Wednesday 15 March 2017

The Yahoo hack was one of the largest cyber crimes in history👀

The United States rarely blames foreign governments for hacks targeting US corporations. Yet in a Wednesday presser, the Department of Justice did just that — announcing indictments against two agents of the Russian FSB spy agency, Dmitry Dokuchaev and Igor Sushchin, for a 2014 breach of Yahoo that got access to 500 million users’ data.

This is a big deal. The Yahoo hack was one of the largest cyber crimes in history. This is also the first time the US government has ever brought charges against Russian officials for cyber-related crimes.

The US Federal Bureau of Investigation has been investigating the intrusion for two years.

Here's how the FBI says they did it:

The hack began with a spear-phishing email sent in early 2014 to a Yahoo company employee. It's unclear how many employees were targeted and how many emails were sent, but it only takes one person to click on a link, and it happened.

Once Aleksey Belan, a Latvian hacker hired by the Russian agents, started poking around the network, he looked for two prizes: Yahoo's user database and the Account Management Tool, which is used to edit the database. He soon found them.

To avoid losing access, he installed a backdoor on a Yahoo server, and in December he stole a backup copy of Yahoo's user database and transferred it to his own computer.

The database contained names, phone numbers, password challenge questions and answers and, crucially, password recovery emails and a cryptographic value unique to each account.

It's those last two items that enabled Belan and fellow commercial hacker Karim Baratov to target and access the accounts of certain users requested by the Russian agents, Dmitry Dokuchaev and Igor Sushchin.

The account management tool didn't allow for simple text searches of user names, so instead the hackers turned to recovery email addresses. Sometimes they were able to identify targets based on their recovery email address, and sometimes the email domain tipped them off that the account holder worked at a company or organization of interest.

Once the accounts had been identified, the hackers were able to use stolen cryptographic values called "nonces" to generate access cookies through a script that had been installed on a Yahoo server. Those cookies, which were generated many times throughout 2015 and 2016, gave the hackers free access to a user email account without the need for a password.

Throughout the process, Belan and his colleague were clinical in their approach. Of the roughly 500 million accounts they potentially had access to, they only generated cookies for about 6,500 accounts.

The hacked users included an assistant to the deputy chairman of Russia, an officer in Russia's Ministry of Internal Affairs and a trainer working in Russia's Ministry of Sports. Others belonged to Russian journalists, officials of states bordering Russia, U.S. government workers, an employee of a Swiss Bitcoin wallet company and a U.S. airline worker.

So clinical was the attack that when Yahoo first approached the FBI in 2014, its concern was that 26 accounts had been targeted by hackers. It wasn't until late August 2016 that the full scale of the breach began to become apparent and the FBI investigation significantly stepped up.

Russian strategic doctrine suggests that it sees cyber espionage as a valid and increasingly important kind of warfare. In an influential 2013 article, Russian Chief of the General Staff Valery V. Gerasimov argued that "non-military means," including "new information technologies," have eclipsed traditional weaponry in their strategic importance.

This is why it makes sense to hack Yahoo, even at the expense of exposing tens of millions of innocent people to email scams from a random hacker. Putin’s regime sees the world as existing in a perpetual gray area of pseudo-conflict; stealing information on dissidents and corporations that play major roles in the US economy is one way of strengthening Russia’s hand in that fight. The Kremlin doesn’t really care who gets hurt in the process.

AlphaBay, Dark Web market is shut down❌

US and European police on Thursday announced the shutdown of two huge "dark web" AlphaBay and Hansa – two of the ...