Episode 3—Good morning, dark web

Breach podcast - Episode 3
 

Featured guests include:

Nicholas Carlson
Nicholas is the global editor-in-chief and chief content officer at Business Insider. He's also the author of "Marissa Mayer and the Fight to Save Yahoo!" Carlson's coverage of Yahoo won Digiday's award for Best Editorial Achievement of 2014.
Twitter: @nichcarlson

Andrei Soldatov
Andrei is a Russian investigative journalist and co-author of "The Red Web: The Struggle Between Russia’s Digital Dictators and the New Online Revolutionaries."
Twitter: @andreisoldatov

Harri Hursti
Harri is a data security expert and one of the world’s leading authorities in the areas of election voting security and critical infrastructure and network system security. Harri is a recipient of the prestigious EFF Pioneer Award for his work on electronic voting security, featured in the HBO documentary "Hacking Democracy."

Dr. Gavin Hales
Gavin is a Lecturer in the Division of Cyber Security at Abertay University. He covers topics like digital forensics, internet of things security and software development.
Twitter: @gmhales

Katie Moussouris
Katie is CEO and founder of Luta Security. A noted authority on vulnerability disclosure and bug bounties, she developed bug bounty programs for Microsoft and the US Department of Defense. She’s also our favorite hacker.
Twitter: @k8em0

Damon McCoy
Damon is an assistant professor of computer science and engineering at New York University's Tandon School of Engineering.
Website: http://damonmccoy.com/

Dennis Dayman
Dennis is chief privacy and security officer at Return Path. He has more than 20 years of experience combating spam, security/privacy issues, data governance issues.
Twitter: @ddayman

Daniel Clements
Dan is an IT cybersecurity consultant who has worked with many three-letter agencies. We won’t say more than that.

Amy Knight
Amy Knight is a historian of the Soviet Union and Russia. She has been described by The New York Times as "the West's foremost scholar" of the KGB. Her most recent book is "Orders to Kill: The Putin Regime and Political Murder."
Twitter: @aknight613

Arthur Lucchesi
Arthur is a Network Engineer with Layer 8 Security, LLC. He has more than twenty years of experience with network administration and information security.

Ben Johnson
Ben is CTO and co-founder of Obsidian Security. He previously cofounded Carbon Black and most recently served as the company's chief security strategist.
Twitter: @chicagoben

Breach Episode 3 - Transcript

 

ALIA:

I'm gonna pitch to Bob the start of someone's day.   So, you wake up, you get your coffee or your energy drink.  And you put on your favorite music to get you through the next few hours of work, you check your email you make sure you're prioritizing the right tasks today, then you log on, you crack into a database with 50 million users, and you sell it.  And somewhere out there a Fortune 100 CEO, a CISO, and a whole team of lawyers are about to have the worst week of their life.  But for you, it's a great day to be on the dark web.

 

BOB:

That’s a great story, except it almost certainly happened at like three in the morning.  The energy drink part is quite realistic. 

 

ALIA:

So that wasn't totally wrong.  You think you think that that's pretty maybe a legitimate start to hacker’s workday.

 

BOB:

Yeah except for this: one of the things that makes hackers both different and I I think admirable, depending on how they use their skills, is their singular focus. So it's not as if they wake up during the day and decide I'm going to hack Yahoo today and hopefully I'll get it done by my morning break.  They’re trying 100,000 different things, using automated tools to probe all sorts of places, and they might have a hot lead over here. And then they’ll relentlessly attack a place, often in these sort of caffeine or energy drink infused, 20 hour hacking sessions.  They might be working with another friend or two online you know, chatting in a window while they’re discussing techniques or whatnot. and then the success will inevitably come in the middle of the night.  And then all the sudden the rush is certainly akin to something like the rush you get from a pharmaceutical high.

 

ALIA:

So the moment I described to you then, that start of that day, was more like a moment that that person had been working for for who knows how long, maybe even maybe even years.

 

BOB:

Certainly could be years yeah yeah.  Maybe I'm jumping the gun, but we have two hacks we’re talking about.  And what I just described to you sounds to me like the big hack, the 3 billion hack.  Somebody was probably, as often happens, sending out probes to every single Web server they could think of, and looking for a vulnerability that worked.  And ding ding ding they have a hit, ‘oh turns out it’s Yahoo, great,’ but it could’ve been anybody.  The Russian hack on the other hand was clearly targeted, and that's one of the reasons that that indictment is so chilling to me, is clearly it seems those folks were instructed specifically to attack Yahoo, and within Yahoo specifically to attack specific individual human beings.  They were looking for a needle in a haystack, and so they were probably hired to do a specific job.  In which case your metaphor might work better.

 

ALIA:

Waking up, turning on your computer, a specific target with a deadline. 

 

BOB:

They might even have to show up at meetings, with briefcases and suits on, to explain what they're going to do.  And professional hackers were involved it seems in the Yahoo hack, the Russian Yahoo hack.

 

ALIA:

So I might've been right on point, if we were describing the Russian Yahoo hack.

 

BOB:

Something in me tells me it still happened at three in the morning.  Otherwise, I think you're probably- you’re probably on to something.

 

ALIA:

This is Breach, a podcast investigating history's most notorious data breaches, brought to you by Carbonite, how businesses protect their data.  I'm Alia Tavakolian and I’m falling down this wormhole with cybersecurity journalist Bob Sullivan.  He is the cyber Han Solo to my Chewbacca.  We’re here in episode three of a series.  If you haven't listened to episodes one and two, what are you doing?  Go back, listen from the top, I’ll be here when you get back.

