The U.S. Department of Justice on Wednesday announced charges against four individuals, including two officers of Russia’s Federal Security Service, or FSB, for carrying out the massive cyberbreach that affected about 500 million Yahoo account holders in 2014.
The FBI carried out the investigation with the assistance of the Royal Canadian Mounted Police, RCMP Sergeant Harold Pfleiderer told the E-Commerce Times.
A federal grand jury in Northern California charged the defendants — the FSB officials and two Russian cybercriminals — with using stolen data to gain illegal access to the accounts of Russian journalists, Russian and U.S. government officials, and private sector employees of financial, transportation and other companies.
The indictment alleges that Dmitry Aleksandrovich Dokuchaev, 33, a Russian officer in the FSB, and Igor Anatolyevich Sushchin, 43, Dokuchaev’s superior, directed, facilitated, paid and provided protection for criminal hackers to collect information using cyberintrusions in the U.S. and elsewhere.
Yahoo and Beyond
At the direction of the FSB agents, Alexsey Alexseyevich Belan, aka “Magg,” 29, a Latvian-born Russian national, in late 2014 allegedly stole a copy of at least part of Yahoo’s secret User Database, which contained usernames, emails, recovery emails, phone numbers, and the information needed to create, or “mint,” Web browser cookies for about 500 million Yahoo members.
He also allegedly gained access to Yahoo’s Account Management Tool, proprietary software that allowed users to log changes to their accounts.
The co-conspirators also used spear phishing tactics to trick users into giving up access to their accounts, according to court filings.
After the suspects learned they had information on customer accounts outside of Yahoo, the fourth suspect, Karim Baratov, aka “Kay,” a 22-year-old Canadian and Kazakh national, allegedly gained access to 80 accounts in exchange for commission payments.
Kay was arrested in Canada on Tuesday, following the DoJ’s issuance of a provisional warrant to Canadian officials last week.
The Justice Department has charged all four defendants with conspiracy to commit computer fraud and abuse, carrying up to 10 years in prison.
The DoJ also charged Dokuchaev, Sushchin and Belan with conspiracy to commit economic espionage, carrying 15 years in prison; theft of trade secrets, 10 years; conspiracy to commit wire fraud, 20 years; and counterfeit access device fraud, among other charges.
Baratov and both FSB officers were charged with conspiracy to commit access device fraud, carrying 7 1/2 years in prison; and wire fraud, carrying 20 years in prison. Dokuchaev and Baratov also were charged with aggravated identity theft, carrying two years.
“With these charges, the United States Department of Justice is continuing to send the powerful message that we will not allow individuals, groups, nation states, or a combination of them to compromise the privacy of our citizens, the economic interests of our companies or the security of our country,” said Mary McCord, acting assistant AG for national security.
Belan has been indicted twice before in the U.S. for three cyberattacks into e-commerce companies that impacted millions of customers, McCord noted, and has been one of the FBI’s most wanted cybercriminals for three years.
Despite his history and an Interpol red notice, the FSB failed to detain Belan but continued to use him for illegal hacking, McCord said.
The charges announced Wednesday are consistent with Yahoo’s prior disclosures about the hack, said Chris Madsen, assistant general counsel and head of global law enforcement, security and safety at Yahoo.
Yahoo last fall disclosed that it believed a state-sponsored attack had resulted in the theft of a copy of certain information for about 500 million user accounts as of late 2014.
Yahoo later disclosed further details on the forging of cookies to gain access to user accounts without a password and linked some of that activity to the same state-sponsored actor, according to Madsen.
“We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime,” he said.
Due to the lack of a U.S. extradition treaty with Russia, it’s unlikely there will be more evidence concerning Russian involvement unless there are further proceedings involving Baratov, who was arrested in Canada, suggested Mark Nunnikhoven, vice president for cloud research at Trend Micro.
In any case, the Yahoo and Verizon names will continue to be linked to this case while the companies focus on “recovery and strengthening defenses” going forward, Nunnikhoven told the E-Commerce Times.
The charges come amid congressional investigations into the Russian interference in the U.S. presidential election. No direct link has been established between the Yahoo hack and the election, but the case at best reflects the United States’ wide vulnerability to attacks by foreign state actors.
“State-sponsored activity such as this is being carried out by all well-resourced nations, which include Russia, China — and of course, the U.S.,” noted Troy Hunt, a Microsoft regional director and MVP – developer security.
“What it shows us is how valuable digital capabilities are becoming,” he told the E-Commerce Times.
“The reach, effectiveness and cost efficiency of cyberactivities like these make enormously attractive ‘weapons.’ As we digitize and connect more and more critical infrastructure, their effectiveness only increases — and consequently, so does the threat,” Hunt explained.
“Obviously, the U.S. needs to strengthen cybersecurity,” said Marc Rotenberg, president of the Electronic Privacy Information Center, “but EPIC also believes there should be greater focus on specific threats to personal information.”
The U.S. needs a data protection agency similar to agencies in other democratic governments, he told the E-Commerce Times.
EPIC sent a letter to the Senate Judiciary Committee on Russian interference in the election, Rotenberg noted, and has submitted two Freedom of Information Act requests seeking additional details.