U.S. Government Indicts Two Russian FSB Officers Over Yahoo Hack

U.S. Government Indicts Four Over 2014 Yahoo Hack, Including Two Russian FSB Officers

The US government today announced the indictment of four individuals charged with computer hacking, economic espionage and other offenses in connection with the 2014 breach of Yahoo that involved the theft of information on at least 500 million user accounts. Three of the accused are Russian nationals currently living in Russia. The fourth, Karim Baratov, is a Canadian and Kazakh national who was arrested in Canada on Tuesday.

Two of the Russian nationals, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, are serving officers of the Russian Federal Security Service (FSB). In announcing the indictments, Acting Assistant Attorney General Mary McCord of the National Security Division made it clear that the US believes they were acting in their capacity as FSB officers.

The third Russian national is Alexsey Alexseyevich Belan. This is not the first time he has been indicted by the US. He was indicted on different charges in 2012 and 2013, and is on the FBI's 'Cyber Most Wanted' List. He is currently the subject of an Interpol Red Notice. He was arrested in a European country in June 2013, but managed to escape to Russia before he could be extradited to the US.

The belief is that the FSB officers employed cyber criminals (Belan and Baratov) to do the hacking. The government suspects that the FSB's primary objective was espionage. Targets included the private accounts of Russian journalists; Russian and U.S. government officials; and employees of a prominent Russian cybersecurity company. The two non-FSB cyber criminals then used the stolen data for more traditional criminal activities.

"We've known for some time that spies have targeted email accounts as a primary vector to collect information," comments Eric O'Neill, a former FBI counter-terrorism operative who helped capture Russian spy Robert Hanssen -- and now national security strategist with Carbon Black. "Global communications, both personal and business, often rely on email as the first method of communication. This creates a detailed record that can be used for a variety of purposes. Infiltration into email accounts allows spies to collect credentials that provide access to targeted systems. Monitoring government agency systems informs policy decisions, collects information on defense and attack capability, and can provide an economic boost to foreign nations."

Belan also obtained access to Yahoo's Account Management Tool. Using it in conjunction with the stolen account database, he and the FSB officers were able to locate Yahoo email accounts of interest and manually create cookies that allowed unauthorized access to at least 6,500 accounts without the account password.
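The cookie forging described above worked because an insider-level tool could mint session cookies for arbitrary accounts, and the cookies were accepted on their own. As an added example (written for this article, not Yahoo's code), the Python below shows a session design in which a cookie is honoured only if its session id was recorded server-side at issuance: a correctly signed but unregistered cookie fails validation, every session carries the path that minted it, and an audit function lists sessions created by anything other than interactive login so that account-management-tool activity can be reviewed. The signing key, the user names and the `account_management_tool` label are constructed for the example.

```python
"""Added example: server-side session registry that rejects cookies minted
outside the login path, even when they carry a valid signature."""
import hashlib
import hmac
import secrets
import time

# Constructed key for the example; a deployment would load it from a KMS/HSM.
COOKIE_KEY = b"constructed-demo-signing-key"


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the cookie payload, hex encoded."""
    return hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Every valid session is recorded here when it is issued. A cookie whose
    session id is absent from the registry is treated as forged, however
    well-formed and well-signed it is."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user", "issued_by", "created"}

    def issue(self, user: str, issued_by: str = "login") -> str:
        """Create a session record and return the cookie string for it."""
        sid = secrets.token_urlsafe(32)  # no '|' in base64url, so safe to split
        self.sessions[sid] = {"user": user, "issued_by": issued_by,
                              "created": time.time()}
        payload = f"{user}|{sid}"
        return f"{payload}|{_sign(payload)}"

    def validate(self, cookie: str):
        """Return the session record for a cookie, or None if it is rejected."""
        parts = cookie.split("|")
        if len(parts) != 3:
            return None
        user, sid, mac = parts
        # Constant-time signature check first: cheap rejection of tampering.
        if not hmac.compare_digest(mac, _sign(f"{user}|{sid}")):
            return None
        # Then the registry check: a valid signature says nothing about how
        # the cookie was obtained, so require a recorded issuance for this user.
        record = self.sessions.get(sid)
        if record is None or record["user"] != user:
            return None
        return record

    def revoke_user(self, user: str) -> int:
        """Invalidate every session for a user (e.g. after a breach notice).
        Returns the number of sessions dropped."""
        doomed = [sid for sid, r in self.sessions.items() if r["user"] == user]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)

    def audit_non_login_sessions(self):
        """Sessions minted by any path other than interactive login. Cookies
        created through an internal account-management tool appear here and
        should be matched against support cases before they are trusted."""
        return sorted((sid, r["user"], r["issued_by"])
                      for sid, r in self.sessions.items()
                      if r["issued_by"] != "login")


def unregistered_cookie(user: str) -> str:
    """Constructed stand-in for a cookie built outside the login path: it is
    correctly signed, but its session id was never registered. Exists only to
    show that validate() rejects signature-only cookies."""
    sid = secrets.token_urlsafe(32)
    payload = f"{user}|{sid}"
    return f"{payload}|{_sign(payload)}"


if __name__ == "__main__":
    store = SessionStore()
    good = store.issue("alice@example.test")
    print("login cookie accepted:", store.validate(good) is not None)
    print("unregistered cookie accepted:",
          store.validate(unregistered_cookie("alice@example.test")) is not None)
    store.issue("bob@example.test", issued_by="account_management_tool")
    print("sessions needing review:", store.audit_non_login_sessions())
```

The design point is that the signing key is not the only secret: possession of a correctly formatted, correctly signed cookie is insufficient unless the issuance was recorded, and the `issued_by` field gives the security operations team a query that surfaces sessions created by privileged tooling rather than by the account holder.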

In a separate statement today, Yahoo commented, "the U.S. Department of Justice announced the indictment of four defendants, two Russian intelligence officers and two state-sponsored hackers, for the theft of Yahoo user data in late 2014, as well as cookie forging to obtain access to user accounts on our network in 2015 and 2016." Yahoo has always maintained its original position that the hack had been state-sponsored, and it is now vindicated. 

Yahoo's statement continued: "We appreciate the FBI's diligent investigative work and the DOJ's decisive action to bring to justice those responsible for the crimes against Yahoo and its users." For its part, the government acknowledged the help of both Yahoo and Google in its investigations, and also acknowledged help from the Canadian authorities and the UK's MI5.

The US hopes, and (officially) expects, that the three Russians will be turned over to the US for trial. "We would hope they would respect our criminal justice system, and respect these charges, and what they need to do," said McCord.

The reality is there is no extradition treaty with Russia, and this is unlikely to happen. Russia has already ignored two requests on Belan, and a third is expected to be issued tomorrow.

"Instead of detaining him [Belan, under the Red Notice] the FSB officers used him to break into Yahoo's networks. Meanwhile, Belan used his relationship with the two FSB officers and his access to Yahoo to commit additional crimes to line his pockets with money," said McCord.

Belan used his access to steal financial information such as gift card and credit card numbers from webmail accounts; to gain access to more than 30 million accounts whose contacts were then stolen to facilitate a spam campaign; and to earn commissions from fraudulently redirecting a subset of Yahoo’s search engine traffic.

The indictment of two Russian security officers will undoubtedly put further pressure on already strained US/Russian relations.

Asked if it would be possible to maintain a good working relationship with the FSB following these indictments, McCord replied, "I think that is a challenge. It is something we will continue to look at. I think this case is going to be a great test of that."

"Any indictment of Russia by the US DOJ will likely be met with recrimination and denial," adds O'Neill. "Russia will likely use the same playbook that China used when we charged five Chinese military spies for cyber espionage against U.S. corporations and a labor organization in 2014... China vehemently denounced the indictment and stated that the US used 'fabricated facts' and that it 'grossly violates the basic norms governing international relations and jeopardizes China-U.S. cooperation'."

“These accounts contain a tremendous amount of personal information, including personally identifiable information, financial account passwords, workplace account passwords, information about investments and financial issues, or details around the workplace projects and business plans of CEOs, attorneys, and high net worth investors, as well as politicians, military officers, or other government officials,” Steve Grobman, Intel Security’s CTO, told SecurityWeek.  

“The public disclosure of such material could be sensitive enough to destroy careers, enable blackmail, endanger a mission, or influence high-level negotiations and decisions. The weaponization of such information in the realm of economic espionage presents unlimited opportunities for monetization," Grobman added.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.