 

MONTAGE/THEME

 

In this episode of Breach, we’re going to take you into the basement, into the boiler room, into a place called Center 18.  We’re going to do our best to get to the bottom of what it means to be a hacker.  Who are these people who prowl the dark web?  Specifically, who were the hackers behind Yahoo and why did they do it?

So Bob, what are hackers like?  Like,  what's the profile of a hacker?

 

BOB:

Hackers have an irresistible curiosity for how things work.

 

KATIE:

A hacker is someone who is boundlessly curious, and has figured out ways to use computers and networks in ways that they might not have been designed for in the first place.

 

ALIA:

That's Katie Moussouris, the penetration tester you've heard from in earlier episodes.

 

KATIE:

I'm of the era of the very first generation of hackers on the Internet.  It wasn't a profession back then.  I remember going into the computer lab in my high school, and we all had Tetris loaded up on there, and I discovered that if you answered yes to the question at the very beginning, asking if a joystick was present, if you said yes and there was no joystick, it would slow down the game to a crawl.  So I went around the computer lab and I basically bumped everybody's high scores, but I wanted to make it obvious that I had hacked it, and so you know I kept instead of a regular username for the high score of like a million points, I would be like ‘I hacked this this terminal, terminal hacked by Katie, like duh duh duh duh duh’ and everything, because I wanted everyone to know that I had figured this out.

 

BOB:

One of my earliest memories was taking apart flashlights, much to the annoyance of my father.  I loved to discover I could unscrew things and pull things apart, and that's just the way that hackers look at the world.  First thing they want to do when they see something is how do I take it apart.  And then if I do take it apart, what interesting things can I do that are beyond what it seems- what its designers seemed intended for it to do. 

 

KATIE:

That is the that is the basic definition of what a hacker is.

 

BOB:

But the second thing to know about hackers, is this incredible ability to focus and to just scratch an itch and scratch an itch until they succeed.  I think that is probably what sets apart most computer hackers from civilians, that they can stay on a task and on a problem for hours and hours at a time, even if it's something that seems trivial.  But they will not be defeated by the technology, they're gonna win. 

 

KATIE:

What they do with those special powers and those insights, is what defines whether they are a good hacker or a criminal or something in between.

 

ALIA:

I feel like  I hear so often that the term hacker is synonymous with crime, why is that, does it have to be that way? 

 

GAVIN:

It’s because a lot of people see sort of you know hacking and cybersecurity in the context of films and TV and it’s not always the most realistic shall we say.

 

ALIA:

Well-

 

GAVIN:

Except Mr. Robot, which is very very good.

 

ALIA:

This is Gavin Hales.  He's an educator, working with one of the first universities to have a degree in ethical hacking.

 

GAVIN:

So a lot of people seem to think ‘well, hacker’s quite a negative term.  Are you going to sit there and hack into people’s accounts and stuff like that?’  No.  So what we teach is is legal hacking, white-hat hacking it’s called.

 

ALIA:

Hackers like Gavin are training a whole generation of these white-hat hackers who go on to get jobs like-

 

GAVIN:

Penetration tester, or pen tester for short.

 

ALIA:

That’s what Katie does.

 

GAVIN:

And what that is is it’s somebody who’s been employed by potentially a cyber security company and they go and test other companies’ security.

 

ALIA:

Or maybe they're wired like Gavin.

 

GAVIN:

There’s then people who also have an interest in software development, kind of like myself who don't necessarily want to be trying to break into systems all day, and might focus on helping build software in a secure manner from the ground up.

 

ALIA:

But there are plenty of hackers that don't take the white-hat route.

 

KATIE:

Organized crime clearly got into Internet crime fairly early like maybe a decade or more ago, because they realized that ‘wait a minute, we can rob banks without guns, hold the phone you know.  We would like to rob banks without guns please.’  Because in my day, in my day, when when we were all learning to hack, one there were no banks on the Internet.  So even if any of us were tempted to do so, there was no opportunity for that crime.  So really to quote- to quote the famous hacker manifesto “our crime was curiosity.”

 

ALIA:

If you’re a hacker, and your tireless focus/imagination has led you to crack your way into some information, you still need somewhere to sell it.  Which brings us to the dark web.

 

KATIE:

Well, the dark web is really a name for all kinds of different services that are not usually browsable by your regular web browser.  Usually you need a special kind of web browser to get to the dark web.  So once you're there, you may see all kinds of different services and and people selling things.  So typically, people are selling anything from illegal drugs, to human beings, to data, and passwords, and credit card numbers, and things like that.  So effectively it's kind of a wild West marketplace, that you kind of need to know the secret handshake to get into.  And once you're there, you could pretty much buy and sell anything. 

 

ALIA:

Somebody described it to me as the the upside down of the Internet. 

 

KATIE:

Oh God.  Yeah, that’s absolutely accurate. 

 

BOB:

To you, it would look a lot like scenes you’ve seen from the Chicago Board of Trade, where there’s people yelling prices of pig futures and things like that.  There are essentially stock exchanges for stolen data.  These people are so sophisticated, they even have customer service.

 

KATIE:

These days, people who are doing criminal trafficking of breached data, are not necessarily the same hacker who got access to the data.  There's been a lot of stratification in the world of online crime since the beginning of the Internet.  So, I mean, you know, essentially how the data got there could be directly from the hacker who obtained it, or it could’ve it could literally be a reseller situation.  These things have been commoditized to that to that point.

 

ALIA:

I don't know what I was expecting of the dark web, but I wasn't expecting it to be so organized.  And that's where the Yahoo data was initially found, after the hacker ‘Peace of Mind’ said he had Yahoo info for sale.

 

BOB:

He said he had 200 million Yahoo passwords, and he was selling them for under $2000.

