U.S. Indicts 2 Russian Security Officials Over Yahoo Hack

Updated at 2:40 p.m. ET

The Justice Department has announced charges against four people, including two Russian security officials, over cybercrimes linked to a massive hack of millions of Yahoo user accounts.

Two of the defendants — Dmitry Dokuchaev and his superior Igor Sushchin — are officers of the Russian Federal Security Service, or FSB. According to court documents, they "protected, directed, facilitated and paid" two criminal hackers, Alexsey Belan and Karim Baratov, to access information that has intelligence value. Belan also allegedly used the information obtained for his personal financial gain.

"The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI's point of contact in Moscow on cybercrime matters, is beyond the pale," Acting Assistant Attorney General Mary McCord said.

She told reporters that U.S. investigators believe Dokuchaev and Sushchin were working in their official capacity as FSB agents at the time.

Baratov was arrested Tuesday in Canada. NPR's Greg Myre reports that the U.S. plans to seek his extradition, and that three other defendants are in Russia, which has no extradition treaty with the U.S.

Belan is one of the world's most notorious hackers. There's an Interpol "Red Notice" for his arrest, and he has been listed as one of the FBI's Most Wanted hackers since 2012.

"Rather than arrest him, however, the FSB officers used him," the indictment reads. It alleges that the officers also "provided him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by law enforcement."

The massive hack against at least 500 million Yahoo user accounts happened in 2014. The company publicly acknowledged the breach last September, saying at the time that it believed a "state-sponsored actor" was responsible, without naming any foreign government. The disclosure prompted an investigation by U.S. authorities.

Some of the accounts breached had obvious intelligence value. According to court documents, these included: "Russian journalists and politicians critical of the Russian government; Russian citizens and government officials; former officials from countries bordering Russia; and U.S. government officials, including cyber security, diplomatic, military, and White House personnel."

Other targets included businesses, such as a Russian investment banking firm as well as "a French transportation company; U.S. financial services and private equity firms; a Swiss bitcoin and banking firm; and a U.S. airline."

The court documents state that Belan "provided his FSB conspirators ... with the unauthorized access to Yahoo's network." He is also accused of using the access to the network for personal financial gain. For example, he allegedly stole financial and gift card information from the Yahoo accounts, and implemented a spam marketing scheme that impacted millions of users, according to the documents.

Baratov allegedly helped the FSB agents access accounts at other providers such as Google, often assisted by information stolen from the breached Yahoo accounts. He was allegedly paid about $100 per account accessed.

You can read more details of the allegations in the indictment:

The company has also indicated in regulatory filings that forged cookies may have been used to access user accounts. It said today that those cookies are also part of the alleged Russian security breach.

"We appreciate the FBI's diligent investigative work and the DOJ's decisive action to bring to justice those responsible for the crimes against Yahoo and its users," the company said in a statement Wednesday. "We're committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime."

This wasn't the only major breach Yahoo has reported in recent years. The company revealed an even larger hacking incident impacting more than 1 billion accounts that occurred in 2013, as we reported. It's not clear whether the intrusions are related.

Today's charges are also distinct from the U.S. intelligence community's conclusion that Russia launched an "influence campaign" in order to help President Trump win the election.

The Department of Justice is trying to ratchet up pressure on foreign hackers accused of carrying out cyberattacks on U.S. targets. Federal officials have also recently charged individuals from China and Iran over hacking allegations.

In 2014, as NPR's Carrie Johnson reported, the Department of Justice "charged five uniformed members of Unit 61398 of the People's Liberation Army of China with stealing secrets from American business competitors."

Last year, U.S. officials indicted seven hackers with links to the Iranian government for cyberattacks. "Court papers said the intruders attacked the web sites of dozens of major U.S. banks and breached controls at a dam in Rye, N.Y., raising alarms about safeguards in American infrastructure," Carrie reported.