The indictment on Wednesday of four men, including two Russian intelligence officers, on charges of massive data theft from Yahoo has been hailed by US authorities as part of an ongoing breakthrough in the fight against cybercrime.
Announcing the indictment, US Attorney General Jeff Sessions praised the “tireless efforts by US prosecutors and investigators” that led to the identification of the four individuals.
Speaking of his agency’s role in the case, FBI Director James Comey said: “Today we continue to pierce the veil of anonymity surrounding cyber crimes. We are shrinking the world to ensure that cyber criminals think twice before targeting U.S. persons and interests.”
In a similar vein, Acting Assistant Attorney-General Mary McCord said: “the Department of Justice is continuing to send a powerful message that we will not allow individuals, groups, nation-states, or a combination of them to compromise the privacy of our citizens, the economic interests of our companies, or the security of our country.”
However, it seems that national security interests may have trumped citizens’ privacy concerns in the FBI’s pursuit of the case.
FBI Special Agent Jack Bennett told media his investigators had worked on the case for two years, “although the inquiry intensified last year”. Yahoo did not inform its users of the breach until September 2016, when it advised them to change their passwords.
An internal investigation by the company’s board found that some senior executives and information security personnel were aware of the breach shortly after it occurred in 2014 but “failed to properly comprehend or investigate” the situation.
Last month the company’s top lawyer, Ronald S. Bell, resigned over the episode, and its chief executive, Marissa Mayer, lost her 2016 bonus and 2017 stock compensation. The affair has been blamed for wiping $350 million off the acquisition price for Yahoo offered by Verizon.
On Wednesday McCord declined to comment on media speculation that the four indicted individuals might also have been involved in last year’s theft of e-mails from the US Democratic National Committee.
Democrats have alleged that that breach was part of a Russian-sponsored campaign to influence the result of the US presidential election.
Intense controversy over that claim may have added to pressure on US authorities to go public with some of their findings on the Russian Federal Security Service (FSB)’s alleged involvement in cyber attacks in the US.
The Yahoo case is the first time federal prosecutors have brought cyber crime charges against Russian intelligence officials.
The indictment names FSB officers Dmitry Dokuchaev and Igor Sushchin, as well as Alexsey Belan, a Russian national, and Karim Baratov, a Canadian and Kazakh national.
Officials said the main purpose of the Yahoo hack was to gather political and economic intelligence. The hackers stole a database of some 500 million Yahoo users along with proprietary Yahoo code, which they used to forge session cookies, a technique that gave them full access to millions of Yahoo accounts without needing the account passwords.
They found accounts of interest by searching the non-Yahoo recovery email addresses users had provided, which let them single out employees of specific companies or organizations as targets for further attacks. At least 50 Gmail accounts were targeted, as were accounts at financial firms and other technology providers.
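The cookie-forging technique above is why a stolen signing secret is, in effect, every user’s password. The following is an added illustration, not Yahoo’s code, and it assumes a particular cookie design: a stateless cookie whose validity rests entirely on an HMAC over its payload under a server-held key (the page says only that stolen proprietary code let the attackers mint valid cookies, so the key-based model is an assumption). The key, user names and session store are all constructed for the example. The second half shows the design a defender would want instead: a cookie that carries only a random session id, which the server resolves against a record that exists only after a real login, plus a revoke-all step for incident response.

```python
"""Why a leaked cookie-minting secret is as good as every user's password.

Added illustration, not Yahoo's code. The signing key, user names and the
session store are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a server-side cookie-signing secret.
SERVER_KEY = b"constructed-cookie-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user: str, key: bytes, now: int, ttl: int = 3600) -> str:
    """Stateless signed cookie: b64(payload).b64(HMAC-SHA256(payload)).

    Whoever holds `key` can mint one for any user; the server checks only
    the signature, never a password or a login event.
    """
    payload = json.dumps({"u": user, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_cookie(cookie: str, key: bytes, now: int):
    """Return the user named in a valid, unexpired cookie, else None."""
    try:
        p64, s64 = cookie.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
        data = json.loads(payload)
    except (ValueError, TypeError):  # binascii.Error and JSONDecodeError are ValueErrors
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if not isinstance(data, dict) or data.get("exp", 0) < now:
        return None
    return data.get("u")


def attacker_forges(victim: str, stolen_key: bytes, now: int) -> str:
    """The attack: with the signing key in hand, mint a cookie for any account."""
    return mint_cookie(victim, stolen_key, now)


def _sign_sid(key: bytes, sid: str) -> str:
    return _b64(hmac.new(key, sid.encode(), hashlib.sha256).digest())


class SessionStore:
    """Hardened design: the cookie carries a random session id, and access is
    granted only if the server has a record for it. The record is created by
    login(), so a stolen key alone no longer mints access."""

    def __init__(self, key: bytes):
        self._key = key
        self._sessions = {}  # session id -> (user, expiry)

    def login(self, user: str, password_ok: bool, now: int, ttl: int = 3600):
        if not password_ok:
            return None
        sid = secrets.token_urlsafe(32)  # 256-bit random id, not guessable
        self._sessions[sid] = (user, now + ttl)
        return f"{sid}.{_sign_sid(self._key, sid)}"

    def resolve(self, cookie: str, now: int):
        try:
            sid, sig = cookie.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, _sign_sid(self._key, sid)):
            return None
        record = self._sessions.get(sid)
        if record is None or record[1] < now:
            return None
        return record[0]

    def revoke_all(self):
        """Incident response: drop every session so every cookie, forged or
        legitimate, must be re-earned by logging in."""
        self._sessions.clear()


def attacker_forges_store_cookie(stolen_key: bytes, sid: str) -> str:
    """Same key theft against the hardened design: the signature checks out,
    but no login ever created a record for this id, so resolve() refuses it."""
    return f"{sid}.{_sign_sid(stolen_key, sid)}"
```

The point of the contrast is where authority lives: in the stateless design the key is the authority, so stealing the code or config that holds it is equivalent to stealing every password; in the session-store design the authority is the login-created record, and the key only protects the id from tampering, so a compromise can be closed out by clearing the store rather than by asking half a billion users to change passwords.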
Media reports say Alexsey Belan was making money on the side from the Yahoo accounts, using them to steal credit card and gift card numbers. He has been indicted twice before for attacks against US e-commerce firms and has been named as one of the FBI’s most wanted cybercriminals.
One of the suspects, Karim Baratov, was arrested by the authorities in Canada on Tuesday. The other three are in Russia and are unlikely to be handed over. There has been no official comment from Moscow on the indictment.
Nonetheless, officials said they believe criminal charges are a powerful deterrent against cyberattacks. As an example, they pointed to a decline in Chinese hacking of United States targets after charges were brought in 2014 against five Chinese military officials over damaging attacks on government and private-sector systems.
Although US authorities did not mention it on Wednesday, the FSB officer and suspect Dmitry Dokuchaev has been in custody in Russia since last December. No official reason has been given for his arrest, but Sputnik, a Russian state-sponsored publication, reported this week that Dokuchaev and his former boss, Sergei Mikhailov, who was arrested at the same time, are accused of passing state secrets to US intelligence.
Reuters reported last month that Russian businessman Pavel Vrublevsky claims to have filed a complaint in 2010 accusing the two FSB officials of collaborating with the CIA.
Vrublevsky is named in Brian Krebs’ exposé of Russian cybercrime networks, “Spam Nation”, as one of the internet’s most notorious spammers who, at the same time, chaired an anti-spam working group advising the Russian telecoms ministry. In 2013 he was convicted over a DDoS attack and jailed for nine months.
Details will probably remain murky, but the long-running infighting within the FSB (of which Vrublevsky was also a victim) suggests the FBI has had the two Russian intelligence officers in its sights for some time.
Yahoo had previously blamed state-sponsored hackers for the 2014 breach, and has thanked the FBI for confirming that statement. Special Agent Jack Bennett said on Wednesday that the FBI is still investigating a separate, larger breach of one billion Yahoo accounts that occurred in 2013 but was not disclosed by the company until three months ago.
Commenting on the indictment, Tom Patterson, chief trust officer and vice president of security at Blue Bell, Pennsylvania-based Unisys, told the technology publication CRN that it shows hackers can still be prosecuted for attacks, even as it becomes “harder and harder” for companies to identify and recover from attacks by a nation-state adversary.
“It’s good to have some consequences applied to people that are doing harm,” Patterson said.
But, he added, it is next to impossible for victim companies to prove who is behind a cyberattack.
He advised companies to put their efforts into better defence, including patching, stronger passwords, security analytics and network segmentation.