 

ALIA:

But again, what's so unusual about the Yahoo hacks, is that we have an indictment, which gives us information we almost never have with a hack: who the alleged hackers were behind the keyboard.  And even more surprisingly, the Yahoo hack doesn't just indict individual Russians, it specifically ties them to the FSB.

 

ANDREI:

And it’s a very large organization, it’s got many thousands of people, and it’s a direct successor to the KGB.

 

BOB:

When we talk about this Russian conspiracy, we have to be very precise that these are allegations by the US government against Russian actors, a couple of whom also worked for the FSB or the Russian government.  But that doesn't necessarily mean we can make the leap and say the Russian government hacked Yahoo.  We have to be precise about that.

 

ALIA:

That makes sense.

 

BOB:

These are allegations.  You know. 

 

ALIA:

Alleged. 

Anyways, we have four characters named in the indictment, with alleged connections to or alleged orders from Russia's FSB, or Federal Security Service.

 

ANDREI:

And it’s a very large organization, it’s got many thousands of people, and it’s a direct successor to the KGB.

 

ALIA:

That’s Andrei Soldatov - he’s a Russian journalist based in Moscow, so he’s very busy, and also in a pretty high-risk job- so we couldn’t get him in studio, but he was kind enough to hop on the phone and give us a Russian perspective. 

 

ANDREI:

The FSB, the Federal Security Service is the main and the largest counterintelligence, counterterrorism agency in Russia.  And with Putin in power, it became the most important security agency.

 

ALIA:

So how is it different from the KGB? 

 

ANDREI:

Well, after the collapse of the Soviet Union in 1991, the KGB was split in different parts and the FSB finally emerged as the biggest agency.

 

ALIA:

So then government agencies are no longer under Communist control, but as Andrei explains, this first government under Yeltsin, failed to produce any democratic control or parliamentary control, or any way the FSB could be held accountable by the media or by society at large.  I asked if they’re closer to the USA's FBI or NSA but-

 

ANDREI:

I don’t think it’s actually comparable, because these guys they have a very distinctive culture. 

 

ALIA:

Less of an agency, more of a family business. If you were currently serving in the FSB, Andrei explains, you would most likely be able to trace your relatives back to the KGB of the 50s and 60s. You didn’t interview to join the FSB, you were tapped on the shoulder by your brother or uncle.

 

ANDREI:

So it’s quite normal to be a bit attached to this system.

 

ALIA:

A system that according to Andrei is built around counterintelligence.

 

ANDREI:

Counterintelligence.  In a way, it means control.

 

ALIA:

Counterintelligence used to be about keeping American spies out of Russian banks or out of various Russian industries. 

 

ANDREI:

These days, of course, it’s not about spies, it’s about control.

 

ALIA:

So the FSB has different counterintelligence units that are no longer just about keeping the US out, but exist to infiltrate and control many different parts of Russian life.  The FSB has the right to send agents inside any Russian financial institution or big business, just to keep them in line.  And in 2002, Putin even gave the FSB power to spy on the GRU, the military agency.  So the FSB is in charge of controlling things in the Army. 

 

ANDREI:

And of course the GRU is not very happy about it.

 

ALIA:

It just sounds to me like the FSB is like an octopus with tentacles on everything. 

 

ANDREI:

Yeah, absolutely.

 

ALIA:

So we have this giant agency, the FSB, with power all over the place.  And inside the FSB, is a special division in charge of cyber activity. 

 

ANDREI:

And officially Information Security Center is in charge of hunting down cyber criminals.

 

ALIA:

And this is where our story begins: the Center for Information Security, A.K.A. Center 18. When we started this project, I always pictured Center 18 as this buzzing modern complex, giant ominous architecture, servers on servers, perhaps an omniscient cyborg submerged in goo, and lots of people wearing sunglasses indoors.

 

ANDREI:

You mean the information security building?  Yeah, it’s a it’s a ugly rectangular building.  And it’s gray.

 

ALIA:

While it may not look very cool, Center 18, the Information Security Center, plays an incredibly important role. While the FSB agents at Center 18 are in charge of gathering cyber intelligence online, they’re also in charge of hunting, tracking, and prosecuting cyber criminals. So imagine you’re working at Center 18, in Russia which has a huge community of hacking talent, and your job is to: identify and prosecute the most sophisticated local hackers AND to pull off sophisticated hacks.

 

ANDREI:

It means that it makes this unit uniquely positioned to recruit these hackers, because they are in charge of sending them to jail.

 

ALIA:

And those criminal hackers’ actions wouldn't necessarily be traced back to your work at Center 18 since, ostensibly, you’re busy prosecuting them. And the local hackers aren’t in any position to disclose anything you’re doing at Center 18.

 

ANDREI:

Because they understand that they are completely under control.

 

ALIA:

A pipeline of hackers who can accomplish your goals without incriminating you.  And best of all, you have control.

 

ANDREI:

That makes hackers, real criminal hackers, so precious.

 

ALIA:

Which leads us to Yahoo. 

 

ANDREI:

To be honest it was the very first time, the very first case when we see, when we see an FSB officer recruiting a Russian hacker to do something, in this case against Yahoo.   The problem here, and just to give you another layer of complexity-

 

ALIA:

Oh good, another layer of complexity.

 

ANDREI:

Whether he acted as just a guy, a corrupted guy, or he was (active) because he was ordered to recruit criminal hacker.

 

ALIA:

In other words, in the case of the FSB using Center 18 to recruit hackers to breach Yahoo, it's hard to tell who started it.  Who recruited whom?  Who was going to go to jail if they didn't do it, or was already hacking into Yahoo and Center 18 found out and wanted to use it?

 

ANDREI:

The biggest problem is to understand and to identify a final mastermind. 

