Spear-Phishing Attack Leads to 500 Million Yahoo Accounts Hacked

On Wednesday, March 15, 2017, the U.S. Justice Department unsealed a federal indictment of four individuals, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy.

The indictment alleges that two FSB cyber spies, Igor Sushchin and Dmitry Dokuchaev, hired and provided direction to two non-government hackers, Alexsey Belan and Karim Baratov, to carry out their spying activities against enemies of the state. The FSB spies charged Belan with Baratov with obtaining access to Yahoo email files for thousands of targets.

Belan and Baratov targeted Yahoo due to the sheer volume of email and other personal data available through various other social media sites that are owned by Yahoo. It is reported that they initially gained their foothold into Yahoo’s network through spear-phishing. Spear-phishing is a social engineering attack method that fools the user into clicking on a malicious link or opening a file with a malicious script that creates a hidden backdoor.

Once the hackers were inside Yahoo’s network they obtained access to a backup copy of Yahoo’s user database and other powerful internal tools such as Yahoo’s account management tool. They used their access over an extended period of time to steal information related to as many as 500 million accounts belonging to users all over the world. While the “hackers-for-hire” were engaged to steal email and other data related to thousands of specific targets of the Russian government, they used their access to obtain data on far more victims than they were charged to spy on.

The indictment has already led to one arrest. Karim Baratov, a Canadian and Kazakh national who lives in Canada, was arrested on March 14, 2017. Unfortunately, the others named in the indictment may never see the inside of a court room since they are Russian nationals living in their homeland, which does not have an extradition agreement with the United States.

This case brings many lessons learned to mind:

• Phishing is a major threat, but it can be mitigated in more ways than one. While training is a must, there are new technical capabilities, including email security tools, which can play a major role in preventing these types of attacks. Schneider Downs can help you with training and offers these tools to improve defenses.

  Identify the weaknesses before the hackers do. Regular penetration tests, that include social engineering, can identify issues such as human and technical susceptibility to phishing attacks and other unique hacker methods. Their methods change often, so perform these regularly.

• Standard antivirus tools are not enough to protect your user devices. These types of attacks prove that standard antivirus can be easily circumvented. Advanced endpoint protection that identifies behaviors of malware and backdoors are a must.

• Watch what is leaving your network. Everyone also focuses on what is or isn’t allowed into the network, but very few monitor the data that is leaving their networks.A database containing information on 500 million accounts leaving the network should have set off multiple alarms.

For more information on how Schneider Downs can assist you or your company with protecting your network, contact Eric Wright at 412-697-5328 | ewright@schneiderdowns.com or Dan Desko at 412-697-5285 | [email protected].