On Wednesday, the Department of Justice indicted four people for crimes related to a massive hack of email giant Yahoo, including two officers of the Russian Federal Security Service (FSB), one of the country's intelligence and security agencies. The group allegedly used information stolen in the breach to target a myriad of US and Russian government officials, Russian journalists, and private sector employees, according to the indictment.
As well as showing an attack on a US company allegedly carried out to the benefit of the Russian government, the news highlights the already suspected close links between Russian authorities and criminal hackers.
Dmitry Aleksandrovich Dokuchaev, 33 and Igor Anatolyevich Sushchin, 43 are the two FSB officers. Alexsey Alexseyevich Belan, aka "Magg," 29; and Karim Baratov, aka "Kay," 22, are two alleged criminal hackers also included in the indictment. Baratov is a Canadian resident, according to the Department of Justice. The charges include economic espionage and theft of trade secrets.
News of the impending indictment was first reported by Bloomberg on Tuesday. Judging by the indictment, these charges have nothing to do with the likely Russian interference around the recent US election.
In August last year, Motherboard reported Yahoo was investigating an advertisement on a dark web marketplace for millions of alleged Yahoo accounts. It is unclear whether the specific accounts for sale were in fact genuine, but during that probe, Yahoo found it had suffered a 500 million account data breach in 2014. This is the breach that the indictment relates to.
"As part of this intrusion, malicious files and software tools were downloaded onto Yahoo's computer network, and used to gain and maintain further unauthorized access to Yahoo's network and to conceal the extent of such access," the indictment reads. Belan allegedly stole a backup copy of Yahoo's User Database (UDB) in around November or December 2014, according to the document.
The hackers also stole Yahoo's source code for generating authorization cookies, and created their own tokens to log into over 6,500 accounts, the indictment reads. (Yahoo had hinted at this in a December SEC filing). The group didn't just target Yahoo accounts, but Google ones too, the indictment continues.
Perhaps most importantly of all, the indictment shines a light on alleged links between the Russian government and criminal hackers. When the US government issued a Red Notice on Belan related to a previous hacking campaign, instead of detaining him, Dokuchaev and Sushchin used Belan to gain access to Yahoo's network, according to the indictment. One of the FSB officers would pay Baratov whenever he successfully compromised a target email account, the document adds.
In a separate case, but one worth remembering for these links between hackers and the Russian government, Evgeniy Bogachev, the creator of the prolific Zeus criminal botnet, allegedly helped Russian intelligence services gather information on US government targets.
According to the indictment, Belan also leveraged his access to Yahoo's data for his personal gain, using it to manipulate Yahoo search results for erectile dysfunction drugs, and ripping credit card information from Yahoo email accounts.
Even though the data was allegedly stolen back in 2014, it appears the database was still useful for years afterwards. According to the indictment, the hackers used stolen information right up to December 2016.
"We appreciate the FBI's diligent investigative work and the DOJ's decisive action to bring to justice those responsible for the crimes against Yahoo and its users. We're committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime," Chris Madsen, Yahoo's assistant general counsel wrote in a statement.
Yahoo also recently disclosed another seemingly unrelated and even more serious attack. According to the company, hackers compromised over one billion accounts in 2013. Cybersecurity researchers discovered a group of hackers trading this data in August last year for around $300,000, according to The New York Times . One of the customers was allegedly interested in espionage.
After Yahoo announced the breaches, Verizon, which has long been negotiating a takeover of Yahoo, slashed its offer price by some $350 million. In late February, Verizon said it had agreed to a purchase price of $4.48 billion.
A slew of so-called mega breaches emerged throughout 2016, affecting sites such as VK, Myspace, and Tumblr. In October, US prosecutors indicted a Russian named Yevgeniy Aleksandrovich Nikulin for allegedly hacking Dropbox, LinkedIn, and Formspring. He is currently detained in Prague; however, both Russia and the US are seeking his extradition.
The US does not have an extradition treaty with Russia, so it is unclear whether those allegedly behind the Yahoo breach will be arrested anytime soon. Indeed, Belan was put on the FBI's Cyber Most Wanted list back in 2013, according to the Department of Justice press release.
State-sponsored hackers have targeted email giants before. Chinese attackers managed to compromise Google systems back in 2010, likely in an attempt to gain information on US surveillance targets.
Lorenzo Franceschi-Bicchierai contributed reporting.
Subscribe to pluspluspodcast , Motherboard's new show about the people and machines that are building our future.