 

ALIA:

More on how we might go about identifying a criminal mastermind in a minute.  But first, we’re going to take a quick break, so Bob can show me how to surf the dark web.  Do you know how to do that?

 

BOB:

Yeah, but I’m not going to show you. 

 

ALIA:

Why not?

 

BOB:

Because then you’d become a hacker.  It’s a lot easier way to make money than the way you’re making money right now, let me tell you. 

 

ALIA:

What if I want to become a hacker?  I kinda do.

 

BOB:

You’re on your own.

 

JANIELLE:

Dear Hackers,

Hi, my name is Janielle Kastner, but you know that already.  I’m assuming if you’re interested in poking around my inbox, it’s because of my work on Breach.  I hope you like what I’ve written, or at least appreciate my attempt to lend a narrative arc to the convoluted story around the Yahoo hacks.  I try and find an empathetic route into complicated human situations and celebrate the twisty, lovely, dark, honest parts of our shared human experience.  I have nothing but respect for your line of work, reverence really.  I think it would be extraordinary to have that kind of power, which reminds me of what Voltaire/Spiderman’s uncle Ben said: ‘With great power, comes great responsibility.’  This brings me to my point.  Here is what I ask of you responsibility wise: please don’t tamper with my creative work.  I try to back it up frequently, but I’m not great at that, and would be so upset if I lost a rewrite of a script, whether Breach or otherwise.  Honestly, at this point, I assume much of my data is out in the world for the taking.  I’ve checked the ‘accept terms and conditions box’ so liberally, have eaten every cookie there is, am certain I’ve been phished, not even spearphished, straight-up dumbly trusting phished.  Oh, and I have a good credit score, against all odds.  Could you leave that be?  I am so poor.  It’s really helpful to have that good credit score, so people will rent to me, because my income, or lack thereof, freaks landlords out.  That is all.

Thank you in advance,

Janielle 

 

ANDREI:

The biggest problem is to understand and to identify a final mastermind.  Who actually was behind this operation?  That’s the biggest problem.

 

ALIA:

Maybe we don't know the final mastermind, but we have four alleged criminals outlined in the Russian Yahoo indictment.  First is Igor Sushchin.  He's the first of our indicted four.  We need a theme for indicted four.

So Igor Sushchin is the most mysterious.

 

BOB:

Yeah, so we know he is described as an FSB officer, but it doesn't seem that he worked for the Center for Information Security.

 

ANDREI:

Well with Sushchin, it seems to be another FSB officer.  But with him, to be honest, it’s very difficult to understand anything about his role, because he is officially not part of the Information Security Center.

 

BOB:

Yeah, there’s not much we know about him.  But we do know that he worked information security at Renaissance Capital.  It sounds like his job was to monitor employees there.  But he was also in some sort of management role at the Russian FSB.

 

ANDREI:

He probably was attached to this company to supervise things there.  Or probably it was a kind of intelligence cover for him.

 

BOB:

So, in other words it doesn’t seem like he worked in the same department as Dokuchaev at the FSB.

 

ALIA:

One other thing we also know about him, is that he told Dokuchaev to direct hackers for the Yahoo hack.

 

BOB:

Yes, he appears to be Dokuchaev’s boss in this operation.

 

ALIA:

So, he's kind of like the head suit. 

 

BOB:

Yeah, he’s management.

 

ALIA:

Dokuchaev being Dmitry Dokuchaev.  Dmitry Dokuchaev is the hacker turned kind of suit, allegedly leading the attack on Yahoo from Center 18, the Information Security Service within the FSB.

 

BOB:

So he's interesting, because he's probably the most classic hacker of this group.  In other words he started life as a traditional credit card trader, probably as a teenager, and apparently worked his way up to the point where he's an operative of, allegedly, the Russian FSB.

 

ANDREI:

Actually you cannot just join the FSB, you should be recommended.  And in many cases you are recommended by your relatives.  But for Dokuchaev it was different.  Dokuchaev was unusually a hacker.  He was a kind of criminal hacker, and it looked like he was recruited by the FSB.  Then he was promoted from say, from from being an asset an agent, to he actually he became an officer of the FSB.  It’s very unusual, I would say, and he became very successful.

 

BOB:

He was actually relatively famous in the carder world, he had lots of nicknames.  And then at some point he I guess upped his game and then started to work at the FSB.  Other things that are important to know about Dokuchaev, right after the Trump election there was a serious shakeup in Moscow, and it was right after Obama had announced sanctions because of alleged Russian interference in the US election.  A couple of folks were arrested by Russian authorities and charged with treason.  One was a security head at a huge international Russian antivirus company.  That was the more famous of the two, but Dokuchaev was the other one.  It’s not clear why he was arrested.  He was arrested and allegedly charged with treason there.  There is some suspicion that he may have had a role in telling the US what Russia did during the election. 

 

ALIA:

So he might've been a double agent?

 

BOB:

People think he might be a double agent.  We don't know, he's locked up in a prison right now.

 

ALIA:

So nobody from the press, nobody at all can talk to him. 

 

BOB:

As far as we know, he hasn't spoken to anybody.

 

ALIA:

That's fishy.  Yeah that seems really convenient that he's in prison where he can't speak to anybody, because even if he talked to the US, nobody can prove it.

 

BOB:

Sometimes prisons are the safest place for people.  He might be safe from Russian authorities, he might be safe from US authorities, he might be safe from other people he's angered in the underground.  But where he is, he's unavailable to talk about what he did, and that's clearly in someone's interest.

 

ALIA:

If Sushchin is our management, if we can kind of stay in that sort of business lingo for a second, what is Dokuchaev? 

 

BOB:

He's the middle manager.

 

ALIA:

He's middle-management.

