Russian Agents Accused by U.S. of Masterminding Yahoo Hack

(Bloomberg) -- The U.S. government accused Russia of directing some of the world’s most notorious cybercriminals to break into computer systems, namely a half-billion accounts at Yahoo! Inc., in a broad scheme that married illicit profits and intelligence gathering.

The broadside against the Russian government appeared in an indictment unsealed Wednesday in San Francisco federal court alleging a widespread conspiracy by two Russian FSB security agents and a pair of hackers. One of the hackers was arrested in Canada. While the U.S. government has little chance of getting the others extradited from Russia, it used the announcement to make a public and detailed case that Moscow is orchestrating criminal hacks and shielding those who commit them.

“We have reason to believe, based on our evidence, they were acting in their capacity as FSB officials,” said Mary McCord, acting assistant attorney general for the Department of Justice’s national security division.

Prosecutors outlined a scheme of economic espionage, wire fraud and theft of trade secrets, accusing the two Russian agents of conspiring with a hacker in the 2014 breach of Yahoo. The other hacker, a Kazakh-born Canadian citizen, is accused of targeting people inside Russia in related information-gathering schemes.

Details of the 2014 Yahoo hack, and another breach of the company in 2013, threatened to derail its pending acquisition by Verizon Communications Inc. and ultimately led to a lower proposed purchase price.

The U.S. indictment appears to pull back the curtain on the use of criminal hackers by Russia’s spy agencies to attack key U.S. targets, including the largest purveyors of web-based email, Google and Yahoo. Russian intelligence agents are able to recruit some of the country’s best hackers by threatening them with charges if they don’t cooperate, according to the U.S. indictment. The FSB agents sheltered one of the accused hackers from prosecution and gave him sensitive information that helped him evade international law enforcement, it said.

Together, the conspirators gained unfettered access to operate inside Yahoo’s network. Breaching a database of at least 500 million Yahoo email accounts, they looked for people of political interest and keywords in ordinary people’s accounts that would make them vulnerable to financial fraud.

They also stole the secret cryptographic values that Yahoo assigns to each user for generating cookies, the files on a person’s computer that contain details of their login history. The attackers then generated their own cookies, bypassing passwords and tricking Yahoo’s server into letting them into accounts, ultimately stealing contents of 6,500 Yahoo accounts.

“­The indictment unequivocally shows the attacks on Yahoo were state-sponsored” as the company had initially disclosed, ­­said Chris Madsen, an assistant general counsel for security and law enforcement at Yahoo. Shares of the company finished 0.2 percent lower in Wednesday trading, to $46.29.

Spy Agencies

The list of hacking victims in the U.S. was diverse, including the White House and its military and diplomatic corps. Conspirators also reaped information on a swath of global companies and their executives, including a U.S. financial services company, an airline and a private equity firm, the U.S. said, without identifying them.

It’s the second instance in recent months in which the U.S. accused Moscow of using cyberattacks to undercut U.S. institutions. Justice Department officials said Wednesday there was no link between the Yahoo case and a national security probe into Russian interference in the U.S. presidential election.

A Putin spokesman, Dmitry Peskov, didn’t directly address the charges against Russian security officials but said Moscow was interested in cooperating with the U.S. to combat cyber threats. The press office for the FSB, the main successor to the Soviet KGB that is known formally as the Federal Security Service, didn’t answer phone calls. 

Washington didn’t contact Moscow over the allegations, a senior Russian official told Russia’s Interfax news agency. The unidentified official dismissed the topic as part of an internal U.S. political struggle.

Ratcheting Up

The U.S. government has been ratcheting up pressure on Russian hacking networks over the last few months. In December, the Treasury Department imposed sanctions on two Russians -- Evgeniy Mikhailovich Bogachev and Aleksey Alekseyevich Belan –- for engaging in “malicious cyber-enabled activities.” The announcement was made as President Barack Obama took steps against Russia for attempting to interfere with the U.S. presidential election.

One of those hackers, Belan, was charged in the Yahoo case. He has been charged twice previously for cyberattacks of technology companies. 

The U.S. indicted Igor Sushchin, who it said worked for the FSB and specialized in cyber investigations, and Dmitry Dokuchaev, described as a hacker for hire who was pressed into working for the FSB to avoid prosecution for bank-card fraud. The indictment said Dokuchaev worked with an FSB unit known as “Center 18,” the point of contact for the U.S.’s Federal Bureau of Investigation for probes into cybercrimes. He was detained in December by Russian authorities and accused of “interacting” with U.S. intelligence.

