarding its users’ accounts;

b. Yahoo’s AMT, its method and manner of functioning and capabilities, and the data it contained and provided; and

c. Yahoo’s cookie minting source code.

The US always justifies its global spying by claiming that it does not engage in industrial espionage, based on the flimsy explanation that it doesn’t share any information with allegedly private companies (including government contractors like Lockheed) they can use to compete unfairly.

But here we are, treating nation-state information collection — the kinds of actions our own hackers do all the time — as economic espionage. The only distinction here is that Belan also used his Yahoo access for personal profit. And yet Sushchin and Dokuchaev are also named in those counts.

Which raises the question of why DOJ decided to indict this as they did, especially since it risks an escalation of spying-related indictments. If I were Russia (maybe even China) I’d draw up indictments of American spies who’ve accessed Vkontakte or Yandex and accuse them of economic espionage.

I’ve got several suggestions:

  • To leverage Baratov to learn more about the other three indictees (and FSB Officer 3, who is also mentioned prominently in the indictment)
  • To expose Russia’s targets
  • To expose FSB’s internal spying

Leverage Baratov to learn more about the other three indictees (and FSB Officer 3)

The US is almost certainly never going to get custody of Sushchin, Dokuchaev, or Belan, who are all in Russia safe from any extradition requests. That’s not true of Baratov, who was arrested and whose beloved Aston Martin and Mercedes Benz will be seized. These charges are larded on in such a way as to incent cooperation from Baratov.

Which means the government probably hopes to use the indictment to learn more about the other three indictees.

Remember: Belan was named in the sanctions on the DNC hack. So it may be that DOJ wants more information about those he works with, possibly up to and including on the DNC hack.

Expose Russia’s targets

Then there are the very long descriptions of the kind of people the accused collected on. The indictment highlights these three examples.

For example, SUSHCHIN, DOKUCHAEV, and BARATOV sought access to the Google, Inc. (“Google”) webmail accounts of:

a. an assistant to the Deputy Chairman of the Russian Federation;

b. an officer of the Russian Ministry of Internal Affairs;

c. a physical training expert working in the Ministry of Sports of a Russian republic;

Then provides this list of people hacked at Yahoo:

  • a diplomat from a country bordering Russia who was posted in a European country
  • the former Minister of Economic Development of a country bordering Russia (“Victim A”) and his wife (“Victim B”)
  • a Russian journalist and investigative reporter who worked for Kommersant Daily
  • a public affairs consultant and researcher who analyzed Russia’s bid for World Trade Organization membership
  • three different officers of U.S. Cloud Computing Company 1
  • an account of a Russian Deputy Consul General
  • a senior officer at a Russian webmail and internet-related services provider

And this list of people targeted by Belan (who may or may not have been related to his own efforts rather than FSB’s):

  • 14 employees of a Swiss bitcoin wallet and banking firm
  • a sales manager at a major U.S. financial company
  • a Nevada gaming official
  • a senior officer of a major U.S. airline
  • a Shanghai-based managing director of a U.S. private equity firm
  • the Chief Technology Officer of a French transportation company
  • multiple Yahoo users affiliated with the Russian Financial Firm

And this list of people Baratov hacked at Gmail and other ISPs:

  • an assistant to the Deputy Chairman of the Russian Federation
  • a managing director, a former sales officer, and a researcher, all of whom worked for a major Russian cyber security firm;
  • an officer of the Russian Ministry of Internal Affairs assigned to that Ministry’s “Department K,” its “Bureau of Special Technical Projects,” which investigates cyber, high technology, and child pornography crimes;
  • a physical training expert working in the Ministry of Sports of a Russian republic;
  • a Russian official who was both Chairman of a Russian Federation Council committee and a senior official at a major Russian transport corporation
  • the CEO of a metals industry holding company in a country bordering Russia
  • a prominent banker and university trustee in a country bordering Russia
  • a managing director of a finance and banking company in a country bordering Russia
  • a senior official in a country bordering Russia

For those who weren’t alerted by Yahoo or Google they’d been hacked, these descriptions provide enough detail (as well as partial email addresses for some targets) to figure it out from the indictment.