 

BOB:

Yeah, he's he's taking orders from Sushchin and he's giving them to other people.  So he is the connection between the FSB and the hacking underworld.  He came from that world, so he clearly has connections there, so he's managing the outside hackers. 

 

ALIA:

He's the man for the job.

 

BOB:

He’s giving marching orders, specific marching orders.

 

ALIA:

And the hacker getting these marching orders from Center 18 is Alexsey Belan.

So Alexsey Belan, he's our main Yahoo hacker.

 

BOB:

He’s a bit of a legend in the Russian hacking world.  What we know is that he's been involved in some really big profile attacks, not just Yahoo, but dating way back to one of the big retail hacks.  He was probably behind the Zappos hack for example.  He may have been involved even in hacking the Obamacare exchanges right after Obamacare launched.  And there’s a whole other series of hacks.  Somebody added them all up and suggested that he has been connected to the theft of 1.2 billion credentials in his hacking career.  He's also interesting, because on a couple of occasions he was nearly, well he was in custody, and got away.  So at one point he was arrested in Greece and indicted, but in 2013 mysteriously escaped and no one seems to know how.  We believe that he is in Russia, but we don't know for sure.  He's probably there, pretty well protected.  In the underground he has a whole long set of aliases, A.K.A., M4G, Magg, Fedyunya, Quarker.

 

ALIA:

What does Fedyunya mean?

 

BOB:

I don't know, sorry.  You finally got me.  All right.

 

ALIA:

That’s right, you’re gone, you’re fired.  

So we tried to figure out what Fedyunya actually means, but we’re still just as clueless as we were.  Sorry, Bob.  So he's highly skilled, I mean he’s so experienced, again he's kind of the man for the job.  I mean I'm getting the sense that we’re building a dream team. 

 

BOB:

This is maybe an Olympic team of hackers involved in this project. 

 

ALIA:

I mean, we’re talking about champions here.

 

BOB:

Yeah yeah and people with experience and people who've shown their wares, and also in the case of Alexsey Belan at least, people who know how to play the hacker game, which is you take an assignment like this and somehow you get compensated for doing it, but then you also make a little bit of money on the side.  So Alexsey is clever enough that while he was rooting around Yahoo emails, he wasn't just sending the data back to Russia, he was also using it in this clever complex email spam scheme, where he would email people and he would hack search results so that his Viagra links would come up at the top, and so he would make advertising commission.  So he was kinda playing both sides on this too. 

 

ALIA:

God, so like while I'm getting paid for my time here at my day job, I should also use the printers to print out my headshots and résumés. 

 

BOB:

That's an interesting metaphor.

 

ALIA:

I've never done that.

 

BOB:

I think a better example would be hiring the company printer out to print jobs for other people.  Okay so, I think the really important point about Belan, is we need to understand that he's much much more than a professional spammer.  Although he is good at that, he's the guy who when it came right down to it did the real hacking work.

 

ALIA:

Belan is a very impressive hacker, and the indictment outlines several methods he allegedly used to hack his way into Yahoo.  The first, we've already discussed: phishing and spearphishing. 

 

KATIE:

Ah, phishing and spearphishing, these are similar terms.  Phishing is when an attacker sends out something like an email.  That email is forged and tricks the user into clicking on something.  Spearphishing on the other hand is much more targeted, users in a network who are going to be more valuable to compromise than others.

 

ALIA:

This is the most basic bread-and-butter way that Belan would first work his way into the Yahoo network.

 

BOB:

He used a technique that's called cookie minting, which for starters just shows that this is much more serious than your run-of-the-mill hack. 

 

ALIA:

Cookie minting.

So you probably have a sense of what cookies are.

 

KATIE:

So you've got a legitimate session, and your browser is basically sending these cookies you know back-and-forth to make sure that you're still logged in when you're supposed to be.

 

CARSON:

Hey it’s Carson.  Don't log me out, I'm still here shopping online for cute dog toys. 

 

ALIA:

Or if you x’d out of a website but wanted to come back, the cookie would make sure you didn't have to enter your password again, because you were just there an hour ago. 

 

CARSON:

Hey it’s Carson.  Remember me?  I was shopping online for cute dog toys and now I’m back.

 

BOB:

Well he developed a way so that he could manufacture those cookies for almost anyone, so he could trick Yahoo into thinking whatever computer he was at was anyone else's Yahoo account computer.  So it was as if he could show up on your account and the remember me box would already be checked and you wouldn’t need to enter a password.  In other words he could mint cookies and read anyone's email.

 

KEITH (AS CARSON):

Hey it’s Carson.  Remember me? I was shopping online for cute dog toys, and now I'm back.

 

ALIA:

And if I changed my password would he automatically get that update?

 

BOB:

Well yes, for the reason that comes next, which is in addition to cookie minting, he also had access to Yahoo's user database and their account management tool.  And so he probably was getting real-time updates.  And so even if you had a sense something might be wrong, and you changed your password, or you added maybe even a two factor thing, he would know that too.   And he could change them or he could just play along with their rules and get into your account.

 

ALIA:

The user database is what functions as a searchable database of millions of emails.  The account management tool does exactly that, stores all the info for managing your account.  In other words, you could change your password if you were worried you'd been hacked, and that new password you set would quickly be updated and stored on the account management tool, which Belan had full access to.  Or you could update your security questions, and Belan could control F them by searching through the user database.  And then there was something called a log cleaner, which Belan used to cover their tracks and erase any Yahoo logs of network activity. So I as a user was pretty much powerless.

 

BOB:

You were completely powerless.  The assumption that you had that you were engaged in some kind of private communication was wrong.

