Russian Spies Charged Over 2014 Yahoo Hack

The US has charged four people - including two Russian spies - over the 2014 hack of Yahoo, which exposed 500 million accounts.

The US Department of Justice (DoJ) alleges that members of Russia’s Federal Security Agency (FSB) conspired with criminal hackers to breach Yahoo’s defenses, targeting Russian journalists, Russian and US government officials and employees of an unnamed Russian cybersecurity company.

According to Reuters, this is the first time US officials have criminally charged Russian spies for cyber-offences.

In total, 47 charges have been filed against the defendants. These include conspiracy, computer fraud and abuse, economic espionage, theft of trade secrets, wire fraud, access device fraud and aggravated identity theft, Reuters said.

The DOJ named the suspects as FSB officers Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin. According to the charges, they worked closely with Russian national Alexsey Belan and Karim Baratov, a resident of Canada. It is alleged that the FSB officers passed sensitive “law enforcement and intelligence information that would have helped him avoid detection by US and other law enforcement agencies outside Russia.”

Additionally, it is alleged that Belan used his access to Yahoo’s database to steal financial information such as credit cards and gain access to around 30 million accounts whose contacts he stole to facilitate a massive spam campaign.

Belan is no stranger to US authorities. He has been indicted twice before, for computer fraud and abuse, access device fraud and aggravated identity theft involving three US-based e-commerce companies. He is also on the FBI’s Cyber Most Wanted list.

“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale,” Acting Assistant Attorney General Mary McCord said at a press conference announcing the charges.

These charges relate only to the 2014 Yahoo hack, which Yahoo revealed in September 2016. At the time the company said it believed a "state-sponsored" actor was behind the intrusion. Information stolen included names, email addresses, telephone numbers, dates of birth and hashed passwords. No credit card or payment information was stolen.

A separate data breach, dating back to 2013 but only revealed in December 2016, exposed account information belonging to one billion users. An investigation into that breach is ongoing.

Responding to these charges, Yahoo said in a statement: “The indictment unequivocally shows the attacks on Yahoo were state-sponsored. We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible.

“We appreciate the FBI’s diligent investigative work and the DOJ’s decisive action to bring to justice those responsible for the crimes against Yahoo and its users,” the statement said.

Details about the breaches came out as Yahoo was in the process of being taken over by telecoms giant Verizon. The revelations forced Yahoo to accept an offer lower than originally agreed. Yahoo has been heavily criticized for its handling of the breaches.
