The U.S. Department of Justice (DOJ) yesterday announced the indictment of two officers with Russia's FSB security agency in connection with the hacks of some 500 million Yahoo user accounts between 2014 and last year. U.S. officials also charged two other men, a Russian national and a Canadian/Kazakh national, for participating in the major Yahoo security breaches.
Acting Assistant Attorney General Mary B. McCord called the indictments a "major law enforcement action related to one of the largest data breaches in U.S. history."
The attacks, first revealed by Yahoo in September, had also threatened to derail Verizon's planned acquisition of a large portion of Yahoo's business. Verizon is proceeding with the deal, expected to close in the second quarter of this year, after cutting $350 million from the price, which now totals $4.48 billion.
Among those named in the indictment, filed Feb. 28 in the U.S. District Court for the Northern District of California, are FSB officer Dmitry Aleksandrovich Dokuchaev, 33; FSB officer Igor Anatolyevich Sushchin, 43; Alexsey Alexseyevich Belan, 29; and Karim Baratov, 22.
'No Free Passes' for State-Sponsored Crime
In a Washington, D.C., press conference announcing the charges yesterday, McCord noted that Dokuchaev and Sushchin both worked for the FSB's Center for Information Security, also known as Center 18, part of the Russian agency that handles cybercrime investigations. Center 18 is also "the FBI's point of contact in Moscow for [cybercrime] matters," she added.
"The involvement and direction of FSB officers with law enforcement responsibilities makes this conduct that much more egregious," McCord said in a statement. "There are no free passes for foreign state-sponsored criminal behavior."
According to the indictment, instead of detaining Belan, who had been named to the FBI's Cyber Most Wanted list in November 2013, Dokuchaev and Sushchin enlisted his help to gain unauthorized access to Yahoo's network. Belan had been indicted in 2012 and 2013 for hacking e-commerce data and was arrested in Europe in June 2013. Before he could be extradited to the U.S., however, Belan escaped to Russia, where he began working with Dokuchaev and Sushchin.
Using information obtained from the Yahoo hacking, the two FSB officers later engaged the help of Baratov to gain unauthorized access to other accounts outside of Yahoo, the indictment stated. Baratov was arrested Tuesday by authorities in Canada.
Did 'Weak Link' Baratov Help Unravel Case?
"The indictment unequivocally shows the attacks on Yahoo were state-sponsored," Chris Madsen, Yahoo's assistant general counsel and head of global law enforcement, security and safety, wrote yesterday on the company's Tumblr blog. "We appreciate the FBI's diligent investigative work and the DOJ's decisive action to bring to justice those responsible for the crimes against Yahoo and its users."
In his analysis of the indictment yesterday, IT security writer Brian Krebs noted that Dokuchaev was reportedly also known by the hacker name "Forb" and was arrested by Russian authorities in December on treason charges for allegedly providing information to the U.S. Central Intelligence Agency. It was Baratov, however, who appeared to be the weak link that might have helped U.S. authorities to unravel the Yahoo case, Krebs said.
Baratov "appears to have been the least careful about hiding his activities, leaving quite a long trail of email hacking services that took about 10 minutes of searching online to trace back to him specifically," Krebs said. "Security professionals are fond of saying that any system is only as secure as its weakest link. It would not be at all surprising if Baratov was the weakest link in this conspiracy chain."
Kevin Bocek, chief security strategist for the enterprise security firm Venafi, told us in an email that it's not surprising to find out that Russian hackers may be behind the Yahoo attacks.
"The ugly truth is that it's nearly impossible for any organization to detect unauthorized, encrypted traffic coming in or out unless they have very strong cryptography practices," Bocek said. "Cyber criminals know how rare encryption protection is, and that's why attacks that leverage stolen or forged cryptographic controls are so successful."
Venafi's evaluation of Yahoo's cryptographic risk posture showed the company lacked "deep visibility into many serious cryptographic risks," Bocek added.
"Unfortunately, this is pretty typical even in large organizations with deep investments in security," he said. "The problem is that organizations use encryption to secure everything -- but without a comprehensive understanding of cryptographic risks, there is absolutely no way for any organization to be confident about security or privacy."