DoJ accuses two Russian spies and two criminals of 2014 Yahoo hack

The U.S. Department of Justice has confirmed earlier reports and accused two Russian FSB officers and two criminal hackers of being behind the hacking of at least 500 million Yahoo accounts — saying the conspiracy to exploit illegal access and stolen data began at least as early as January 2014, with info garnered via the intrusion continuing to be utilized by the group at least until December 2016.

In a press release announcing the indictment of the four defendants, the DoJ accuses them of using unauthorized access to Yahoo’s systems to steal information from “about at least 500 million Yahoo accounts” and then using some of the stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers — including the accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies.

One of the defendants is also accused of exploiting his access to Yahoo’s network for personal financial gain — by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign.

The four defendants are identified as:

  • Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident, and, at the time of the hack, an officer in the FSB Center for Information Security, aka “Center 18”
  • Igor Anatolyevich Sushchin, 43, a Russian national and resident, and an FSB officer, a superior to Dokuchaev within the FSB (though apparently embedded as a purported employee and Head of Information Security at a Russian investment bank)
  • Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident who has been indicted twice by U.S. Federal grand juries, in 2012 and 2013, for computer fraud and abuse, access device fraud and aggravated identity theft involving three U.S.-based e-commerce companies; he also has been on the FBI’s “Cyber Most Wanted” list, and is currently the subject of a pending “Red Notice” requesting that Interpol member nations (including Russia) arrest him pending extradition
  • Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22, a Canadian and Kazakh national and a resident of Canada

In a summary of the allegations, the DoJ asserts that the FSB officer defendants, Dokuchaev and Sushchin, “protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the U.S. and elsewhere” — working with co-defendants Belan and Baratov specifically to obtain access to the email accounts of “thousands” of individuals.

It writes:

In or around November and December 2014, Belan stole a copy of at least a portion of Yahoo’s User Database (UDB), a Yahoo trade secret that contained, among other data, subscriber information including users’ names, recovery email accounts, phone numbers and certain information required to manually create, or “mint,” account authentication web browser “cookies” for more than 500 million Yahoo accounts.

Belan also obtained unauthorized access on behalf of the FSB conspirators to Yahoo’s Account Management Tool (AMT), which was a proprietary means by which Yahoo made and logged changes to user accounts. Belan, Dokuchaev and Sushchin then used the stolen UDB copy and AMT access to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 such accounts without authorization.

The DoJ says some victim accounts were of “predictable interest” to the FSB, Russia’s foreign intelligence and law enforcement service, such as personal accounts belonging to Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; and numerous employees of other providers whose networks the conspirators sought to exploit. But it also notes that other personal accounts belonged to employees of commercial entities — such as a Russian investment banking firm, a French transportation company, U.S. financial services and private equity firms, a Swiss bitcoin wallet and banking firm and a U.S. airline.

The indictment says the two FSB officers facilitated Belan’s other criminal activities by providing him with sensitive FSB law enforcement and intelligence information that the DoJ says would have helped him avoid detection by U.S. and other law enforcement agencies outside Russia, including “information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers.”

The other co-conspirator, Baratov, was allegedly used by the FSB agents to obtain unauthorized access to other (non-Yahoo) webmail accounts of “targets of interest” — with the hacker providing access to more than 80 accounts in exchange for commissions, according to the DoJ.

Given three of the four defendants are residents of Russia, it’s unlikely they can be forced to appear in U.S. court, as the U.S. has no extradition treaty with Russia, but The Washington Post suggests officials may seek to impose sanctions as a deterrent.

In the case of Baratov, a provisional arrest warrant was submitted for him on March 7 to Canadian law enforcement authorities, and on March 14 he was arrested in Canada — the DoJ says the matter is now “pending with the Canadian authorities.”

The FBI, led by the San Francisco Field Office, conducted the investigation. The case is being prosecuted by the U.S. Department of Justice National Security Division’s Counterintelligence and Export Control Section and the U.S. Attorney’s Office for the Northern District of California, with support from the Justice Department’s Office of International Affairs.

Commenting in a statement, Attorney General Sessions said: “Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history… The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law.”

“This is a highly complicated investigation of a very complex threat. It underscores the value of early, proactive engagement and cooperation between the private sector and the government,” added executive assistant director Abbate in another supporting statement. “The FBI will continue to work relentlessly with our private sector and international partners to identify those who conduct cyber-attacks against our citizens and our nation, expose them and hold them accountable under the law, no matter where they attempt to hide.”

The 2014 Yahoo breach was only publicly disclosed by the company last September. It has also subsequently disclosed an earlier hack, dating from 2013, that is thought to affect more than one billion user accounts — believed to be separate and distinct from the state-sponsored 2014 hack which today’s indictment pertains to.

The reputational damage of the two massive hacks is reported to have shaved some $350 million off the acquisition price tag of Yahoo that buyer Verizon had agreed to pay last year, prior to the disclosures.

In a statement responding to today’s indictment, Yahoo’s assistant general counsel, Chris Madsen, said: “The indictment unequivocally shows the attacks on Yahoo were state-sponsored. We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible.”

Disclosure: Verizon, which owns Aol, which owns TechCrunch, is in the process of buying Yahoo