Yahoo breach exposes the drawbacks of state-sponsored hacking

Relying on private hackers gives governments some deniability, but it can bring the whole scheme down

When governments turn to private hackers to carry out state-sponsored attacks, as the FBI alleges Russia did in the 2014 breach of Yahoo, they're taking a big risk.

On the one hand, it gives them a bit of plausible deniability while reaping the potential spoils of each attack, but if the hackers aren't kept on a tight leash things can turn bad.

Karim Baratov, the 22-year-old Canadian hacker who the FBI alleges Russia's state security agency hired to carry out the Yahoo breach, didn't care much for a low profile.

His Facebook and Instagram posts boasted of the million-dollar house he bought in a Toronto suburb and there were numerous pictures of him with expensive sports cars -- the latest an Aston Martin DB9 with the license plate "MR KARIM."

But forget those for a moment and consider he wasn't very careful in hiding his hacking work.

His name is registered to several Russian-language websites that offer email hacking for between $80 and $90 per account. In the domain name records, he listed his home address.

“When you bring in amateurs who don’t follow standard protocol, that carries risk,” said Alex Holden, chief information security officer at Hold Security.

screen shot 2017 03 16 at 2.36.44 pm Piknu

Pictures from Baratov's Instagram account.

The breach of Yahoo happened in 2014. At the time, the company notified the FBI but only believed 26 accounts had been targeted. It wasn't until mid 2016 that the true enormity of the hack started to become apparent.

Security experts say it’s possible Baratov or a second hacker hired to help might have bragged online about the hack at some point, tipping off U.S. investigators.

And then in August 2016 a database allegedly stolen from Yahoo was found circulating on the black market.

“Some of the information about this hack was basically leaked,” Holden said. “That’s not a sign of a mature intelligence operation.”

So why did Russia turn to a 22-year-old from Canada? Language might have played a role.

According to the indictment, Baratov broke into the accounts through spear phishing email attacks, which are often designed to dupe victims into handing over password information.

However, spear phishing only works best if the emails appear authentic.

“The benefit of having Karim, the Canadian, on the team probably allowed creation of far more believable phishing attacks due to his being a native English speaker,” said Chester Wisniewski, a research scientist at security firm Sophos, in an email.

In addition to Baratov, the Russian agents allegedly hired a 29-year-old Latvian named Aleksey Belan, who pulled off the main hack against Yahoo, and stole the database involving 500 million user accounts.

By outsourcing the operation to Belan, Russia probably wanted to conceal the true motives for the Yahoo breach, Wisniewski said. Prior to Wednesday’s indictment, Belan himself was already a wanted man for hacks against U.S. e-commerce companies.

“Who better to assist in a break-in?” he said. “There is also the ‘cover’ of criminal actions to potentially obfuscate the spying that was allegedly the real purpose.”

In response to Wednesday's criminal indictments by the FBI, the Russian government is denying any involvement, and calling the allegations a distraction.

Baratov, who has been arrested in Canada, is also claiming innocence, according to his lawyer. Meanwhile, Belan remains at large.

But if the allegations are true, it does show one example of how Russia is harnessing the power of cybercriminals for spying purposes -- and how it can get sloppy.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Michael Kan

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?