The U.S. Department of Justice has charged four people with ties to Russian intelligence agencies with computer hacking, economic espionage and other criminal offenses in connection with hacking Yahoo’s network and email accounts.
Yahoo disclosed two big hacks late last year. News of the first breach came in September, when Yahoo disclosed that at least 500 million user accounts were compromised in late 2014. That was followed by a second disclosure in December, when Yahoo said another attack, this one in 2013, affected more than 1 billion user accounts. The DOJ press release does not address the 2013 attack.
The Washington Post indicates that today’s indictments represent the first time the U.S. has charged Russian government officials with cyber crimes. The suspects include two members of the FSB, the Russian intelligence service, and two for-hire hackers.
The implicated FSB officers are Dmitry Dokuchaev and his superior Igor Sushchin. Ironically, these two work in the division of the FSB tasked with investigating cyber crimes, The Post reports.
One of the suspected hackers, Alexsey Belan, is on the FBI’s most wanted list and is alleged to have committed attacks against e-commerce companies in Nevada and California. He was arrested at the request of the U.S. in Europe but later escaped to Russia, where U.S. officials allege he is being protected and used by the FSB.
The other is Karim Baratov, a Canadian citizen born in Kazakhstan. He was arrested on Tuesday, according to The Post.
“Silicon Valley’s computer infrastructure provides the means by which people around the world communicate with each other in their business and personal lives,” U.S. Attorney Brian Stretch said in a statement. “The privacy and security of those communications must be governed by the rule of law, not by the whim of criminal hackers and those who employ them. People rightly expect that their communications through Silicon Valley internet providers will remain private, unless lawful authority provides otherwise. We will not tolerate unauthorized and illegal intrusions into the Silicon Valley computer infrastructure upon which both private citizens and the global economy rely.”
The indictment sheds more light on the 2014 Yahoo hack, and how hackers used the information they obtained. Here’s how the FSB agents and their hackers gained access to Yahoo accounts, from the DOJ press release:
In or around November and December 2014, Belan stole a copy of at least a portion of Yahoo’s User Database (UDB), a Yahoo trade secret that contained, among other data, subscriber information including users’ names, recovery email accounts, phone numbers and certain information required to manually create, or “mint,” account authentication web browser “cookies” for more than 500 million Yahoo accounts.
Belan also obtained unauthorized access on behalf of the FSB conspirators to Yahoo’s Account Management Tool (AMT), which was a proprietary means by which Yahoo made and logged changes to user accounts. Belan, Dokuchaev and Sushchin then used the stolen UDB copy and AMT access to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 such accounts without authorization.
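To show why a copy of the UDB plus AMT access was enough to mint working cookies, and which design removes that property, here is an added Python sketch; it is not Yahoo’s code and not from the indictment, and the record fields, the per-user secret and the two cookie schemes are constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed record standing in for the user-database fields the press release says
# were needed to mint cookies; the per-user secret lives beside the subscriber data.
USER_DB = {"alice": {"recovery_email": "alice-backup@example.net",
                     "cookie_secret": b"constructed-secret-alice"}}

# Design 1: a self-contained cookie. The server mints it from database fields alone,
# so whoever holds a copy of the database can produce a cookie the verifier accepts
# without any password or login event.
def mint_stateless_cookie(user_id, db):
    tag = hmac.new(db[user_id]["cookie_secret"], user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{tag}"

def verify_stateless_cookie(cookie, db):
    user_id, _, tag = cookie.partition(":")
    rec = db.get(user_id)
    if rec is None:
        return None
    expected = hmac.new(rec["cookie_secret"], user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(tag, expected) else None

# Design 2: server-side sessions. The cookie is a random handle created only by the
# login path; the user database holds nothing from which a valid handle can be
# derived, and revoking a compromised user's access is a delete.
class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user_id):  # called only after the credential check succeeded
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user_id
        return sid

    def verify(self, cookie):
        return self._sessions.get(cookie)

    def revoke_user(self, user_id):  # incident response: log this user out everywhere
        doomed = [s for s, u in self._sessions.items() if u == user_id]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)

def stolen_db_copy_is_enough(db):
    """True when a cookie built from a DB copy alone is accepted by the live verifier."""
    stolen_copy = {k: dict(v) for k, v in db.items()}
    return verify_stateless_cookie(mint_stateless_cookie("alice", stolen_copy), db) == "alice"
```

Design 2 still depends on the path that creates sessions being logged and reviewed, since the press release notes the AMT access was used alongside the stolen UDB copy to pick accounts and mint cookies.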
The hacks were meant to obtain information from various targets of interest to the FSB. In addition, Belan allegedly enriched himself by searching user accounts for credit card and gift card information, redirecting some Yahoo search engine web traffic so he could make commissions, and stealing email contacts for a spam campaign.
Documents show that the hackers used the intrusion to gain access to the Yahoo accounts of three officers at an unnamed U.S. cloud computing company. The hackers also got into a Yahoo account of an unnamed U.S. technology company officer and searched for passwords and VPN information.
We’ve reached out to several tech and cloud companies with a presence in the Seattle area, and so far only Microsoft has responded. The tech giant said in a statement it was unaware of any Microsoft connection to the Yahoo hack.
The hacks also gave the FSB and the hackers access to personal accounts belonging to Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; employees of a Swiss bitcoin banking firm; a sales manager at a major U.S. financial services company; a Nevada gaming official; a senior officer at a major U.S. airline; a managing director of a U.S. private equity firm; and a chief technology officer at a French transportation company.
To cover their tracks, the hackers used a program called “log cleaner,” which removes traces of the intrusion and makes the hackers harder to find.
Following news of the hacks last year, Verizon dropped its purchase price of Yahoo by $350 million, from $4.83 billion to $4.48 billion. The breaches, however, were not enough to scuttle the deal entirely. Verizon still wants access to Yahoo’s global audience of more than 1 billion users, including more than 600 million mobile users, as a way to increase its mobile advertising presence.
Cyberattacks involving Russia have been a hot topic in recent months. The best-known incident came during the presidential election, when two groups of Russian hackers used a blend of spearphishing, booby-trapped websites and remote-access malware to worm their way into the Democratic National Committee’s computers and hurt the party’s prospects in the election, experts from the FBI and the Department of Homeland Security concluded in December.
In January, then president-elect Donald Trump promised within 90 days to deliver “a major report on hacking defense.” At that time, Trump signaled that he accepted findings from U.S. intelligence agencies on Russian hacking after weeks of questioning their conclusions.
“How do we stop this new phenomenon, this fairly new phenomenon, because the United States is hacked by everybody,” he said. “That includes Russia, and China, and everybody.”
Here is the full indictment related to the Yahoo breach:
Developing story, more to come