 

ALIA:

The work Belan was doing, pulling off sophisticated cookie minting processes and accessing the user database and AMT, coordinating with Dokuchaev and Sushchin on specific targets, all that feels really different from the final one of the four indicted Yahoo hackers, Karim Baratov. 

Devious Music Cue

That theme isn’t really right for Karim, the 22-year-old Kazakh in Toronto, who unlocked Gmail accounts for Dokuchaev.  Karim’s the only one in US custody.  He's currently in a California state prison, where he is awaiting sentencing.

If I'm looking at envelope number one and envelope number two, I would think two different people sent me these letters. 

And where he’s also become my penpal. 

Because the handwriting is totally different, purposefully.  He acknowledges this in the letter. 

 

BOB:

He has alias handwriting?  Wow.

 

ALIA:

When I open the package, the envelope here, Bob, pops out first this little piece of origami.  It's pink, it’s a star.  If you look closely you'll see that it's a character from SpongeBob SquarePants.  I believe his name is Patrick.  And on the back it says ‘made in jail.’

 

BOB:

It's one-of-a-kind. 

 

ALIA:

It's one-of-a-kind.  Then, we have a piece of paper that's folded up, and it says “poem I wrote as a joke.  Please read the letter first.”  Then there's this letter.

At the time of recording, Karim has not given me permission to disclose anything we’ve talked about.  It's nothing too groundbreaking, but privacy is privacy, not that he was a big respecter of privacy.  He made his money as an email hacker for hire.

 

BOB:

He had a website up that had notes like this: ‘quality mail hacking to order, without changing the password.  The main advantages of working with us, we guarantee 100% confidentiality, hacking made without prepayment, first hack then payment.’ 

 

ALIA:

So he's like an entrepreneur, he’s like an entrepreneur hacker.

 

BOB:

Yeah, I am impressed by the fact that he accepts all of these various payment systems so. 

 

ALIA:

Wow.  Karim’s lawyers said that yes, he hacked around eighty accounts, but he didn't know he was working for Russian agents connected to the Yahoo breach.  Other reports explain that Dokuchaev reached out to Karim as a hacker for hire, used the alias Patrick Nagel, and asked Karim to hack into emails for the low rate of $100 per account.  You could paint a picture where Karim was freelance, working ad hoc, completely unaware his hacking is connected to a Russian conspiracy, or even a Yahoo data breach.  None of the emails he hacked were even Yahoo addresses.  It's a picture I wanted to paint. 

 

BOB:

Yeah he's the- he's the mercenary here.  He's a-

 

ALIA:

He's the mercenary in the bar at Star Wars.

Oh my God, ‘at Star Wars.’  It’s not a theme park.  I promise I know what Star Wars is.  And it’s a cantina.  Come on, Alia.  Jesus.

 

BOB:

Yes.  Yeah, he’s the- he’s the mercenary here.   He's a talented guy and he'll probably work for anyone who pays him, and-

 

ALIA:

He's young.

 

BOB:

He’s young.  And it's pretty exciting to have that rush we talked about in the middle of the night, hacking into some important person’s Gmail account on order.  But it’s an even bigger rush if someone pays you enough money so that you can end up buying $50,000 cars with the money that you make.

 

ALIA:

And a house, mortgage a house as a teenager.

 

BOB:

So, he took orders to hack into specific Gmail accounts.  So, we can presume that what happened was they gave him partial tools.  Here's a Yahoo account, here's a password even, here’s some other information; figure out, maybe using phishing, maybe using something else, how to get access to their Gmail account, one at a time.  And he got $100 for each Gmail account.  And as you just mentioned, he parlayed that into expensive cars and a house, so he must've hacked a lot of accounts at a hundred dollars a clip. 

 

ANDREI:

It’s quite interesting that this guy was so open about his lifestyle.  He posted lots of information about his luxury cars and he attracted a lot of attention, which again I don’t quite understand why he was not warned by his handlers to be a bit more cautious.

 

ALIA:

And now, he is sitting in a prison in Oakland California.  Oh Karim, sweet Karim.  I have such an affinity for Karim.

 

BOB:

You keep falling for your subjects.

 

ALIA:

Bob, I know it's like terrible right?  You’re not supposed to, right?  Isn’t that how that goes?

We’re gonna take a quick break, so I can go write another letter to Karim. 

 

CARSON:

And now it's time for hack facts.  Kevin Poulsen, former computer hacker, is best known for his hack of radio show phone lines in the 1990s.  Poulsen would hack the system and take over all the phone lines leading to a particular radio station, ensuring that he was the only caller to get through.  Now I personally would use this power to request Africa by Toto over and over again; Poulsen used this to collect radio show prizes.  Most famously, he won a Porsche, $20,000 in cash, and two Hawaiian vacations.  After being featured on an episode of Unsolved Mysteries, he was eventually caught by the FBI, after being recognized and tackled in a shopping center.  He served five years.  Poulsen is now a contributing editor for Wired magazine, and he founded Wired's ‘Threat Level’ blog.  This has been hack facts, because I guess we’re actually calling it that. 

 

ALIA:

Okay so I'm going to read through some of the instances outlined in the indictment, and maybe we can get a sense of their actual workflow.  ‘Sushchin also identified accounts to target that were associated with the Russian financial firm.  For example, in or around April 2015, Sushchin sent Dokuchaev a list of email accounts associated with Russian financial firm personnel and family members to target, including Google accounts.  During these April 2015 communications, Sushchin identified a Russian financial firm employee to Dokuchaev as the quote “main target.”  Also during these April 2015 communications, Sushchin forwarded to Dokuchaev an email sent by that “main target’s” wife to a number of other Russian financial firm employees.  Sushchin added the cover note quote “this may be of some use” end quote.’  So Bob, what- this Russian financial firm, Sushchin asked Dokuchaev to identify some accounts to target in this Russian financial firm.  Are we talking about the same Russian financial firm, Renaissance Capital, that Sushchin works for?

