The Justice Department announced today the indictment of two Russian spies and two criminal hackers in connection with the heist of 500 million Yahoo user accounts in 2014, marking the first US criminal cyber charges ever against Russian government officials.
The indictment targets two officers of the cyber investigative arm of the Russian intelligence agency FSB and two hackers hired by the Russians. One of the criminal hackers was arrested yesterday in Canada. The other three are in Russia.
The charges include hacking, wire fraud, trade secret theft and economic espionage, according to officials. The indictment is part of the largest hacking case brought by the United States to date.
The dozen-plus charges are unrelated to the hacking of the Democratic National Committee and the FBI's investigation of Russian interference in the 2016 presidential campaign. But the move reflects the US Government's increasing desire to hold foreign governments accountable for malicious acts in cyberspace.
"With these charges, the Department of Justice is continuing to send the powerful message that we will not allow individuals, groups, nation-states or a combination of them to compromise the privacy of our citizens, the economic interest of our companies or the security of our country," said acting Assistant Attorney-General Mary McCord.
The United States does not have an extradition treaty with Russia, but those who are charged overseas sometimes slip up and travel to a country that is able and willing to transfer them to the United States for prosecution.
Yahoo reported the 2014 hack last year - in what was then considered the largest data breach in history. The company later disclosed another intrusion affecting more than 1 billion user accounts in 2013, far surpassing the 2014 event. Officials have not determined whether there is a link between the two.
The twin hacks clouded prospects for the sale of Yahoo's core business to telecommunications giant Verizon. The deal is proceeding, though Verizon negotiated the price down after the breaches were disclosed.
According to officials, from early 2014 until late 2016, the two officers of the FSB - a successor to the KGB also known as Russia's Federal Security Service - directed and paid the two criminal hackers in a conspiracy to hack the computer servers of the Silicon Valley tech company and steal information about millions of users. The hackers also filched the firm's source code and proprietary technology to manage users' accounts and password changes.
With access to the technology, the hackers read the contents of more than 6,500 individual users' accounts, according to the indictment. The victims included a sales manager of a major US financial company, a Nevada gambling official, White House personnel, and US diplomatic and military officials. The FSB also targeted Russian journalists, dissidents and government officials, allegedly seeking information for intelligence purposes.
The compromised accounts may have affected more than just email. Breaking into a Yahoo account would give the hackers access to users' activity on Flickr, Tumblr, fantasy sports and other Yahoo applications.
The FSB officers also allowed the criminal hackers to use the email cache for the officers' and the hackers' financial gain, through spamming and other operations, officials said. For example, one of the criminal hackers charged, Alexsey Belan, a 29-year-old hacker whose baby face and tinted hair have appeared on an FBI Most Wanted poster, manipulated Yahoo search engine servers so that some users were redirected to an online pharmacy site that paid Belan for each diversion.
Belan has been charged twice before in connection with intrusions into three major tech firms, including LinkedIn, in Nevada and California in 2012 and 2013. Interpol had placed a "Red Notice" on Belan, requesting that member nations, including Russia, arrest and extradite him. He was arrested in Greece in 2013, but before he could be extradited, he made his way back to Russia, where he is being protected by authorities, officials said.
The other hacker-for-hire is Karim Baratov, 22, who was born in Kazakhstan but has Canadian citizenship. He was an associate of FSB officer Dmitry Dokuchaev, 33. The two worked together using spear phishing email messages to trick recipients into giving them access to their accounts. Some of the accounts led Baratov to identify users who also had Google mail accounts, which he hacked. He was paid US$100 for each victim's credentials that he passed on to Dokuchaev. He amassed enough wealth to buy a gray Aston Martin DBS and a black Mercedes-Benz C54, according to the indictment.
The charges "illustrate the murky world of Russian intel services using criminal hackers in a wide variety of ways," said Milan Patel, a former FBI Cyber Division supervisory special agent who is now a managing director at K2 Intelligence, a cyber firm.
Although FBI agents have long suspected that the Russians have used cyber mercenaries to do their work, this case is among the first in which evidence is offered to show that.
Dokuchaev, whose hacker alias was "Forb," presents a mysterious case. He was arrested in December in Moscow, according to the news agency Interfax, on charges of state treason for passing information to the CIA. He had reportedly agreed to work for the FSB to avoid prosecution for bank card fraud.
Also indicted was Dokuchaev's superior, Igor Sushchin, 43. Sushchin allegedly had a cover job as head of information security at a Russian bank, where he monitored the communications of employees for the FSB, according to the indictment.
Particularly galling to US officials is that Dokuchaev and Sushchin worked for the FSB's Centre 18 - a rough equivalent of the FBI's Cyber Division. "These are the very people that we are supposed to work with in law enforcement channels," McCord said. Instead, "they turned against that type of work."
The indictments grew out of a nearly two-year investigation by the FBI's San Francisco office with the aid of international law enforcement, officials said. Yahoo cooperated with the FBI from the start, officials said.
Sanctions and criminal charges are two tools that the Obama Administration began using to punish and deter nation-state hackers.
"They have the effect of galvanizing other countries that are watching what's happening," said Luke Dembosky, a former deputy assistant attorney general for national security. "They show that we have the resources and capabilities to identify the people at the keyboard, even in the most sophisticated cases."
Three years ago, the United States charged five Chinese military hackers with economic espionage, marking the first time cyber-related charges were levied against foreign government officials.
After the Chinese military hackers were indicted, officials said their activity seemed to dwindle. And the indictments, Dembosky said, helped wrest a pledge in 2015 from the Chinese to stop economic cyberespionage against US firms.
In early 2015, the Obama Administration imposed economic sanctions on North Korea for its cyberattack on Sony Pictures' systems.
And in late December, the Obama Administration levied economic sanctions on Moscow for its election-year meddling. At the same time, the government sanctioned two Russian criminal hackers with no apparent connection to the Kremlin's interference campaign. They included Belan, who is one of the four indicted in the Yahoo case.