Cyber Security

U.S. Says Two Russian Spies Were Behind Yahoo Hack

Only one criminal associate, however, is likely to see a U.S. jail

Illustration: R. A. Di Ieso
Mar 15, 2017 at 12:48 PM ET

In what’s believed to be the largest hacking indictment to date, the U.S. government has charged four suspects, two of whom work for Russia’s top spy agency, with masterminding a damaging 2014 hack against Yahoo.

Only one of those four, however, appears destined for prison time.

The hack in question was the 2014 breach of Yahoo, which leaked the email addresses, phone numbers, and birthdays of 500,000 users to the culprit. That came on the heels of the only known larger commercial breach in history: the 2013 hack, also of Yahoo, but of a billion of its users, which remains unsolved and was not part of Wednesday’s charges.

Yahoo claimed in both instances that the hacks were the handiwork of state-sponsored actors, but some cybersecurity experts, citing the immense difficulties in attributing the culprits behind any sophisticated hack, were skeptical. U.S. intelligence agencies have only clearly named government hackers a handful of times, including the 2015 hack of Sony Entertainment, which they blamed on North Korea.

The announcement appears spurred by the arrest, in Canada, of Karim Baratov, one of the two suspects not believed to work directly for Russia’s Federal Security Service, or FSB.

The other named criminal hacker is Alexsey Belan, one of the FBI’s ten most wanted cybercriminals, who was arrested in 2013 but escaped to Russia. When former president Barack Obama sanctioned Russia in December for its role in hacking Democratic party systems during the 2016 U.S. elections, those sanctions specifically named Belan. The Yahoo hack, the DOJ said, is entirely distinct from the U.S.’s investigation into the FSB’s role in hacking the Democratic Party.

The plot began, the DOJ said in a press conference, when two FSB agents, Dmitry Dokuchaev and Igor Sushchin, enlisted Belan and Baratov to break into Yahoo. While the FSB was able to use information in those Yahoo emails for intelligence purposes, the two criminal hackers were given rein to use the hack for their own purposes, which included breaking into those Yahoo email accounts, using login credentials to also break into Google accounts, and stealing credit and gift card numbers.

Though Russia has not formally admitted any role in the hacks, a DOJ spokesperson said Dokuchaev and Sushchin “were acting in their capacity as FSB officials” when they recruited Belan and Baratov.

Making things particularly awkward for the FBI’s frosty relations with the FSB is the fact that Dokuchaev and Sushchin work for the FSB hacking division known as “Center 18,” which is the FBI’s main point of contact for joint cybersecurity work.

Combined, the various hacking charges against those four would mean a maximum of centuries in prison, though Russia has no extradition policy with the U.S. and no history of cooperating with the U.S. on such crimes. Baratov, however, does face extradition from Canada.