 

BOB:

In the indictment, when they refer to Russian financial firm, it appears that they are using that as a euphemism for Renaissance Capital. 

 

ALIA:

Oh, so in his own company, in the company he works for, he's asking-

 

BOB:

This reads as if, yes, he's spying on his own employees and their family members.

 

ALIA:

‘In another example between in or about December 2015 and May 2016, Sushchin directed Dokuchaev who in turn directed Baratov to obtain unauthorized access to the Google and other accounts of victims A and their family.’

 

BOB:

What strikes me about this passage, is again they’re not just hacking the targets, they’re hacking the family members, they’re hacking the wives.  Like you can see how this spiderwebs into an incredible sea of espionage.

 

ALIA:

‘December 21, 2015, Dokuchaev sent a cookie for victim B's account to Sushchin, who later sent Dokuchaev a report on victims A and B.’  What does that mean?

 

BOB:

That's just straightforward dossier creation.  And there's that word that's in the ether right now.  But what happened was they read all his email, and boiled it down to a couple of interesting pages, and gave the report back. 

 

ALIA:

Okay last one: ‘May 20, 2016, Belan minted cookie for same victim B account.’  Why?

 

BOB:

For some reason they needed a fresh one.

 

ALIA:

They changed the password? 

 

BOB:

They logged out, or maybe just Yahoo after a certain amount of time insists on you logging back in.  So they would have needed a fresh minted cookie.  What’s interesting about that is again let's look at the timeline.  It's happening over two years, but the hacking spans from December 2015 to at least May 2016.  So essentially for five or six months, they’re just reading all this person's email.

 

ALIA:

Anything that comes in and out. 

 

BOB:

This is one example of what we believe to have happened over and over again.

 

ALIA:

Of the roughly 500 million accounts the hackers potentially had access to, they only generated cookies for about 6500 accounts.  So what does that mean? 

 

BOB:

Well, that's the number that's in the indictment.  And when you're charging someone with a crime, you often don't necessarily include everything that you know, you just include all that you need to reach the level of a certain crime. 

 

ALIA:

So if we read in the indictment, they list tons of these specific targets, no names, victim A and B and the like, but in some cases it gets incredibly specific about their jobs.

Diplomat from a country bordering Russia posted in Europe, Minister of economic development from a border country, his wife, employees of US cloud computing company, senior officer at Russian webmail and Internet services provider.

 

BOB:

After that indictment was filed by the US government, Yahoo then came forward in early 2017 and said ‘actually, there were 32 million accounts that were accessed using forged cookies.’

 

ALIA:

So, I mean earlier when you said that the hackers when they hacked into Yahoo weren't looking for haystacks, they were looking for needles, to me that meant this was a hyper specific hack.  They were looking for specific people, specific Intel.  How does this new knowledge that they accessed 32 million accounts, which does not feel specific at all, change that?  Like is this still a hyper specific thing?

 

BOB:

I think the truth is it's both.  From what I know about a pretty standard Russian hacking technique, it would begin as this spycraft initiative, led perhaps by the government, perhaps not, but somebody is assigned to go after some very specific individuals.  It’s very narrowly tailored.  Also, I think critically, the more narrow, the less likely you are to be detected.  You leave fewer footprints when you're walking around the digital building.  So initially, it's about statecraft and spycraft.  Then once the access is used up for that purpose, as long as you're in there, you might as well monetize the thing.  And so then the hack expands and maybe other actors are invited in.  That does two things.  For one, of course you might as well make money while you can, so that's happening.  But also now you are flooding the attack with footprints, and that helps muddy the waters when it comes time to investigate.  And you know, one of the goals here if you were a state-sponsored actor: you would break in, take what you need, and then open the doors to the wolves, let the wolves in, and then you could say it wasn't us, look at all these other people that were in here. 

 

ALIA:

There is this list of different people that had Yahoo accounts or other accounts that were accessed by these hackers, right.  Like for example, we have the minister of economic development from a border country, his wife, a Russian journalist, a public affairs consultant, a Nevada gaming official, 14 employees of Swiss bitcoin wallet and banking firm. 

 

BOB:

You have a Russian journalist and investigative reporter working for Kommersant daily.  Even a- the senior officer at Russian webmail and Internet service provider is really fascinating.

 

ALIA:

Yeah, or an employee of a major Russian cyber security firm.  So, what could even just access to one of these people's account mean?

 

BOB:

Well, to play a game of hopscotch, imagine what you could learn if you had a senior officer from a Russian webmail service.  When you want access to a specific piece of information or a dataset, like every email from a Russian webmail provider, your goal as an identity thief is to identify who or what person under what circumstances would have access to that information, and then become that person under those circumstances. 

 

KEITH (AS ALEX):

Hi, it's Alex the Russian webmail executive.  Remember me?

 

BOB:

So, become that executive who could ask for the password to the user database.

 

ALIA:

Whatever these hackers wanted, whether the alleged Russian breach in 2014 to 2016, where they accessed 500 million accounts and cookie minted around 30 million, or the prior 2013 hack of 3 billion accounts, that we have no idea who did, the Yahoo hacks are still rippling through the hacking community.  Maybe now's a good time to mention, Spoke Media, our production company, was hacked too.  We were talking with two hackers.  They had agreed to go on record.  One of them I'd been emailing with, and the other one I had been talking to; I’d done a pre-interview on the phone with him.  And he talked to me for about 30 or 45 minutes.  And then, a couple weeks later, within days of each other, these two hackers wrote to me and said ‘I can't talk to you about this for unknown reasons.’  They both used that terminology.  And they both went dark.  Flash forward a few weeks later, it's the beginning of the year, and I'm looking back at that audio that one of our producers has gone through, from that hacker, from that phone call, and it's gone.  It's as if it were never in our file sharing database. 

