Instead, Belan escaped to Russia, where the U.S. charges didn’t hamper his job prospects. Rather than handing Belan over to the U.S., Russia’s Federal Security Service (FSB) enlisted the man to help the agency hack into American Internet companies, including Yahoo! Inc.
The conspiracy, laid out in an indictment in Federal Court in San Francisco, reveals the internal workings of Russia’s state cyber-spying regime, implicated in alleged attempts to influence the U.S. election last year. Increasingly, it’s a system that capitalizes on a vast and talented pool of Russian-speaking cyber criminals, blurring the lines between profit and intelligence gathering.
"We believe that their technical capabilities are not where they’re purported to be and they’re using criminal hackers," said Jack Bennett, the San Francisco Division Special Agent in Charge of the Federal Bureau of Investigation’s San Francisco office. He spoke at a press conference on Wednesday.
Besides Belan, the U.S. indicted two FSB officials, Dmitry Dokuchaev and Igor Sushchin, and a second hacker, Karim Baratov, a Kazakh living in Canada. It’s a first for the U.S., which has never before indicted anyone from the FSB for cyber-crimes, said Edward McAndrew, a former federal cybercrime prosecutor and now co-chair of the privacy and data security group at the law firm Ballard Spahr LLP.
"It obviously comes at a very intense time in our relationship with Russia and its cyber activities," he said. "It also provides the public with fresh insight into the way that nation-state actors are enlisting cyber criminals of all types, from syndicates to lone wolves, to engage in sophisticated cyber campaigns."
The indictment offers a lot of new information about the hack into Yahoo in 2014 that affected some half a million accounts. Yahoo disclosed the breach last year, and pointed the finger at a "state-sponsored actor." The intrusion, along with a second, earlier hack that exposed even more accounts, has complicated Yahoo’s planned acquisition by Verizon Communications Inc.
"The indictment unequivocally shows the attacks on Yahoo were state-sponsored," Chris Madsen, an assistant general counsel for security and law enforcement at Yahoo, said in a statement. "We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime."
Belan, also known as "Magg," was born in Latvia but holds a Russian passport, according to the FBI. He has a fondness for hair dye, based on an FBI wanted poster that features three snapshots of the baby-faced hacker with three different-colored manes. The FSB recruited Belan in part by providing him with information that helped him avoid detection by law enforcement, according to the indictment. He quickly repaid his handlers with access to Yahoo’s computer network; by early 2014 he’d gotten them inside Yahoo’s system, and from there into the internal control center for Yahoo email accounts, the tool the company used to administer changes to accounts, like new passwords.
That allowed them to see things like recovery email accounts, indicating specific companies and institutions of interest to the FSB, which helped them zero in on which of the stolen accounts might be of most use. In November or December of that year, according to the indictment, he copied and exported a backup of Yahoo’s User Database.
The hackers then used the database to forge credentials, tricking Yahoo servers into recognizing them as an account holder who had essentially stayed logged in. The maneuver, appetizingly called "cookie minting," allowed them to read the contents of some 6,500 Yahoo accounts without even needing a password or username.
Proving yet again how difficult intrusions can be to detect, the hack unrolled through 2015 to the end of 2016. Many of the targets were Russian: journalists, employees of a Russian cybersecurity company, and officials, even someone described as a physical training expert working in the Ministry of Sports. (The Justice Department did not release names of victims, only general descriptions.) They also included 14 employees of a Swiss bitcoin banking firm, a Nevada gaming official, a senior officer of a major U.S. airline, a Shanghai-based managing director of a U.S. private equity firm, and the chief technology officer of a French transportation company.
The hackers got personal once they’d focused on a particular target, identifying spouses and children and sending malware-laden emails to gain even more information about their victims. Baratov, the second hacker, who lives in Hamilton, a city near Toronto, was apparently the phishing expert -- crafting emails that lured victims into giving up sensitive information. Baratov was paid to gain access to 80 email accounts, including 50 Google accounts, according to the indictment. The indictment doesn’t detail how the FSB recruited Baratov.
Belan, meanwhile, found opportunities to make some money on the side. While he gave the FSB access to Yahoo’s networks, he also used Yahoo servers for his own gain, manipulating search results for erectile dysfunction medication to send people to the website of one particular online pharmacy. That pharmacy paid Belan to drive traffic to the site, according to the indictment.
As much as the indictment reveals about the secretive hack, the allegations leave many unanswered questions: how the alleged FSB-led breach relates to the earlier, even bigger intrusion, in 2013, that affected more than a billion accounts; how Belan and co-conspirators got into Yahoo’s network to begin with; and how the FSB may have used the information they obtained.
Perhaps the closest precedent for today’s indictment is the 2014 case against five Chinese military hackers for spying against U.S. companies, including U.S. Steel and Alcoa. Hailed as a breakthrough at the time, the five remain beyond the reach of U.S. prosecution. This case shows more promise for real courtroom action; one of the suspects has already been apprehended.
Baratov appeared in a Canadian court on Wednesday, telling the judge, in a soft voice, that he planned to apply for bail but needed to find legal counsel first. He was taken out by court officers and will be in police custody until his next appearance, a bail hearing scheduled for March 17.
A Facebook profile belonging to a Karim Baratov showed the same young man pictured in the indictment. The profile features pictures of him standing in front of a large suburban home with several luxury cars including an Aston Martin and Mercedes. Both cars’ license plates match those mentioned in the indictment as property that is subject to forfeiture.
"We’ve reached the point that name and shame indictments are no longer sufficient, we really need to follow through with successful convictions," said McAndrew. "It’s important for private companies to see that more will come from their cooperation in these investigations than merely naming individuals in an indictment who will never actually see the inside of a courtroom. We need to put people in jail."
Belan remains at large in Russia. So does Sushchin.
Dokuchaev, who worked in the FSB’s information-security division, was detained in December by Russian law enforcement, on suspicion of having links to U.S. intelligence agencies, and may face as many as 20 years in prison if convicted on treason charges, Ivan Pavlov, a lawyer involved in case, said at the time. Pavlov declined to comment on Wednesday’s indictments.
Putin’s spokesman Dmitry Peskov, asked about the possibility of cooperation on the Yahoo case, told Bloomberg that Russia is interested in cooperating with U.S. against cyber threats. The FSB did not respond to a request for comment.
The FBI’s Bennett said that though the U.S. doesn’t have an extradition agreement with Russia, he was confident the three suspects would not remain at large. "These guys will travel one day somewhere. There are countries that have extradition treaties with the United States and we will take advantage of that," he said. "The world is a small place."