What Russian Hackers Teach About America's Spies

A close read of the sensational Yahoo indictment

The Justice Department announced charges against four defendants, including two officers of Russian security services, for a mega data breach at Yahoo.

On Wednesday, the Department of Justice unsealed an indictment against the Russian hacker Alexsey Belan and three others as the culprits behind a massive cyberattack on Yahoo disclosed in September. The indictment alleges that Belan did the kinds of things criminal hackers do all the time; namely that, after hacking into Yahoo’s servers, he stole information from millions of accounts to target them with spam marketing. Belan also allegedly stole credit and gift card information from within selected accounts, and rejiggered Yahoo’s search returns for erectile dysfunction drugs to send more traffic to a website that paid him commissions in return. This appears to be the kind of thing Belan excels at. Indeed, accusations of past hacks of U.S. companies had already gotten him indicted twice before, and named to the FBI’s Most Wanted list.

It’s charges concerning Belan’s other activities that make this indictment remarkable. There are 47 charges altogether, 38 of which name him. Those charges allege that Belan helped two spies from Russia’s Federal Security Service (FSB), and one other hacker, to spy—in much the same way America’s own National Security Agency does—in Russia, in its neighboring countries, and in the United States (the FSB officers were themselves also indicted). Other countries have hacked U.S. tech companies before. China, for instance, hacked Google in 2010. But no one, Chinese spy or not, was indicted in that attack, as they were here.

By indicting the FSB officers along with Belan, the U.S. Justice Department has revealed many of the advantages American spies have over their Russian counterparts, thanks to the fact that so many of the world’s tech companies are located in the United States.

The alleged Russian effort to spy on targets by hacking Yahoo worked much the same way the NSA’s spying does. By the indictment’s account, in 2014, Belan started by stealing a massive amount of metadata, ultimately downloading a database including account users’ names, secondary email addresses, phone numbers, and password challenge questions and answers from 500 million Yahoo customers. As the NSA did with the bulk internet and phone metadata databases it collected until 2011 and 2015, respectively—and still collects overseas—the Russians are alleged to have used that metadata to pick which Yahoo accounts they wanted content from, as well as to identify accounts from other email providers that might be of interest. From there, the Russian hackers would collect the email content of targeted accounts on an ongoing basis, according to the indictment.

That’s where this alleged Russian hack and NSA spying methods diverge. Because Yahoo and most major global internet companies like Google and Microsoft are located in the United States, it’s much easier for the NSA to spy on selected targets than it is for the Russians. Under the authority of Section 702 of the FISA Amendments Act, often referred to as PRISM, the U.S. government can simply hand Yahoo a directive listing the account identifiers it wants to collect, and Yahoo provides the content and other account information in response. In other words, for a great deal of its collection, the NSA can just ask nicely using a lawful order rather than breaking in. To obtain emails, Russia and all other countries (aside from America’s closest allies), by contrast, must break into the server, as they allegedly did with Yahoo, or conduct individualized phishing attacks like the type Russian hackers used to target John Podesta last year.

Perhaps as a result, the U.S. government gets its hands on the content of more Yahoo customers than Russia did here. According to the new indictment, Belan and the FSB officers collected metadata on 500 million Yahoo users, then created counterfeit digital cookies instead of account passwords to get the content from over 6,500 users from early January 2014 until December 1, 2016. By comparison: In 2015 alone, Yahoo provided content in response to U.S. law enforcement requests for foreign-intelligence gathering purposes on roughly 4,000 accounts, and provided content on over 40,000 accounts in response to these requests. We don’t know how many Americans that affects: The intelligence community has refused, through six years of requests from Senator Ron Wyden, to reveal how many Americans are swept up in that foreign intelligence dragnet simply because they happen to email a targeted person.

Still, under PRISM, analysts can only access information for specific purposes, including preventing terrorist attacks, tracking the proliferation of weapons of mass destruction, and detecting foreign espionage. Even for collection overseas, an Obama-issued directive limits the use of information collected in bulk to those and a few other purposes, like cybersecurity and tracking transnational crime. And law-enforcement officers must get a warrant to obtain the content of a Yahoo customer’s email for a criminal investigation.

Judging from what’s in the indictment, a number of the many targets described in the Yahoo operation don’t sound like they’d fit into the categories the NSA is limited to: The Russians allegedly targeted a journalist, a physical training expert, the chair of a Russian Federation Council committee within Russia, lots of bankers, and other financial professionals both within and outside of Russia. Because of different definitions of national security, the NSA’s spying doesn’t target dissidents or collect information to blackmail political enemies, as its Russian counterparts do.

But comparing how the United States and Russia conduct this nation-state spying helps quantify how much the NSA benefits from the cooperation it receives from Silicon Valley. It also shows the lengths Russia takes—allegedly permitting Belan to enrich himself off Viagra marketing even as he was collecting on the FSB’s targets—to solve a problem the United States also faces: how to recruit talented hackers for government spying.

The comparison also highlights one of the most remarkable parts of the indictment. Among the 47 charges leveled against the Russian hackers, four accuse them of economic espionage for stealing metadata and the tools they needed to manipulate and break into accounts. The NSA does do similar things when it hacks companies overseas. Documents leaked by Edward Snowden show that in 2010 the NSA’s elite Tailored Access Operations hackers stole the source code for a number of products made by Chinese telecom giant Huawei to facilitate collection from its networks. In 2013, it even stole metadata and content from Yahoo and Google servers located overseas. Presumably, the NSA hacks into Russian tech companies like Vkontakte (Russia’s version of Facebook, used extensively by the Boston Marathon bombers) and Yandex (an email provider) to target their users as well.

That’s awkward, since the NSA and other government officials insist they don’t engage in economic espionage. “The United States government does not engage in cyber economic espionage for commercial gain,” Barack Obama said in a speech in 2015. As suggested by Obama’s caveat—for commercial gain—U.S. intelligence officials mean something different by the term “economic espionage”: For them, it refers to collecting information to give U.S. companies a competitive advantage over foreign companies.

But if the Justice Department starts charging foreign intelligence officials engaged in nation-state spying with economic espionage for stealing information needed to spy, as they’ve done in the Belan indictment, other countries are likely to point to this expanded definition to refute America’s claims to avoid economic espionage. The indictment against Yahoo’s hackers alleges what is clearly criminal behavior: both Belan’s attempts to monetize his Yahoo hack and the nation-state spying. It provides a persuasive claim about who exposed millions of Yahoo’s customers. But the inclusion of all these details in a criminal indictment shines new lights on international spying that could lead to retaliatory claims against America’s spies overseas. By bringing indictments under these specific charges, the Justice Department may make it more likely that other countries will start treating American spies similarly.