US charges Russian intelligence agents with 2015 Yahoo Breach

News by Max Metzger

A Northern California court has issued an indictment for four individuals, two Russian hackers and two Russian intelligence officials, for the massive 2015 breach of Yahoo

The US has charged two Russian intelligence officials with the 2015 hack on Yahoo. Dozens of charges have been filed by the US Department of Justice (DOJ) against the two intelligence officials as well as two hackers hired for the operation.

The charges amassed against the suspects include conspiracy to commit computer fraud, economic espionage, theft of trade secrets, wire fraud and a variety of other fraud and computer misuse offences. If proven, the amassed charges are likely to carry a great deal of prison time for the four defendants.

The news comes just hours after an anonymous source told Bloomberg that the DOJ was ready to issue indictments and would be serving them soon.

The indictment's account of events is plain. In around 2014, FSB officers Dmitry Dokuchaev and Igor Sushchin employed Alexsey Belan and Karim Baratov to help them gain unauthorised access to a variety of computers and steal information.

Though the suspects are charged with the 2015 Yahoo breach, the indictment talks of a far-reaching campaign which sought to exploit international financial and private equity services, a French transportation company, a US airline and a Swiss banking firm.

In return for those services, the indictment states, the FSB offered Baratov and Belan protection, money and information that would help them avoid detection.

Using a variety of email accounts, international servers and virtual private networks, the conspirators avoided detection by law enforcement for quite some time. They commonly employed spear-phishing emails to exploit their targets, but perhaps their most noted tactic was the creation of authentication cookies, known as 'minting'. The cookies allowed the adversaries access to accounts even if users had changed their credentials.
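Why a minted cookie can outlive a password change, and the server-side check that closes that gap, as an added illustration that is not from the article or from Yahoo's systems: a constructed, signed session-cookie scheme in which each cookie records the user's credential version, so cookies issued before a password change stop validating. The signing key, user table and field names are invented for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo values: a server signing key and an in-memory user table.
# "cred_version" is bumped whenever the user's credentials change.
SECRET = b"demo-signing-key-not-a-real-secret"
USERS = {"alice": {"cred_version": 1}}

def _sign(raw: bytes) -> str:
    return hmac.new(SECRET, raw, hashlib.sha256).hexdigest()

def mint_cookie(user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Issue a signed session cookie that records the current credential version."""
    now = time.time() if now is None else now
    body = {"u": user, "v": USERS[user]["cred_version"], "exp": now + ttl}
    raw = json.dumps(body, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode() + "." + _sign(raw)

def verify_cookie(cookie: str, bind_to_credentials: bool = True,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is valid, else None.

    bind_to_credentials=False mimics a scheme that checks only signature and
    expiry, so a cookie issued before a password change is still accepted.
    """
    now = time.time() if now is None else now
    try:
        b64, sig = cookie.split(".", 1)
        raw = base64.urlsafe_b64decode(b64)
        body = json.loads(raw)
    except ValueError:  # malformed cookie (bad split, padding or JSON)
        return None
    if not hmac.compare_digest(_sign(raw), sig):
        return None  # signature mismatch: payload or signature was tampered with
    if body.get("exp", 0) < now:
        return None  # expired
    user = USERS.get(body.get("u"))
    if user is None:
        return None  # unknown user
    if bind_to_credentials and body.get("v") != user["cred_version"]:
        return None  # issued before the last credential change
    return body["u"]

def change_password(user: str) -> None:
    """Simulate a credential change; every previously minted cookie goes stale."""
    USERS[user]["cred_version"] += 1
```

Binding cookies to a credential version only invalidates tokens issued before a password change; if the signing key itself has been taken, the key must be rotated as well, which invalidates every outstanding cookie at once.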

Jeremiah Grossman, chief of security strategy at SentinelOne, told SC Media UK that the presence of these cookies indicates “a deep level of intrusion. There probably wasn't much they couldn't access. With that level of access, and if they were on Yahoo's system for months/years, how do you even trust your own source code?”

At least 6,500 accounts were accessed this way. The indictment alleges that the targets were mainly those affiliated with webmail providers and cloud computing companies as well as critics of the Russian government such as journalists, dissidents and government officials and politicians from the US and countries bordering Russia.

Belan even enriched himself through access to those accounts, retrieving financial information, selling access to the accounts and minting cookies for 30 million accounts to further his own spam marketing scheme.

Tim Matthews, vice president at Imperva, told SC that this case should prove that nation states aren't only interested in other nation states: “Now we have learned that elite teams of state sponsored conspirators and hackers are also seeking access to corporate data.”

What's more, Matthews added, "the state sponsored conspirators of this cyber-war are, as in ancient times, giving the spoils of this war to their hacker combatants."

Yahoo did not respond to a request for comment in time for publication. This article will be updated when the company does respond.