Expose FSB’s internal spying

As these descriptions make clear, some of these targets are potentially well-connected people in Russia: a Russian Deputy Consul General, someone from Department K, the office of the Deputy Chairman of the Russian Federation, the Chairman of a Russian Federation Council committee (who also happens to be a businessman). Perhaps those people were targeted for sound political reasons — perhaps counterintelligence or corruption, for example. Or perhaps FSB was just trying to gain leverage in the political games of Russia.

Remember: One of the guys — Dokuchaev — is already being prosecuted in Russia for treason. These details might give Russia more material to go after him with.

Sushchin is a special example. As the indictment explains, he was working undercover at some Russian financial firm, but it’s unclear whether his firm knew he was FSB or not.

SUSHCHIN was embedded as a purported employee and Head of Information Security at the Russian Financial Firm, where he monitored the communications of Russian Financial Firm employees, although it is unknown to the grand jury whether the Russian Financial Firm knew of his FSB affiliation.

But it’s clear that Sushchin’s role here was largely to conduct some very focused spying on the firm that he worked for.

In one instance, in or around April 2015, SUSHCHIN ordered DOKUCHAEV to target a number of individuals, including a senior board member of the Russian Financial Firm, his wife, and his secretary; and a senior officer of the Russian Financial Firm (“Corporate Officer 1”).

[I]n or around April 2015, SUSHCHIN sent DOKUCHAEV a list of email accounts associated with Russian Financial Firm personnel and family members to target, including Google accounts. During these April 2015 communications, SUSHCHIN identified a Russian Financial Firm employee to DOKUCHAEV as the “main target.” Also during these April 2015 communications, SUSHCHIN forwarded to DOKUCHAEV an email sent by that “main target’s” wife to a number of other Russian Financial Firm employees. SUSHCHIN added the cover note “this may be of some use.”

Maybe that operation was known by his employers; maybe it wasn’t. Certainly, his cover has now been blown.

All of which is to say that — splashy as this indictment is — the unstated reasons behind it are probably far more interesting than the actual charges listed in it.


10 replies
  1. SpaceLifeForm says:

    Sorry, sorta OT but it really is related:

    Memo to Zack Whittaker:

    It is really a good thing that you reported on the latest data breach…

    “Exclusive: The database contains more than 33 million records from government departments and large corporate clients which get sold onto marketers.”

    But are you aware that *YOU* are part of the story?

    I now know where you work, where you live.

    You should be extremely pissed off.

    I expect you to be on a proverbial mission.

  2. SpaceLifeForm says:

    Spear-phishing?  Or other avenue of attack?

    The FBI has no clue.  They really do not know for sure what really happened.  Yahoo was hacked way before 2014.  And what do they mean by semi-privileged?  Was Yahoo using SELinux?

    SAN FRANCISCO—The indictment unsealed Wednesday by US authorities against two agents of the Russian Federal Security Service, or FSB, (Dmitry Dokuchaev and Igor Sushchin) and two hackers (Alexsey Belan and Karim Baratov) provides some details of how Yahoo was pillaged of user data and its own technology over a period of over two years. But at a follow-up briefing at the FBI office here today, officials gave fresh insight into how they think the hack began—with a “spear phishing” e-mail to a Yahoo employee early in 2014.

    Malcolm Palmore, the FBI special agent in charge of the bureau’s Silicon Valley office, told Ars in an interview that the initial breach that led to the exposure of half a million Yahoo accounts likely started with the targeting of a “semi-privileged” Yahoo employee and not top executives. He said social engineering or spear phishing “was the likely avenue of infiltration” used to gain the credentials of an “unsuspecting employee” at Yahoo.
    Palmore declined Ars’ request to elaborate during a brief interview inside the San Francisco FBI office, and he would not say whether the government or Yahoo discovered the breach. He also would not say how long the intrusion lasted before it was cut off.

  3. PeasantParty says:

    I didn’t say that right above. What I meant to say is, COULD some of this Russian spying have been collected by accident within the large metadata groups circulating to Israel, which Russia certainly spies on too. Aaack! I’m not being very good wordy today.

  4. Avattoir says:

    Re your first suggestion: leverage Baratov

    It’s been a while since I had dealings with extraditions from Canada. The treaty’s the same, plus I doubt the legal standards have changed much if at all (pretty sure I’d be aware of that).

    I’ll open here with caveat: there’s a big distinction between extradition and deportation, and some of that engages Baratov’s status in Canada. If he’s in Canada somehow ‘illegally’, the federal government of Canada can always decide to deport him. There are court review features in deportations out of Canada, plus there’s the question of what country he gets deported TO, but generally it’s a dramatically easier & narrower process than with extradition & takes way less time.

