The Justice Department accused two Russian intelligence agents and two alleged criminal hackers Wednesday of breaking into Yahoo’s networks and stealing information on 500 million account users, one of the biggest computer intrusions in U.S. history.
U.S. prosecutors said the two Russian agents acted on behalf of the Federal Security Service, or FSB, the successor agency to the KGB, a charge that is likely to further poison tense U.S.-Russian relations.
The indictment opens a window on what U.S. officials say is the reliance of Russia’s intelligence community on a thriving criminal underground to achieve foreign policy objectives, flouting global anti-crime conventions and treaties.
Yahoo has faced at least two massive hacks, one in 2013 and another in 2014, and it was the first major U.S. company to see its stock valuation affected by its cyber vulnerabilities, an increasingly common occurrence.
One of the two Russian officers of the FSB, Dmitry Dokuchaev, was reportedly arrested in Russia in December and faces treason charges, raising questions about his allegiances and to whom the Kremlin thinks he was passing information.
The other indicted officer, Igor Sushchin, was a superior to Dokuchaev in the Information Security Center, the FSB’s cybercrimes unit.
The alleged use by Russian intelligence of criminal elements to conduct foreign hacking is part of a broader worldwide trend by nations to hide their digital footprints by employing criminal hackers to do their dirty work.
We are certainly seeing more and more use by nation states of criminal hackers.
Mary B. McCord, acting assistant attorney general for national security
“We are certainly seeing more and more use by nation states of criminal hackers,” said Mary B. McCord, acting assistant attorney general for national security.
McCord and other officials at the Justice Department said the two FSB officers worked with two hackers, Alexsey Belan, a 29-year-old Latvian-born Russian, and Karim Baratov, a 22-year-old Kazakh living in Canada who was arrested in Toronto on Tuesday.
The 34-page criminal indictment says the FSB officers “protected, directed, facilitated and paid” the hackers to conduct the computer intrusions in the United States.
“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale,” McCord said.
In using the two hackers, the FSB shrugged off multiple signs that other countries already had the two, particularly Belan, in their sights.
U.S. prosecutors indicted Belan in 2012 and again in 2013, and the FBI listed him as one of its Cyber’s Most Wanted worldwide in 2013.
The hack at the heart of the indictment occurred in late 2014 but was not made public until last September. The indictment says the two FSB officers told Belan to steal a portion of Yahoo’s user database in November and December 2014. That database includes usernames, recovery email accounts, phone numbers and other information.
Belan also hacked Yahoo’s account management tool, proprietary software that allows administrators to log changes to Yahoo accounts, the indictment says. The two FSB officers and Belan than sifted down the hacked accounts to some 6,500 of interest to them, it adds.
Those accounts belonged to a variety of entities worldwide, including a French transport company, a Swiss bitcoin wallet and banking firm, a U.S. airline, Russian and U.S. government officials, Russian journalists and an official at the International Monetary Fund, the indictment says.
The case further blurs the lines between the Russian government and cybercriminals. One of the two FSB officers, Dokuchaev, is known to have been a hacker himself prior to joining the FSB. A McClatchy story Feb. 17 noted allegations that he’d been involved in credit card fraud, and had interacted with others on criminal forums on the dark web with the username “Forb.”
Recent events at the FSB only add to mysteries. One of Dokuchaev’s FSB supervisors, Sergei Mikhailov, was also charged with treason in late December, and a pro-Kremlin television network, Tsargrad TV, said Mikhailov had passed information to U.S. agents that led Washington to issue a report in January alleging Russia had hacked computers belonging to the Democratic National Committee in an effort to influence the U.S. elections.
The indictment says Belan, one of the independent hackers, was doing criminal business on the side while working with the FSB. It said he used his access to Yahoo networks to steal gift and credit card numbers from webmail accounts, facilitate a spam campaign involving 30 million Yahoo accounts and redirect anyone using Yahoo’s search engine to an online pharmacy website with the aim of earning commissions. Belan allegedly targeted anyone searching for erectile dysfunction medication.
After the Yahoo breach occurred, the two FSB officers tasked Baratov, the Kazakh living in Canada, with hacking 80 targeted accounts at other email service companies, like Google’s Gmail. He was paid $100 for each successfully hacked account, the indictment says. The accounts were for targets that included an assistant to the deputy chairman of the Russian Federation, an officer in the Russian Foreign Ministry and a counterpart in the Interior Ministry’s Department K (cybercrimes bureau), the indictment says.
U.S. officials said Baratov did not succeed in hacking the Gmail accounts.
A grand jury seated in northern California, near the Sunnyvale headquarters of Yahoo, handed down 47 counts against all those indicted, ranging from aggravated identity theft and unauthorized access to protected computers to economic espionage, wire fraud and theft of trade secrets.
Those indicted had leased servers and used virtual private networks in the United States and other countries, the indictment says.
U.S. prosecutors may never get their hands on Dokuchaev, Sushchin and Belan, all of whom are protected in Russia. Canada is likely to prosecute Baratov on its own.
We do not have an extradition treaty with Russia.
Paul Abbate, executive assistant director of the FBI
“This case is going to be a great test,” said Paul Abbate, executive assistant director of the FBI. “We do not have an extradition treaty with Russia.”
McCord praised Yahoo and Google for cooperating with the FBI in the hacking investigation, and she called on other U.S. companies to understand that foreign countries may ultimately be behind hacks, not just rogue young hackers.
“It is very important for corporations around the country to know, when you are going against the resources and backing of a nation state, it is not a fair fight, and it is not a fight you are likely to win alone,” McCord said.
Yahoo announced last December that a 2013 hack was even bigger than the 2014 hack that got information on 500 million Yahoo accounts. The 2013 hack affected 1 billion accounts, it said.
McCord declined to say whether there were any similarities between the Yahoo intrusions and the Russian state penetrations in 2015 and 2016 of the Democratic National Committee. Following the DNC hacks, the anti-secrecy group WikiLeaks published thousands of emails from Democratic Party officials and from John Podesta, the campaign chairman for Hillary Clinton.
The U.S. intelligence community released a report Jan. 6 that said those hacks had been conducted with the knowledge of the Kremlin and with the intent of swaying the campaign in favor of Donald Trump.