The indictment, unveiled by the justice department on Wednesday, said that the hack targeted the email accounts of Russian journalists and opposition politicians; former government officials in neighboring countries; and several US government figures, including “cyber security, diplomatic, military and White House personnel”.
At a press conference in Washington, the acting assistant attorney general for national security, Mary McCord, said: “The department of justice is continuing to send a powerful message that we will not allow individuals, groups, nation-states, or a combination of them to compromise the privacy of our citizens, the economic interests of our companies or the security of our country.
The justice department has previously charged Russian hackers and hackers sponsored by the Chinese and Iranian governments, but Wednesday’s indictment marked the first criminal case for cybercrimes brought against Russian government officials.
It comes amid intense political controversy over Russian interference in the US election, including a data breach of the Democratic National Committee.
McCord declined to comment on whether there was a link between the Yahoo hack and Russia’s alleged attempts to sway the election in Donald Trump’s favour.
But the indictment provides the latest indication that the US is willing to retaliate against data thefts with foreign ties in a criminal forum.
The two Russian intelligence agents were identified as Dmitry Dokuchaev and Igor Sushchin, both of whom work for the FSB, the Russian spy agency successor to the KGB.
Dokuchaev was described as an officer in the FSB Center for Information Security, known as “Center 18”, which is supposed to investigate hacking.
According to the Washington Post, which first reported news of the charges, he began working for the agency to avoid prosecution for credit card fraud.
Dokuchaev was one of two FSB agents arrested in December, according to Russian news agencies, and charged with treason over alleged cooperation with the CIA.
It was unclear at the time whether the arrests were linked to US election hacking, and details of what exactly the men were accused of have been scarce, with a series of contradictory insider leaks provided to various Russian outlets.
A top expert at Russian cybersecurity firm Kaspersky was also arrested, as well as people with links to a group of Russian hackers called Shaltai-Boltai, who posted hacked emails from government officials online and sold them in anonymous online auctions.
The two freelance hackers were named as Alexsey Belan and Karim Baratov, a Canadian citizen, who was arrested in Toronto earlier this week. Russian authorities are protecting Belan from extradition, it was reported.
Other law enforcement agencies, including M15, the Royal Canadian Mounted Police, and the Toronto police department participated in the investigation.
McCord declined to comment on any connection between the group’s activities within Yahoo and very similar activities on the servers of the Democratic National Committee during the election. “Our indictment does not have any connection between this intrusion and the intrusions into the DNC,” she said. “That is a separate investigation.”
McCord said the attack was aimed at gathering information “clearly some of which has intelligence value”. But she added that “the criminal hackers used this to line their own pockets for private financial gain.”
The attack on Yahoo was exposed partially in September, but in December the company discovered the extent of the intrusion which was described as one of the largest hacking attacks in history.
The justice department indictment shed significant light on the hackers’ tradecraft.
The team financed its efforts in part by forcing Yahoo’s search engine results to point to a specific erectile dysfunction pill manufacturer for targeted users. The impotence pill manufacturer paid Belan for this fraudulent traffic by the click. McCord said that, unorthodox funding methods aside, the two intelligence officers “were acting in their capacity as FSB officials”.
When news of the Yahoo breach broke last year, the company itself was widely condemned for what technologists called improper security – the breach was possible because the hackers were able to forge “cookies” that told Yahoo’s servers to allow them full access to vast numbers of private email accounts.
That Yahoo’s authentication cookies could be forged at all struck many experts as proof of the company’s negligence. According to the indictment, the hackers were also very careful, uploading a program that cleaned evidence of the intrusion to Yahoo’s servers.
According to the indictment, not only did the hackers write authentication cookies for use on their own computers, they were also able to forge cookies, upload them to Yahoo’s system and push them to individual users they wished to target, according to the indictment.
The FSB-led team monitored more than 6,500 accounts with the technique, which was markedly similar to the activities of the “Cozy Bear” hacking team found lurking in the servers of the Democratic National Committee last year. Cozy Bear’s activities have been widely attributed to the FSB.
According to the justice department, the hackers forced surreptitious entry to Yahoo networks in early 2014 to begin reconnaissance but did not begin stealing user data until October or November of that year.
Theft continued into 2016, a persistence unusual for money-motivated thieves and reminiscent of the patience demonstrated in the DNC intrusion.
Initial news of the breach in September caused friction between Yahoo and Verizon, which cut a $4.83bn deal for the company earlier in 2016. When, in December, Yahoo admitted that the breach was far wider than even the historic 500m accounts it had originally reported, Verizon’s general counsel began to suggest to reporters that the effects of the breach might materially diminish the agreed-upon value of the company.
Yesterday, Yahoo discounted the price of its core assets to Verizon by $350m.
In 2014, the justice department indicted five Chinese military officers, believed to be serving in China’s military hacking efforts, for the theft of hundreds of terabytes of data from several US companies and unions.
The then attorney general Eric Holder said the indictment, the first ever that targeted a foreign military engaged in hacking, signaled an “aggressive [US] response” to large-scale hacks.
Author: Sam Thielman and Spencer Ackerman