 

BOB:

I think one thing that's hard to appreciate is because this is all digital stuff that we’re talking about, it feels sort of unreal.  But if you were having similar conversations say with CIA agents about something happening in a ground battle in the Middle East, you would expect that kind of behavior, right.  It really isn't that much different.  We’re talking about dangerous things.  You know we’re talking about powerful people, we’re talking about nationstates, we’re talking about a lot of interests that are money and beyond money, and it's not a game.

 

ALIA:

And the hack of 3 billion accounts, prior to the Russian breach, that still hasn't surfaced on the dark web. 

 

BOB:

Whoever stole 3 billion usernames and passwords has long since gotten whatever they want out of that, and now, well, there are two possibilities.  One is whoever it is is sitting on the data for the rest of time and maybe it's going to be used in an intelligence database.  The other option is they’ve wrung all the intelligence they need out of the data and then they’ve passed it on to the next group of hackers, who will do the same thing and monetize it in some way, and so on and so forth, until it sort of leaks from the very dark web, where nobody knows about it, on to what we all think of as the dark web, which is more like kids trading information or horse trading on semi-public places that we can observe.  And this data still hasn't really made it even onto that kind of gray dark web yet, which is concerning, because that means there's somebody who still finds value in it.  You know, one day somebody will probably offer 3 billion Yahoo passwords for sale, and then we’ll kind of know that the worst is over.  But the worst may very well not be over.

 

ALIA:

Whatever those 3 billion accounts were used for, whatever the Yahoo hacks were about for Russia, whatever they mean to the United States, it's clear they matter. 

 

BARACK OBAMA:

In early September, when I saw President Putin in China, I felt that the most effective way to ensure that that didn’t happen was to talk to him directly, and tell him to cut it out.  There were gonna be some serious consequences if he didn’t.  And in fact, we did not see further tampering of the election process.  But the leaks through Wikileaks had already occurred.  

 

BOB:

So, in response to Russian hacking of the 2016 election, President Obama ordered sanctions against nine Russian entities, including the FSB and the GRU.  They also took the time to sanction two civilians.  One of them, perhaps the world's most successful bank robber.  The second was a hacker, a hacker who knew how to get into large databases and make complicated cookies, so he could assume the identity of whoever he wanted.  That's our very own Alexsey Belan.  He was also sanctioned in that list of sanctions by the US government in response to the DNC hack.  So to answer your question, ‘what could someone do hacking all of these billions of Yahoo accounts?’  Maybe they can steal a lot of gift cards or PayPal accounts, or rummage through your emails to your old boyfriends, or maybe they can threaten the cornerstone of democracy.

 

ALIA:

On the next episode of Breach.

 

MICHAEL:

So if you had a senior official implicated in the Yahoo attack, it raises the question, ‘what did his bosses know, and did Alexander Bortnikov himself, the Putin crony going back many decades, was he also directly implicated in the Yahoo attack?’

 

BOB:

I mean your mind wanders to how useful would it be if you were trying to commit these larger nationstate hacks to have access to every Yahoo email ever?

 

MICHAEL:

Oh, I mean- it would be an enormous intelligence trove.

 

ALIA:

Can we get out the red yarn Bob? Like can we connect the alleged Russian Yahoo hack to the alleged Russian DNC hack and election interference?  Can we do that?

That's next time, on Breach. 

Breach is a branded podcast by Carbonite, in partnership with Midroll and Spoke Media.  If you like what you’re hearing, tell your friends.  Leave us a review.  Reviews are really important for some reason.  And if you’re a hacker, definitely don’t flood the podcast app with tons of glowing bot reviews.  We really don’t want you to do that.  If cybersecurity reporting was the Joker, Bob Sullivan is Commissioner Gordon.  Our show is produced by Alia Tavakolian, that's me, and Janielle Kastner, with associate producers Stephen Gardner and Carson McCain.  When Bob and I are in the studio, we’re recorded by Jared O'Connell.  Our show is mixed and sound designed by Mark Moncrieff.  The songs you hear are brought to you by APM Music.  Our executive producers are Alex DiPalma and Keith Reynolds, who is barely able to operate his MacBook Air, let alone hack into a major database and undermine democracy.  Special thanks to Gavin Hales, Andrei Soldatov, Harri Hursti, Jaime Leifer, Dennis Dayman, Carl Greenberg, NYU's Tandon School of Engineering, Damon McCoy, and Katie Moussouris.

 

BOB:

So, you're holding that SpongeBob-like creation in your hands.  Do you feel that it's made by the same hands of somebody who was involved in this vast Russian conspiracy?

 

ALIA:

No.  I'm holding something that looks like it was made by a child.  It's very sweet and silly.  This does not say Russian conspiracy to me.  This doesn't feel like a criminal's calling card.  This isn’t the Joker leaving a card in my hotel as a threat.

The U.S. Department of Justice indicted four defendants in connection with the Yahoo data breach—including two officers in the Russian Federal Security Service (FSB), a direct successor to Soviet-era KGB. The indictment alleges that the FSB officers protected, directed, facilitated and paid criminal hackers to access millions of email accounts.

In this episode of Breach, we dig deep into the U.S. government's indictment. You'll learn:

  • The identities of alleged hackers behind the Yahoo data breach
  • Why the U.S. believes there is a direct connection to the Russian government
  • How the hackers targeted specific individuals

Finally, you'll hear about Spoke Media, the production company who created this podcast—and got hacked in the process.
