The United States Department of Justice has indicted two agents of the Russian Federal Security Service (FSB) and two hackers on criminal charges related to the 2014 hack of Yahoo! Mail and related services.
The DoJ alleges that FSB officers Dimitry Dokuchaev and Igor Sushchin “protected, directed, facilitated and paid” criminal hackers Alexsy Belan and Karim Baratov to carry out a massive hacking operation that stretched from 2014 to late 2016 and affected at least 500 million Yahoo Mail users.
The attack breached user account information including names, email addresses, telephone numbers, dates of birth, bcrypt-hashed passwords and encrypted or unencrypted security questions and answers.
According to the indictment, the four defendants then leveraged some of the stolen information to gain access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. Employees of a prominent Russian cybersecurity company were also targeted.
One of the defendants is also accused of exploiting his access to Yahoo’s network for personal financial gain by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions, and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign.
Though Attorney General Jeff Sessions said that “The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law,” the identification of individual Russian agents is “largely symbolic,” says Robert Cattanach, partner at the international law firm Dorsey & Whitney, where he specializes in regulatory litigation including cybersecurity and data breaches.
“There’s probably little likelihood that the identified hackers will ever face justice in the United States. The US has no extradition treaty with Russia,” Cattanach told Solutions Review.
At press time, Karim Baratov, a Kazakh national and resident of Canada, is the only one of the four accused hackers who has been arrested in connection with the case. He was detained by the authorities in Canada on Tuesday.
However, the DoJ’s disclosure of the hackers’ identities is nonetheless significant, says Cattanach.
“[The disclosure] underscores the very cozy relationship between Russian state security apparatus and for-hire Russian hackers. Not only have individual hackers operated with impunity inside Russia, but US security officials increasingly suspect that they are tacitly encouraged by the Russian government, which can then leverage their techniques and intrusions to obtain sensitive information,” Cattanach says.