Two of the Perpetrators Believed to be Russian Intelligence Officers
Four individuals—two Russian Federal Security Service (FSB) officers and two criminal hackers—have been charged by a federal grand jury in the Northern District of California in connection with one of the largest cyber intrusions in U.S. history, which compromised the information of at least 500 million Yahoo accounts.
One of the criminal hackers was arrested yesterday by Canadian authorities. The two FSB officers and the second hacker, last known to have been in Russia, are currently fugitives wanted by the FBI.
The indictments were announced today by U.S. Department of Justice Acting Assistant Attorney General Mary McCord, FBI Executive Assistant Director Paul Abbate, and Northern District of California U.S. Attorney Brian Stretch during a press conference in Washington, D.C.
The FSB is an intelligence and law enforcement agency of the Russian Federation, and it’s believed that the two FSB officers work in an FSB unit that serves as the FBI’s point of contact in Moscow on cyber crime matters. According to McCord, “The involvement and direction of FSB officers with law enforcement responsibilities make this conduct that much more egregious—there are no free passes for foreign state-sponsored criminal behavior.”
According to the indictment, from about April 2014 up to at least December 2016, FSB officers Dmitry Dokuchaev and Igor Sushchin directed this cyber intrusion conspiracy—which involved malicious files and software tools being downloaded onto Yahoo’s network—that resulted in the compromise of that network and the theft of subscriber information from at least 500 million accounts. This stolen information was then used to obtain unauthorized access to the contents of accounts at Yahoo, Google, and other webmail providers.
The indictment says that Dokuchaev and Sushchin paid, directed, and protected two known criminal hackers who took part in the scheme—Alexsey Belan, a Russian national and resident, and Karim Baratov, born in Kazakhstan and a naturalized Canadian citizen and resident. Belan, who has been indicted twice in the U.S. in the past for cyber-related crimes, is currently on the FBI’s Cyber Most Wanted list and is the subject of an Interpol Red Notice circulated to Interpol member nations, which include Russia.
The information stolen from the 500 million user accounts came from Yahoo’s proprietary user database, which contained information such as users’ names, recovery e-mail addresses, phone numbers, and certain information needed to manually create (that is, forge) the web browser cookies Yahoo uses to authenticate accounts.
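The page does not describe Yahoo’s cookie format, only that data in the stolen user database was enough to manually create authentication cookies. The following added example (not code from the page or from Yahoo) illustrates the general failure mode behind that sentence: if a session cookie’s validity can be computed entirely from fields that live in the user database, a database dump lets an attacker mint a valid cookie for any account without a password, whereas a cookie tagged with a server-side key kept outside that database cannot be minted from the dump alone. The column names, the `account_nonce` field, and the sample row are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a leaked user-database row. The page says the stolen
# database held names, recovery addresses, phone numbers and "certain
# information needed to manually create" authentication cookies; the column
# names here are assumptions for illustration, not Yahoo's real schema.
LEAKED_DB = {
    "u-1001": {
        "email": "target@example.com",
        "recovery_email": "backup@example.net",
        "account_nonce": "2c9d1e4f5a6b7c8d",  # per-account secret stored in the same DB
    }
}


def mint_weak_cookie(user_id, nonce, expires):
    """Hypothetical weak scheme: the cookie's tag is derived only from values
    that sit in the user database. Whoever holds a dump of that database can
    compute a valid cookie for any account."""
    tag = hashlib.sha256(f"{user_id}|{nonce}|{expires}".encode()).hexdigest()
    return f"{user_id}:{expires}:{tag}"


def verify_weak_cookie(cookie, db, now):
    user_id, expires, tag = cookie.split(":")
    row = db.get(user_id)
    if row is None or int(expires) <= now:
        return False
    expected = hashlib.sha256(
        f"{user_id}|{row['account_nonce']}|{expires}".encode()).hexdigest()
    return hmac.compare_digest(tag, expected)


def mint_strong_cookie(user_id, expires, server_key):
    """Keyed scheme: the tag is an HMAC under a server-side key that is never
    stored in the user database (in practice held in a KMS or HSM). A database
    dump alone does not let an attacker compute it."""
    tag = hmac.new(server_key, f"{user_id}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{expires}:{tag}"


def verify_strong_cookie(cookie, db, server_key, now):
    user_id, expires, tag = cookie.split(":")
    if user_id not in db or int(expires) <= now:
        return False
    expected = hmac.new(server_key, f"{user_id}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def attacker_forges(db_dump, server_key, now):
    """Simulates an attacker who holds only the database dump (the page's
    scenario). Returns (weak_cookie_accepted, strong_cookie_accepted)."""
    user_id = "u-1001"
    expires = now + 3600
    # Weak scheme: everything needed to mint the cookie is in the dump.
    weak = mint_weak_cookie(user_id, db_dump[user_id]["account_nonce"], expires)
    # Strong scheme: the attacker has to guess the server key; a fresh random
    # key stands in for that guess.
    guessed_key = secrets.token_bytes(32)
    strong = mint_strong_cookie(user_id, expires, guessed_key)
    return (verify_weak_cookie(weak, db_dump, now),
            verify_strong_cookie(strong, db_dump, server_key, now))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print(attacker_forges(LEAKED_DB, key, now=1_700_000_000))  # (True, False)
```

The keyed scheme limits what a database dump alone yields; it is not a complete defense here, because the page also says malicious tools were installed on Yahoo’s network, and an attacker with code execution on the servers that sign cookies can sign with the real key. After that kind of compromise the practical response is to rotate the cookie-signing key and invalidate outstanding sessions, not just to reset passwords.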
What were the alleged perpetrators after? In part, they used access to Yahoo’s networks to identify and access accounts of possible interest to the FSB, including those of Russian journalists, U.S. and Russian government officials, and employees of U.S., Russian, and other providers whose networks the conspirators sought to exploit. Additional victim accounts belonged to private sector employees of financial, transportation, and other types of companies.
However, the co-conspirators were not above using the information they stole for personal financial gain. For example, Belan allegedly searched Yahoo user communications for credit card and gift card account numbers. He also leveraged the contact lists obtained from at least 30 million Yahoo accounts to perpetrate his own spam scheme.
Computer intrusions, by their very nature, are international in scope, so they require an international effort to unmask the worldwide hacking networks responsible for them. And this case was no different. Abbate expressed the Bureau’s gratitude to our international partners for their assistance and support leading up to these criminal charges today—specifically mentioning the Royal Canadian Mounted Police, the Toronto Police Service, and the United Kingdom’s MI5.
Another important aspect of this case involved the victim companies—including Yahoo and Google—coming forward and working with law enforcement. This collaboration ultimately resulted in countering the malicious activities of state actors and bringing criminals to justice. It also illustrates that the FBI can successfully work these kinds of investigations with victim companies while respecting the various concerns and considerations businesses might have about the impact of going public.
“This is a highly complicated investigation of a very complex threat,” said Abbate. “It underscores the value of early, proactive engagement and cooperation between the private sector and the government.”
Among the FBI’s major investigative priorities are protecting the U.S. against foreign intelligence operations and espionage and protecting the U.S. against cyber-based attacks and high-technology crimes. This case involved both. And it doesn’t matter to us whether the perpetrators of such crimes are run-of-the-mill criminals or sophisticated foreign states and their agents. With the help of our partners at home and abroad, we will identify those responsible and hold them accountable for their actions.