This week, a grand jury in the Northern District of California indicted four suspects, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal charges in connection with a criminal conspiracy that began in January 2014. The defendants allegedly accessed Internet giant Yahoo’s network and its webmail accounts.
The four suspects are identified as two Russian Federal Security Service (FSB) officers and two civilians who are said to be experienced criminal hackers. Special agents with the Federal Bureau of Investigation (FBI) claim this case is one of the largest cyber intrusions in U.S. history, compromising the personal information of about 500 million Yahoo accounts.
One of the criminal hackers was arrested by Canadian law enforcement officials, while the two Russian FSB officers and the second criminal hacker, believed to have fled to Russia, are now fugitives wanted by the FBI.
The indictments were announced by the U.S. Justice Department Acting Assistant Attorney General Mary McCord, FBI Executive Assistant Director Paul Abbate, and Northern District of California U.S. Attorney Brian Stretch during a Washington, D.C. news briefing.
The FSB is both an intelligence bureau and a law enforcement agency of the Russian Federation. Ironically, the two FSB officers work in a unit that liaises with the FBI on cybercrime cases.
According to Ms. McCord, “The involvement and direction of FSB officers with law enforcement responsibilities make this conduct that much more egregious — there are no free passes for foreign state-sponsored criminal behavior.”
According to the indictment, from about April 2014 up to at least December 2016, FSB officers Dmitry Dokuchaev and Igor Sushchin (See Fig. 1) directed this cyber intrusion conspiracy. It reportedly involved malicious files and software tools being downloaded onto Yahoo’s network that resulted in the compromise of that network and the theft of subscriber information from at least 500 million accounts.
But it gets worse: the original stolen information was then utilized to gain unauthorized access to the contents of accounts at Google and other webmail providers.
The indictment states that FSB’s Dokuchaev and Sushchin paid, directed, and protected two known criminal hackers who took part in the scheme: Alexsey Belan, a Russian national and resident, and Karim Baratov, born in Kazakhstan and a naturalized Canadian citizen and resident (See Fig. 1).
Belan has been indicted twice before in the U.S. for cyber-related crimes, is currently on the FBI’s Cyber Most Wanted list, and is the subject of an Interpol Red Notice sent out to member nations, including Russia.
“The information stolen from the 500 million user accounts came from Yahoo’s proprietary user database, which contained information such as users’ names, recovery e-mail addresses, phone numbers, and certain information needed to manually create account authentication web browser cookies,” Justice Department officials said in their press statement.
Fig. 1 – Defendants: At all times relevant to the charges, the Indictment alleges as follows:
Dmitry Aleksandrovich Dokuchaev, 33, was an officer in the FSB Center for Information Security, aka “Center 18.” Dokuchaev was a Russian national and resident.
Igor Anatolyevich Sushchin, 43, was an FSB officer, a superior to Dokuchaev within the FSB, and a Russian national and resident. Sushchin was embedded as a purported employee and Head of Information Security at a Russian investment bank.
Alexsey Alexseyevich Belan, aka “Magg,” 29, was born in Latvia and is a Russian national and resident. U.S. Federal grand juries have indicted Belan twice before, in 2012 and 2013, for computer fraud and abuse, access device fraud and aggravated identity theft involving three U.S.-based e-commerce companies and the FBI placed Belan on its “Cyber Most Wanted” list. Belan is currently the subject of a pending “Red Notice” requesting that Interpol member nations (including Russia) arrest him pending extradition. Belan was also one of two criminal hackers named by President Barack Obama on Dec. 29, 2016, pursuant to Executive Order 13694, as a Specially Designated National subject to sanctions.
Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22, is a Canadian and Kazakh national and a resident of Canada.
Victims: Yahoo; more than 500 million Yahoo accounts for which account information was stolen by the defendants; more than 30 million Yahoo accounts for which account contents were accessed without authorization to facilitate a spam campaign; and at least 18 additional users at other webmail providers whose accounts were accessed without authorization.
Time Period: As alleged in the Indictment, the conspiracy began at least as early as 2014 and, even though the conspirators lost their access to Yahoo’s networks in September 2016, they continued to utilize information stolen from the intrusion up to and including at least December 2016.
Law enforcement believes the suspects used their access to Yahoo’s networks in order to access the accounts that were of interest to the FSB. The Justice Department claims the illegally accessed accounts belonged to members of the Russian news media and journalists from other nations assigned to cover the Russian government. Other victims are U.S. and Russian government officials and other providers whose networks the conspirators sought to exploit.
Besides the espionage benefits of the operation, the co-conspirators weren’t shy about using the information they stole for their own monetary enrichment. “For example, Belan allegedly searched Yahoo user communications for credit card and gift card account numbers. He also used the lists obtained from about 30 million email accounts to perpetrate his own Internet spamming scheme,” according to cybercrime expert and former police counterintelligence officer Mike Snopes.
Computer intrusions, by their very nature, are international in scope, so they require an international effort to unmask the worldwide hacking networks responsible for them. This case was no different. Abbate expressed the Bureau’s gratitude to its international partners for their assistance and support leading up to these criminal charges today—specifically mentioning the Royal Canadian Mounted Police, the Toronto Police Service, and the United Kingdom’s MI5.
Another important aspect of this case involved the victim companies—including Yahoo and Google—coming forward and working with law enforcement. This collaboration ultimately resulted in countering the malicious activities of state actors and bringing criminals to justice. It also illustrates that the FBI can successfully work these kinds of investigations with victim companies while respecting the various concerns and considerations businesses might have about the impact of going public.
“This is a highly-complicated investigation of a very complex threat,” said the FBI’s Paul Abbate. “It underscores the value of early, proactive engagement and cooperation between the private sector and the government.”
“Among the FBI’s major investigative priorities are to protect the U.S. against foreign intelligence operations and espionage and to protect the U.S. against cyber-based attacks and high-technology crimes. This case involved both. And it doesn’t matter to us whether the perpetrators of such crimes are run-of-the-mill criminals or sophisticated foreign states and their agents. With the help of our partners here and/or abroad, we will identify those responsible and hold them accountable for their actions,” he said.