U.S. to Charge Russian Hackers in Massive Yahoo Data Breach

(CN) – The United States on Wednesday charged four defendants, including two Russian security services officers, in connection with a massive data breach at Yahoo two years ago.

According to the Justice Department, Dmitry Dokuchaev and Igor Sushchin, both FSB officers, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the U.S. and elsewhere.

Through their hacking of Yahoo, co-defendants Alexsey Belan and Karim Baratov obtained access to the email accounts of an estimated 500 million Yahoo users.

Baratov, who also used the aliases “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” has reportedly been arrested in Canada.

Dokuchaev, Sushchin,  and Belan, also known as “Magg,” are all Russian nationals and remain at large.

Getting to them might not be easy. The United States does not have an extradition treaty with Russia.

However, even if three individuals are not taken into custody, U.S. officials said they hope the mere filing of the charges and other steps the government might take will serve as a deterrent to future hacks.

The charges stem from the heist of 500 million Yahoo user accounts in 2014 and are the first to be brought against Russian government officials.

They include hacking, wire fraud, trade secret theft and economic espionage, according to officials, who spoke on condition of anonymity because the charges have not yet been announced.

The indictments are part of the largest ever hacking case brought by the United States.

According to the Justice Department, the defendants gained unauthorized access to Yahoo’s systems to steal information from the Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers.

Among the known victims of the hack were Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies.

One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign, the government said.

Belan was previously indicted in September 2012 and June 2013 and was named one of FBI’s Cyber Most Wanted criminals in November 2013.

An Interpol Red Notice seeking his immediate detention has been lodged (including with Russia) since July 26, 2013. Belan was arrested in a European country on a request from the U.S. in June 2013, but he was able to escape to Russia before he could be extradited.

It was then that Dokuchaev and Sushchin began using him to gain unauthorized access to Yahoo’s network.

In late 2014, the government says, Belan stole a copy of at least a portion of Yahoo’s user database, a Yahoo trade secret that contained, among other data, subscriber information including users’ names, recovery email accounts, phone numbers and certain information required to manually create, or “mint,” account authentication web browser “cookies” for more than 500 million Yahoo accounts.

Belan also allegedly obtained unauthorized access on behalf of the FSB conspirators to Yahoo’s account management tool, which was a proprietary means by which Yahoo made and logged changes to user accounts.

Belan, Dokuchaev and Sushchin then allegedly used the stolen UDB copy and AMT access to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 accounts without authorization.

Yahoo didn’t disclose the 2014 breach until last September when it began notifying at least 500 million users that their email addresses, birth dates, answers to security questions and other personal information may have been stolen.

Three months later, Yahoo revealed it had uncovered a separate hack in 2013 affecting about 1 billion accounts, including some that were also hit in 2014.

The charges are unrelated to the hacking of the Democratic National Committee and the FBI’s investigation into Russian interference in the 2016 election.

Representatives of the Justice Department declined to comment on the reports.