    Okay, back to extradition: on a ‘gross’ level, first understand that the things described in the indictment as being done by Baratov may not count as ‘felony’ level offenses if done IN CANADA – or criminal offenses, or even offenses at all.

    I’d expect the behavior described in the indictment to bring into play a number of what are called “regulatory offenses” under Canadian “administrative law”. But there’s an extradition-relevant problem with relying on those: the standard of proof in prosecuting Canadian regulatory offenses is categorically distinct from the same activity as described in a criminal statute here. Indeed, the difference can be so basic, it can constitute a barrier to extradition.

    I’m still thinking thru this at the ‘gross’ level, so this could be too broad, but anyway: 1. All offenses committed in Canada are either criminal or regulatory. 2. Regulatory offenses committed in Canada fall into two broad categories: A. where there’s some intention involved on the part of the person being prosecuted (I’ll call those R1 here.), and B. those in which the intent of the person being prosecuted doesn’t matter (in Canada those are called “strict liability”; I’ll call them R2 here.).

    In a lot of R2 offenses, most for all I know, there’s no ‘right to remain silent’. That’s also the case with some R1 level offenses, with the distinctions I’m pretty sure being the head waters for some very lucrative attorneys’ bills.

    Put another way, the ‘right to remain silent’, which is embodied right in Canada’s constitution, 1. applies at all stages of all ‘criminal’ level offenses, 2.A. generally applies to at least the prosecution stage of R1 level offenses (tho not necessarily to the investigation and charging stages), and 2.B. applies only very narrowly & very technically to aspects of the prosecution stage in R2 level offenses.

    That might be important because the U.S. has to apply to the Canadian government for extradition out of Canada, and then the Canadian government has to send in lawyers to the court that has the judges who decide on applications for such orders – being the Federal Court of Canada, a court that’s actually outside the regular criminal law offenses / civil law claims system.

    The FCC was originally set up to deal with things like private interests suing the federal government, disputes over federal tax bills and liability, patent & trademark challenges, and enforcement of international and federal-provincial jurisdictional disputes, largely in commerce & trade. It’s also the court to go for judicial review of deportation orders and for hearing extradition applications because those engage international borders & treaties.

    Now, the judges that hear extradition applications are required under the terms of the applicable treaty to determine whether the behavior that the applying country is alleging qualifies as criminal in the deciding country, i.e. is in fact an offense that’s roughly ‘comparable’ to some offense in Canada. And given the far more draconian penal consequences in this country (Canada doesn’t have the death penalty, nor does it have consecutive life offenses, nor does ‘life mean life’ there, AOT), it can be a pretty lively issue.

    I’ll add this further caution: the Canadian security forces have a very, very, very bad track record with the Canadian FCC, not least owing to a number of pretty horrifying (for Canada at least) cases occurring during the GW Bush administration. And in the time since the Canadian security policing service (“CSIS”) was founded, taking over that role from the RCMP, CSIS in particular has managed to build up a lot of bad will with the FCC.

    IOW, I incline towards recommending against assuming that getting Baratov extradited from Canada to here is a given.

  5. generalwarrant says:

    emptywheel Michigan winter end requiem: 3 tart Rhubarb/King/small strawberry pies, 5 pints of splendid winter pickles made w NatSec herbs and spices specially grown in twitter garden w suggested replies of CIA spices and alt reality jars to store and disseminate at later Irish family fest 3/17. Celebrate #potato famine analogy. Meanwhile fortune cookie say… meh.

  6. qpl23 says:

    EW! An uninformed reader could easily come away from your seriously unpatriotic writing thinking that the US of A is in virtual lockstep with the Russians in their hacking efforts, separated only by single figure factors from Kremlin crackers in compromise counts!

    Why no mention of the WebCam Gap?!

    Never let it be forgotten that NSA/GCHQ lead the world where it concerns Yahoo! webcam monitoring. 1.8 million Yahoo users in 6 months alone, Marcy! Facial recognition! 3%-11% of images captured with “undesirable nudity!”

    I’m only trying to help. Continuing to omit mention of the Webcam Gap will inevitably lead to accusations of being squishy-soft on Putinism, EW, and no-one wants to see that!