The Russian spies wanted secrets; the hacker was motivated by money.
Together, they orchestrated one of the largest thefts of consumer data in history: pilfering detailed user information from more than 500 million Yahoo accounts, including those of diplomats, journalists, Russian officials and politicians critical of the Kremlin.
Meanwhile, the hacker searched through Yahoo emails for gift card codes and credit card numbers, while launching a massive spam campaign. He even manipulated Yahoo’s search engine to steer those seeking information on erectile dysfunction to an Internet pharmacy that paid him a commission.
On Wednesday, Justice Department officials unveiled a 47-count indictment against two Russian operatives for the Kremlin’s infamous Federal Security Service (FSB) and a notorious Russian hacker in what authorities have described as one of the biggest data breaches in U.S. corporate history. Another suspect, accused of playing a more limited role in the conspiracy, was arrested Tuesday in Canada.
“The FSB officers used criminal hackers to gain information that clearly some of which has intelligence value,” said Mary McCord, the acting assistant attorney general for the Justice Department’s National Security Division. “The criminal hackers used the opportunity to line their own pockets.”
Justice Department officials said it was the first time that they had charged Russian security officials in such a case. Yahoo Inc., the beleaguered Sunnyvale, Calif.-based Internet firm, disclosed the hack in September, saying that thieves in 2014 had pilfered names, email addresses, telephone numbers, dates of birth, passwords and some encrypted and unencrypted security questions and answers.
The number of user accounts affected was massive, even compared with other major data breaches. Yahoo has said it believed it was the victim of a “state-sponsored” attack.
Putting the Russian suspects in handcuffs will not be easy: There is no extradition treaty with Moscow, and there is no reason to believe the Kremlin will want to hand over its spies and citizens to face charges in the United States.
However, the officials said, they believe that such charges are useful for sending a message that adversaries face consequences for targeting U.S. companies for traditional spying or financial gain. In that way, the case bears some similarities to the one levied against five Chinese military officers in 2014 who were accused of engaging in economic espionage against U.S. companies and a labor union.
“We are shrinking the world to ensure that cybercriminals think twice before targeting U.S. persons and interests,” FBI Director James Comey said in a statement.
The charges are not related to Russian interference in the U.S. election or its alleged hacking of the Democratic National Committee and a top campaign aide to Democrat Hillary Clinton. Justice Department officials refused to address questions about that high-profile investigation, though the FSB appears to also have played a role in those cyberattacks.
The indictment lays out a complicated operation that penetrated Yahoo’s sensitive user database and turned its very systems against its own users. The scheme was launched in 2014, not long after the FBI lodged an Interpol “red notice” — essentially a request to other countries to arrest a suspect — against Belan on charges he stole user data from three e-commerce firms and sold the information.
Instead of turning Belan over to U.S. authorities, the FSB put him to work.
Belan also obtained an account management tool that allowed him to search for users’ back-up email addresses, which sometimes identified their employers. Using both tools, he then hacked into at least 6,500 accounts that permitted him and the FSB to read emails and other personal information.
Some of the victims were of “predictable interest” to the FSB, the indictment alleged. They included Russian journalists and foreign diplomats. Other targets had intelligence and commercial value, such as the personal accounts belonging to employees of a Russian investment banking firm, another of a bank. They also targeted a U.S. airline executive, a sales manager at a U.S. financial company and a Nevada gaming official.
Belan began seeking to profit on his own by searching accounts for credit card numbers and for gift cards. Justice Department officials would not speculate on how much money Belan stole.
On a broader scale, Belan forged cookies en masse to access information on more than 30 million users, stealing address book information that permitted him to launch a “spam marketing campaign.” And he manipulated Yahoo’s search engine to direct people looking for information on erectile dysfunction medication to an online pharmacy that paid him for referring customers.
The FSB officers helped Belan avoid detection by providing him with sensitive information and intelligence, including tips about their fellow officers’ investigations into computer hacking. Belan concealed his activities by using a “log cleaner” to remove traces of his activities from the Yahoo network.
The officers did not limit their attacks to Yahoo. They enlisted the aid of Baratov, the Canadian, to hack the accounts of specific victims on other email providers, including Google. Baratov broke into more than 80 such accounts, including those belonging to an officer who worked at an agency that investigated cybercrimes, the indictment alleges.
Cybersecurity experts raised alarms Wednesday at the deep access the Russians allegedly had in Yahoo’s computer network, and the ease with which they executed malicious actions ranging from run-of-the-mill hacking to sophisticated espionage and fraud.
“Certainly we’ve seen all sorts of similar breaches, but the scale of this and some of the unusual activities they undertook are unmatched,” said Von Welch, who directs a cybersecurity research program at Indiana University.
After disclosing this hack last year, Yahoo revealed an even larger data breach affecting up to 1 billion accounts that it said was separate. Disclosure of the two incidents led Verizon Communications Inc., which agreed last year to buy Yahoo’s core Internet business, to cut $350 million off the purchase price; it is now set to pay $4.5 billion.
Acknowledging that the breaches happened under her watch, Yahoo Chief Executive Marissa Mayer offered to forgo her annual bonus and stock grant. She is still set to collect a severance package worth about $23 million as part of the Verizon deal.
Former employees have said Mayer and other senior Yahoo executives resisted suggestions to bolster defenses and cybersecurity investigations. A Yahoo board investigation recently blamed the breach on “failures in communication, management, inquiry and internal reporting.” The public summary of the report this month didn’t name officials responsible, but Yahoo’s top lawyer Ronald Bell immediately resigned.
The Verizon deal keeps Yahoo on the hook for most expenses from lawsuits and government investigations tied to the hacks. The acquisition is expected to close in the second quarter of this year.
2:45 p.m.: This article was updated with comments from an information security expert.
12:55 p.m.: This article was updated throughout with staff reporting.
11:45 a.m.: This article was updated with additional details from the indictment.
9:15 a.m.: This article was updated with information from the indictment and background information about Yahoo and its deal with Verizon.
This article was originally published at 8:30 a.m.