Russian! spies! 'brains! behind!' Yahoo! mega-hack! – four! charged!
Two FSB agents and two stooges fingered for 2014's 500m webmail account raid
Two Russian spies and two hackers were the miscreants who broke into Yahoo!'s servers and swiped at least 500 million user account records.
That's according to the US Department of Justice, which today indicted [PDF] four men – including two senior officers in the FSB, the Russian Federal Security Service born from the Soviet-era KGB.
In a joint statement, Attorney General Jeff Sessions and FBI Director James Comey claimed Russian agent Dmitry Dokuchaev and his boss Igor Sushchin "protected, directed, facilitated and paid" two hackers to ransack Yahoo!'s systems. The team then used information purloined from the US biz's servers to spy on American and Russian government officials, journalists, and computer security professionals, we're told.
(Slightly bafflingly, Dokuchaev was arrested in December last year, and charged with high treason. He allegedly leaked files to the CIA. The plot thickens.)
"Today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users' accounts," Sessions said today. "The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law."
The indictment states that in 2014, Dokuchaev and Sushchin hired Latvian hacker Alexsey Belan, aka "Magg," 29, who was already on the FBI's Most Wanted list with a $100,000 bounty on his head, and Karim Baratov, aka "Kay," 22, a Kazakh national and resident of Canada, for the Yahoo! incursion.
According to the charges, in November and December 2014, Belan penetrated Yahoo!'s corporate security and stole at least a chunk of its user account database that included enough information to mint account authentication cookies for Yahoo! email inboxes – meaning the miscreants could use these cookies to log into Yahoo! accounts, rifle through their documents and messages, and masquerade as strangers, without having to crack or type in a login password.
Belan is also accused of gaining unauthorized access to Yahoo!'s internal account management tool, which is used to create, manage, and log changes in accounts.
The FSB officers are accused of monitoring and advising on the operation using information from their own government hacking teams and telling Belan what accounts they wanted access to. The indictment says 6,500 targeted accounts of Russian and US government officials, foreign intelligence and law enforcement service staff, journalists, and "employees of a prominent Russian cybersecurity company" were accessed by the FSB.
These accounts were mined for information and passwords that could be of use to the FSB, according to US claims. But Belan is also accused of running a little side business of his own while romping through Yahoo!'s poorly protected servers.
"The indictment unequivocally shows the attacks on Yahoo! were state-sponsored," said Chris Madsen, assistant general counsel and head of global law enforcement at Yahoo!. "We're committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime."
The indictment states that Belan dug into accounts on his own, looking for credit card and gift card details. As many as 30 million accounts were scanned in this way and he was also able to "earn commissions from fraudulently redirecting a subset of Yahoo!'s search engine traffic," the US claims. The contacts were then sold to a spammer service for an additional profit for Belan.
That would certainly fit with FBI information on Belan. In 2013 Belan made it to the FBI's Most Wanted list after accusations that he hacked three major US e-commerce companies in California and Nevada and used the information for fraud and identity theft. The FBI put a $100,000 bounty on his head but found no takers.
Today's statement claims that Belan was arrested in Europe in June 2013 but "was able to escape to Russia before he could be extradited." Since then he has been operating in Russia under the protection of the FSB, Sessions said.
"Today we continue to pierce the veil of anonymity surrounding cyber crimes," said Director Comey. "We are shrinking the world to ensure that cyber criminals think twice before targeting US persons and interests."
The net widens
When the FSB saw that some of their targets had other webmail accounts besides the ones on Yahoo!, the FSB hired Baratov to crack them, the indictment states. Baratov was hired on a commission basis and the US authorities claim he successfully broke into 80 million accounts – many of them at Google, which has also been helping the FBI with its inquiries.
Yahoo! has since said that it called in the government in 2014 when it became aware of the hacking. Around the same time, it hired security guru Alex Stamos as chief security officer, although he jumped ship to Facebook less than two years later after reportedly getting frustrated at the lack of attention Yahoo!'s senior management were giving to security.
Two years later, the web giant decided to go public and admitted it had been thoroughly hacked, sparking a mass panic. CEO Marissa Mayer had to forgo her annual bonus, and the value of her business dropped for potential suitor Verizon. Yahoo! said today's charges are unrelated to a separate break-in of its email system that led to the theft of more than a billion webmail account records in 2013.
Baratov was identified by the FBI over the course of their investigation into the Yahoo! hacks and a warrant was issued for his arrest on March 7. The Canadian police caught him seven days later and he's currently in custody.
The indictment states that Dokuchaev, 33, is an officer in the FSB Center for Information Security and resident in Russia, while his boss Sushchin has a cover position as CSO for a Russian investment bank. Belan is also thought to be in Russia, and Interpol (of which Russia is a member) has put out a Red Notice calling for his immediate arrest and extradition to the US.
"Once again, the Department and the FBI have demonstrated that hackers around the world can and will be exposed and held accountable," said Acting Assistant Attorney General of the Department of Justice, Mary McCord.
"State actors may be using common criminals to access the data they want, but the indictment shows that our companies do not have to stand alone against this threat. We commend Yahoo! and Google for their sustained and invaluable cooperation in the investigation aimed at obtaining justice for, and protecting the privacy of, their users."
The list of charges is extensive: they range from conspiring to commit computer fraud and abuse to conspiring to engage in economic espionage and theft of trade secrets. ®