Data Breach

Russian Spies, Two Others, Indicted in Yahoo Hack

Prosecutors Allege Russian FSB Officers Facilitated 2014 Attack
Russian Spies, Two Others, Indicted in Yahoo Hack
Acting Assistant U.S. Attorney General Mary McCord announces indictments.

Two of the four individuals indicted for hacking Yahoo in 2014, exposing 500 million user accounts, work for a Russian intelligence service unit that the FBI collaborates with on international cybercrime investigations.

See Also: 2017 Predictions on Data Security: Insights on Important Trends in Security for the Banking Industry

The Justice Department announced March 15 the indictments of two members of the Russian intelligence agency FSB's Center for Information Security: Dmitry Dokuchaev and Igor Sushchin. The other two accused hackers, Alexsey Belan and Karim Baratov, worked in partnership with the Russian government, according to federal prosecutors. Baratov was arrested in Canada on March 14 (see Outsourcing Cyber Espionage Landed Russia in Trouble).

"The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI's point of contact in Moscow on cybercrime matters, is beyond the pale," Mary McCord, acting assistant U.S. attorney general, said at a press conference held to announce the indictments.

The Charges

The indictments, handed up by a federal grand jury in San Francisco, accuse the defendants of computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo's network and the contents of webmail accounts.

Prosecutors say the defendants used unauthorized access to Yahoo's systems to steal information from at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists. Others targeted by the hackers, authorities say, included U.S. and Russian government officials and employees of financial, transportation and other companies.

One of the defendants, Belan also exploited his access to Yahoo's network for his personal financial gain by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign, authorities say.

Paul Abbate, executive assistant director of the FBI's Criminal, Cyber, Response and Services Branch, said that it's been "a challenge" for the FBI to cooperate on international cybercrime cases with the FSB, the successor to the KGB. "We need and have to have cooperation from all international partners in order to resolve cases like this, among many other threats that we face," Abbate said. "But when we look at this case ... we expect and hope for their cooperation here. ... I think this case is going to be a great test of that."

The United States and Russia do not have an extradition treaty, and Moscow has never extradited accused cybercriminals.

Indictments Send Critical Message

But as Stuart Baker, head of homeland and cybersecurity practices at the law firm Steptoe & Johnson, points out that "indictments last a very long time, and usually mean that foreign travel for the indicted is very risky. It's a long game."

That's what Baratov found out, and he'll likely be extradited to the U.S. from Canada. "That could lead to a trial that can generate useful information to hit the Russians over the head with," says Martin Libicki, a Rand Corp. scholar who focuses on international cyber policy.

Cybersecurity lawyer and adviser Paul Rosenzweig, who served as DHS deputy assistant secretary for policy during the George W. Bush administration, sees the indictments as a critical message even if no trials take place. "There's lots of value in signaling to the Russians that we know what they are doing, to the rest of the world that we are trying to set norms, to the U.S. business community that we will defend them and even to President Trump that the Russians should not be trusted, he said"

Libicki says no international norm exists that prohibits comingling intelligence activities with a nation-state's tolerance of international cybercrime. With that in mind, he says "we collaborate with our eyes open. Our side can only talk about law enforcement, but maybe their side can drop interesting hints about Russia's cyberspace activities."

Baker, who served as DHS assistant secretary for policy during the Bush administration, agrees the FBI should continue to cooperate with the FSB, "but in a very transactional and wary fashion. We should only cooperate where we're sure we're getting something worthwhile and what we're giving is something we're entirely comfortable. I don't think that cooperating on something like child porn is prevented by the latest news."

Rosenzweig concurs: "Like Reagan said: 'Trust but verify.' We must work with them but with great caution."

Nation-State Activity

McCord said nation-states employing criminals is not uncommon. "I don't think it is necessarily unique to Russia in this particular case, the FSB," she said. "The indictment, I think, alleges in pretty great detail the conspiracy among these four men, the sharing of infrastructure and hacking techniques and tools and procedures, the sharing of the cookies that were minted to be able to gain access to the accounts, and really contracting with Baratov for additional intrusions into account holders at other email providers, such as Google."

The cooperation of Yahoo and Google was critical to the investigation, McCord said. "It is very important for corporations around the country to know, when you are going against the resources and backing of a nation-state, it is not a fair fight, and it is not a fight you are likely to win alone," she said.

Chris Madsen, Yahoo's head of global law enforcement, security and safety, issued a statement expressing gratitude for the FBI investigation and Justice Department decision to indict.

But Sen. Mark Warner, the Virginia Democrat who co-founded the Senate Cybersecurity Caucus, said he believes Yahoo should have publicly reported this breach sooner than it did. "The public and private sectors often move too slowly to address the growing threats posed by cyber criminals," he said.

McCord said the Yahoo investigation is unrelated to the probe into the Russian hacking of Democratic Party computers in last fall's presidential campaign.

Yet Warner, who's the ranking Democrat on the Senate Intelligence Committee, said the indictment provides lessons to those investigating Russian influence over the 2016 election. "The indictments shed a light on the close and mutually beneficial ties between the cyber underworld and Russia's government and security services, and the extent to which Russia leverages these cyber activities to multiple ends: commercial, financial and geopolitical," he said.

Yahoo Breaches

Last Sept. 22, Yahoo warned that a late-2014 breach affected 500 million or more users. The search giant said it learned about the breach from law enforcement agencies.

Then on Dec. 14, 2016, Yahoo said that it had discovered another breach, which it believed occurred in August 2013, that had compromised 1 billion accounts. Yahoo said that breach is separate from the 2014 breach, and to date has revealed no information relating to the potential identity of the attackers.

Yahoo had the misfortune to have discovered the 2013 breach, as well as the full extent of the 2014 breach, after Verizon offered to buy the struggling search giant for $4.83 billion in July 2016. News of the breaches threatened to derail the deal, and ultimately trimmed $350 million off the purchase price.

Last year, Yahoo's board of directors launched an independent investigation into the 2014 breach, which the company had detected. The results of the inquiry found that while the company didn't ignore the breach, the senior management team and legal department failed to fully appreciate or investigate the incident. As a result of the investigation, Yahoo's lead attorney, Ronald S. Bell, resigned, and the board announced that it was denying Yahoo CEO Marissa Mayer a $2 million bonus and up to $12 million in equity awards.

The deal with Verizon, however, now looks set to close by the end of June, according to a March 13 proxy filing by Yahoo. It says that Mayer will be eligible for a $23 million golden parachute in the event that she doesn't get hired by Verizon after it acquires Yahoo's search and other related properties.

Yahoo now faces more than 40 class-action lawsuits filed in the United States and abroad.

(News Editor Howard Anderson and Executive Editor Mathew Schwartz contributed to this story.)


About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network