A grand jury in California has charged four people — including two Russian intelligence officers — in a pair of computer hacks against Yahoo that victimised hundreds of millions of consumers, the US Justice Department said on Wednesday.
The men penetrated Yahoo’s email accounts, often using “spear phishing” emails, and used information they obtained to access other accounts at Yahoo and Google. Among those targeted were Russian journalists, US and Russian government officials, a Russian cybersecurity firm, a Russian investment bank, a French transportation company, US financial services and private equity firms, a Swiss bitcoin wallet firm and a US airline, prosecutors said.
The defendants are charged with computer hacking, economic espionage and other criminal offences. Those charged included two officers of Russia’s Federal Security Service, the KGB’s successor spy agency, who worked for the Moscow unit that is the FBI’s point-of-contact on cybercrime.
“Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history,” said Attorney-General Jeff Sessions. “The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law.”
Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43, the FSB officers, hired two criminal hackers to penetrate email networks in a marriage of state-sponsored espionage and traditional criminal thievery, prosecutors said.
Starting in 2014, the FSB officers first hired Alexsey Alexseyevich Belan, aka “Magg,” 29, who previously had been indicted in Nevada and California on charges including identity theft and computer fraud and was named to the FBI’s most wanted list in November 2013. Earlier that year, he escaped from a European jail and fled to Russia.
“Rather than arrest him, however, the FSB officers used him,” the indictment says.
In late 2014, Mr Belan is alleged to have stolen a copy of Yahoo’s User Database (UDB), a proprietary file containing users’ names, recovery email accounts, phone numbers and some of the information needed to manually create account authentication “cookies” for more than 500 million Yahoo accounts.
Using those details and a separate account management tool that he had stolen, Mr Belan broke into Yahoo’s email system.
The FSB officers also helped Mr Belan exploit the Yahoo hack for traditional criminal purposes, giving him sensitive law enforcement intelligence that enabled him to steal credit card and gift card details from compromised Yahoo email accounts, mount a massive spam campaign using details from 30 million Yahoo accounts and earn financial commissions for redirecting Yahoo search engine traffic, including online searches for erectile dysfunction drugs, prosecutors said.
When the Russian intelligence operatives learned that one of their targets had an email account at another internet service, they hired Karim Baratov, 22, a Canadian and Kazakh national who lived in Canada, to hunt them down. Mr Baratov intruded into 80 separate accounts, including ones belonging to the assistant to the deputy chairman of the Russian Federation and an officer of the Ministry of Internal Affairs, it is alleged.
US authorities delivered a provisional arrest warrant for Mr Baratov to their Canadian counterparts on March 7. He was taken into custody on March 14.
Cooperation by Yahoo and Google was essential in bringing charges, according to Mary McCord, acting assistant attorney-general for national security.
Yahoo disclosed last fall that more than 500 million customers had their personal data stolen when hackers backed by a “state-sponsored actor” broke into its network. That followed a separate digital break-in disclosed less than a year earlier, which affected more than one billion users.
The second attack was made public just two months after Verizon had agreed to acquire Yahoo in a nearly $5bn deal. Amid the fallout from the pair of hacks, Verizon negotiated a $350m discount on the purchase price. The deal, slated to close in the second quarter, is now valued at $4.5bn.
The DoJ action comes just days after the disclosure that Yahoo CEO Marissa Mayer stands to receive a $23m “golden parachute” if she is let go following her company’s sale to Verizon.
Also on Monday, Ronald Bell, Yahoo general counsel, resigned after the company admitted that some top executives knew of the attacks for at least two years before the company said anything publicly. In December, the Securities and Exchange Commission opened a formal probe of the company’s delay in reporting the attacks.