DOJ indicts suspected Yahoo hackers from Russia; extradition unclear

The U.S. Department of Justice indicted four men -- including two Russian Federal Security Service officers -- accused of being the Yahoo hackers, but only one person was arrested.

The U.S. Department of Justice indicted four defendants accused of being the Yahoo hackers behind the breach of 500 million user accounts in 2014.

Three of the four defendants are Russian nationals -- Dmitry Aleksandrovich Dokuchaev, Igor Anatolyevich Sushchin and Alexsey Alexseyevich Belan. Dokuchaev and Sushchin are officers of the Russian Federal Security Service (FSB), which is an intelligence agency similar to the CIA, while Belan is on the list of most-wanted cybercriminals and has been charged by the DOJ twice before. The final man indicted, Karim Baratov, is a Kazakh national and was the only one to be arrested. He was arrested in Canada where he is a resident; the three others are in Russia, and extradition is unclear.

The DOJ announced the four alleged Yahoo hackers have been charged with "computer hacking, economic espionage and other criminal offenses" in connection with the 2014 Yahoo breach affecting more than 500 million user accounts. But, in a written press release, the DOJ said the effects of the breach may extend much further:

The defendants used unauthorized access to Yahoo's systems to steal information from at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo's network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign.

While the damage caused by the accused Yahoo hackers could be extensive, Ray Rothrock, chairman and CEO of RedSeal Inc., in Sunnyvale, Calif., said the vulnerabilities exploited to access Yahoo could be widespread.

"According to the indictment, the Yahoo hackers used phishing, minting [cookies] and unauthorized email access -- exploiting basic security flaws -- to penetrate Yahoo's network and gain access to user data. This was a stunningly simple hack, one to which many organizations are vulnerable," Rothrock told SearchSecurity. "To protect high-value assets, like user data, business plans, employee information and more, IT teams have to be resilient, able to model and then thwart the bad guys' movements once inside the network."

Jeremiah Grossman, chief of security strategy at SentinelOne, based in Palo Alto, Calif., and founder of WhiteHat Security, told SearchSecurity it was unclear how "minting cookies" would be different from the cookie forgery Yahoo previously disclosed, but the level of access provided would be staggering.

State-sponsored Yahoo hackers

Experts had previously been suspicious of Yahoo's claims that the 2014 data breach was a state-sponsored attack because of a lack of evidence. Yahoo said in a statement that "the indictment unequivocally shows the attacks on Yahoo were state-sponsored."

"We appreciate the FBI's diligent investigative work and the DOJ's decisive action to bring to justice those responsible for the crimes against Yahoo and its users," Chris Madsen, assistant general counsel for Yahoo, wrote in a public statement. "We're committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime."

Eric O'Neill, national security strategist for Carbon Black, based in Waltham, Mass., and a former FBI counterterrorism operative, said he wasn't surprised that Russia would target Yahoo, because "theft of email communications has become a primary espionage goal."

"Any indictment of Russia by the U.S. DOJ will likely be met with recrimination and denial," O'Neill told SearchSecurity. "One can imagine that since Russia has followed China's playbook thus far, they will walk to the next logical conclusion -- that they never attacked Yahoo and that the U.S. is using 'fabricated facts.'"

Beyond how Russia will react to the indictment of the alleged Yahoo hackers, it is unclear how the U.S. might proceed in bringing Dokuchaev, Sushchin and Belan to the U.S. for trial. The U.S. does not have an extradition treaty with Russia and has failed to obtain Russian cooperation in Belan's previous cases, which date back to 2013.

Grossman also noted it would be even less likely to get extradition on Dokuchaev, who was charged with high treason by the Russian government after allegedly supplying the CIA with information.

In the press release, acting Assistant Attorney General Mary McCord said the indictment of the accused Yahoo hackers should be a warning to all cybercriminals:

The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI's point of contact in Moscow on cybercrime matters, is beyond the pale. Once again, the Department and the FBI have demonstrated that hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want, but the indictment shows that our companies do not have to stand alone against this threat. We commend Yahoo and Google for their sustained and invaluable cooperation in the investigation aimed at obtaining justice for, and protecting the privacy of, their users.

Tim Matthews, vice president of marketing for Imperva in Redwood Shores, Calif., said enterprises should be on notice that state-sponsored cyberattacks are a possibility.

"Organizations may have been under the false impression that state-sponsored hacking was aimed at other governments -- or at worst, political parties. Now, we have learned that elite teams of state-sponsored conspirators and hackers are also seeking access to corporate data," Matthews told SearchSecurity. "It's more important than ever for organizations not to become complacent. If a nation state hacked Yahoo, who is to know what other companies may have been or will be hacked? Those who don't carefully monitor their networks today may well regret it down the road."
