The U.S. Department of Justice today indicted four individuals, including two Russian FSB officers, it alleges are connected to a massive breach of Yahoo’s network and the theft of information associated with 500 million accounts.
One of the men, Karim Baratov, 22, was arrested March 14 in Canada, while the others are Russian nationals. While DOJ officials said in a press conference they are working on Baratov’s extradition to the U.S., no extradition treaty exists with Russia and it would be up to the government to turn those men over to U.S. authorities.
The two FSB officers, Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43, worked in the FSB Center for Information Security, also known as Center 18. This organization is the FBI’s point of contact in Moscow on matters of cooperation related to cybersecurity incidents.
“These are the very people we are supposed to work with cooperatively in law enforcement channels,” said acting Assistant Attorney General Mary McCord of the National Security Division. “And rather than do that, they turned against that type of work.”
Executive Assistant Director of the FBI’s Criminal, Cyber Response and Services Branch Paul Abbate said there has been limited cooperation in the past with Center 18. Abbate said that the fourth man indicted today, Alexsey Alexseyevich Belan, 29, had been arrested before in Europe but managed to escape to Russia before his scheduled extradition. “We have asked for his return in 2014 through official channels to the Russian government, and we have had no response. And I think that is reflective of the relationship and the approach we needed to take in this case. We need and have to have cooperation from all international partners to resolve cases like this.”
The indictment alleges that the FSB partnered with Belan and Baratov, known cybercriminals, to breach Yahoo’s network and access not only account information but also proprietary information on the creation of cookies used to access Yahoo accounts. The DOJ said in the indictment that the FSB “protected, directed, facilitated and paid criminal hackers” to carry out hacks in the U.S. and elsewhere. While this is not an unusual strategy for nation-state actors, in this case, the attacks were not only for intelligence gathering, but also for-profit operations.
“What the indictment alleges is that these FSB officers used criminal hackers to gain information that clearly some of which has intelligence value, but in doing so, the criminal hackers used this opportunity also to line their own pockets for private financial gain,” McCord said.
The attacks against Yahoo’s network were disclosed last September, but began perhaps as early as 2013. The company from the beginning said state-sponsored hackers were responsible for the intrusions, despite some claims from experts to the contrary.
The DOJ alleges that Dokuchaev and Sushchin used Belan to hack Yahoo rather than turn him over to the U.S. Belan is alleged to have stolen a copy of at least a portion of Yahoo’s User Database, which the DOJ calls a trade secret that contained not only user information, but also proprietary information need to craft authentication cookies used to access accounts. Belan also gained access to Yahoo’s Account Management Tool, which is also proprietary software used to log changes to user accounts.
“Belan, Dokuchaev and Sushchin then used the stolen UDB copy and AMT access to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 such accounts without authorization,” the DOJ said in a press release.
The 6,500 accounts had intelligence value to the FSB and belong to users in the public and private sectors. The attackers, Abbate said, used spearphishing emails to gain a foothold on Yahoo’s network, enabling them to later install malicious files and code. They also leased servers used for command and control at hosts in the U.S. and elsewhere to carry out their operation undetected, as well as to register email accounts using phony subscriber data.
The DOJ also alleges that the FSB officers supported Belan’s other criminal enterprises with law enforcement and intelligence information he could leverage to avoid detection by U.S. authorities and other authorities outside of Russia.
“Additionally, while working with his FSB conspirators to compromise Yahoo’s network and its users, Belan used his access to steal financial information such as gift card and credit card numbers from webmail accounts; to gain access to more than 30 million accounts whose contacts were then stolen to facilitate a spam campaign; and to earn commissions from fraudulently redirecting a subset of Yahoo’s search engine traffic,” the DOJ said.
Baratov’s role in the operation came when the FSB officers wished to obtain access to a Gmail account belonging to another target of interest. Baratov was compensated, the DOJ said, to gain access to more than 80 accounts.
“The Department of Justice is continuing to send a powerful message that we will not allow individuals, groups, nation states, or accommodation of them to compromise the privacy of our citizens, the economic interests of our companies, or the security of our country,” McCord said. “The involvement and direction of FSB officers with law-enforcement responsibilities makes this conduct that much more egregious. There are no free passes for foreign state-sponsored criminal behavior.”