The defendants couldn’t immediately be reached for comment.

The U.S. alleged that the fourth man, Kazakh-born Canadian citizen Karim Baratov, helped gather information on Russians in league with the FSB. He was arrested Tuesday by the Royal Canadian Mounted Police and awaits an extradition hearing. Amedeo DiCarlo, a lawyer in Hamilton, Ontario, said he had been retained by Baratov’s family to defend him and declined to comment on the case.

Bounty Payment

Belan was already an accomplished hacker and international fugitive when the Yahoo hack began in 2014. He had been indicted twice in the U.S. for defrauding e-commerce sites, and in 2013 landed on the FBI’s Cyber Most Wanted List. The U.S. wanted poster identified him as a Russian-speaking Latvian operating under multiple aliases (Magg, M4G and Moy.Yawik) and possibly traveling in disguise. In late 2013, he fled to Russia after being arrested in Europe on a U.S. warrant, the Justice Department said.

Working with Dokuchaev and Sushchin, Belan pilfered Yahoo accounts to line his own pockets: He stole gift card and credit card numbers, earned commissions by fraudulently redirecting Yahoo search traffic and mounted a spam campaign using his access to 30 million emails, according to the indictment.

The FSB agents also paid him to gather intelligence, the U.S. said. The Yahoo email accounts he breached almost certainly provided sensitive personal data to Russia’s increasingly unpredictable spy agencies.

The FSB agents directed hacking that stretched beyond the U.S., as well. They enlisted Baratov to target some critics of the Russian government, including journalists and politicians, a board member and senior officer of a Russian financial firm, and a senior officer of a Russian email provider, the indictment said. In one mission, the hackers were instructed to compromise Google accounts belonging to an officer of the Russian Ministry of Internal Affairs and a training expert for Russia’s Sports Ministry.

Russian Targets

As outlined by the U.S. government, Baratov was paid to gain access to 80 email accounts, including 50 Google accounts. He mounted spear-phishing attacks, used fake emails to compel targets to provide sensitive information and sold passwords he obtained to Dokuchaev.

Google declined to comment.

The U.S. is seeking forfeiture of funds held in a PayPal accounts controlled by Baratov and Dokuchaev, and two luxury cars -- a gray Aston Martin DBS with a “Mr. Karim” vanity plate and a black Mercedes Benz C54.

Earlier Breach

The 2014 hack outlined in the U.S. indictment was the second major breach of Yahoo’s systems in recent years. In December, the company said user data had been stolen from more than 1 billion accounts in August 2013. The company said in a filing this month that it wasn’t able to identify the intruders associated with that breach.

A Bloomberg News review of the trove purloined in that attack showed that the hackers had obtained access to email accounts of at least 150,000 people working across the U.S. government -- in intelligence, the military, the White House and on Capitol Hill.  Such a leak could allow a foreign intelligence service to identify employees and hack their personal and work accounts for surveillance or blackmail.

The 2013 breach was discovered by Andrew Komarov, chief intelligence officer for InfoArmor, who had been tracking a prolific Eastern European hacker group that he spotted offering 1 billion Yahoo accounts for $300,000 in a private sale.

By watching the group’s communications, he was able to determine that it sold the database three times. Two buyers were large spamming groups. The third buyer provided a list of 10 names of U.S. and foreign government officials and business executives to verify that their logins were part of the database, Komarov said. The unusual request, Komarov said, indicated that the buyer might be linked to a foreign intelligence agency.

It’s unclear whether the 2013 Yahoo hack has any connection to the subsequent one now attributed to the Russians. The earlier intrusion is still under investigation, a U.S. official said Wednesday.

--With assistance from Jordan Robertson Josh Wingrove Brian Womack Gerrit De Vynck David McLaughlin Mark Bergen and Stepan Kravchenko

To contact the reporters on this story: Michael Riley in Washington at michaelriley@bloomberg.net, Greg Farrell in New York at gregfarrell@bloomberg.net, Tom Schoenberg in Washington at tschoenberg@bloomberg.net.

To contact the editors responsible for this story: Jillian Ward at jward56@bloomberg.net, Jeffrey D Grocott, David S. Joachim