Four men, including two Russian intelligence agents, have been indicted for the theft of Yahoo user data in late 2014, as well as cookie-forging to obtain access to user accounts on the Yahoo network in 2015 and 2016.
The 2014 hack of Yahoo resulted in the exposure of 500 million user accounts. Another even larger breach affecting one billion accounts was announced by the company a few months later. However, no link between the two hacks has been detected.
The four men – two members of Russia's Federal Security Service, known as the FSB, and two hackers hired by the Russians – are looking at 47 criminal charges, including conspiracy, computer fraud, economic espionage, theft of trade secrets and aggravated identity theft, according to a news release from the Justice Department.
"The defendants used unauthorized access to Yahoo's systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies," the DoJ stated.
The defendants are Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident; Igor Anatolyevich Sushchin, 43, a Russian national and resident; Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident; and Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22, a Canadian and Kazakh national and a resident of Canada.
According to the allegations of the indictment: The FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the U.S. and elsewhere. In the present case, they worked with co-defendants Alexsey Belan and Karim Baratov to obtain access to the email accounts of thousands of individuals.
“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI's point of contact in Moscow on cybercrime matters, is beyond the pale,” said Acting Assistant Attorney General Mary B. McCord. “Once again, the Department and the FBI have demonstrated that hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want, but the indictment shows that our companies do not have to stand alone against this threat."
She commended Yahoo and Google for their "invaluable cooperation" in the investigation.
In a statement on the Yahoo site, Chris Madsen, assistant general counsel, head of global law enforcement, security & safety, wrote:
"The indictment unequivocally shows the attacks on Yahoo were state-sponsored. We are deeply grateful to the FBI for investigating these crimes and the DoJ for bringing charges against those responsible."
The indictment validates Yahoo's claim in September 2016 that state-sponsored actors were behind the hack of Yahoo, Madsen wrote.
He expressed appreciation to the FBI for its investigation and the DoJ for its actions in bringing the defendants to justice.
Commenting on the cookie forging used by the defendants, Guy Guzner, CEO at Fireglass, told SC Media on Wednesday that using forged cookies is a known method to authenticate and access accounts without the need to type passwords – while bypassing multi-factor authentication.
"What's even worse than getting access to the actual emails is that attackers can easily infect devices of the account holder or even any of their contact list," Guzner told SC.
For instance, he explained, attackers have recently been known to alter existing emails and add malicious links or attachments which gain control over devices once opened. Such emails, he said, seem very legitimate and have high success infection rates.
"Enterprises allowing access to Yahoo! (and any webmail sites) should be very concerned and consider blocking access to the site to avoid infections. Today's security solutions are unable to detect well-disguised attacks and as long as web content is allowed to enter the organization, they will be at considerable risk."
UPDATE 3/21
Karim Baratov, the 22-year-old Canadian resident accused in the massive hack of Yahoo emails, has been called a flight risk and, in papers filed on March 20, authorities urged the court to arrest him and detain him.
The alleged "hacker-for-hire" was reportedly in the service of the Russian Federal Security Service, known as the FSB, in its attack against Yahoo.
“Given the serious nature of his conduct, the public impact of his hacking-for-hire conduct, his substantial earnings as a result of the unlawful hacking, and his ties to foreign intelligence officers with nation state resources at their disposal, he should be arrested on an urgent basis and detained,” the documents stated.
Authorities feared not only that the suspect had enough money to flee the country, but that he had the capability of destroying evidence – even while in flight.
Baratov, who is of Kazakh origins, was arrested last Tuesday and accused by U.S. authorities on Wednesday, along with three others – including two members of Russia's Federal Security Service – of computer hacking, economic espionage and a number of other crimes.
Baratov's lawyer argued that the accusations against his client were unfounded.
The suspect appeared in court (via a video link on March 17) and a bail hearing was scheduled for April 5.
U.S. authorities urged the court to not release Baratov before his court date, citing the fact that one of his alleged co-conspirators, Alexsey Belan, had done just that – fleeing law enforcement after being released on bail following an arrest in Greece in 2013.
Baratov lived an opulent lifestyle. On social media, he posed with a number of high-end luxury vehicles – including a Lamborghini, a Porsche, a Mercedes and an Aston Martin – and he was known in his Ontario neighborhood for throwing lavish parties.