Two Russian intelligence agents and two hackers have been charged in a devastating breach at Yahoo that affected at least a half billion user accounts, the Justice Department said Wednesday in bringing the first case of its kind against Russian government officials.
The hack targeted the email accounts of Russian and U.S. officials, Russian journalists, and employees of financial services and other businesses, officials said.
"We will not allow individuals, groups, nation states or a combination of them to compromise the privacy of our citizens, the economic interests of our companies, or the security of our country," said Acting Assistant Attorney General Mary McCord.
One of the defendants, Karim Baratov, has been taken into custody in Canada. Another, Alexey Belan, is on the list of the FBI's most wanted cyber criminals and has been indicted multiple times in the U.S. It's not clear whether he or the other two defendants who remain at large, Dmitry Dokuchaev and Igor Sushchin, will ever step foot in an American courtroom since there's no extradition treaty with Russia. The indictment identifies Dokuchaev and Sushchin as officers of the Russian Federal Security Service, or FSB.
But, McCord said, "I hope they will respect our criminal justice system."
The charges arise from a compromise of Yahoo user accounts that began at least as early as 2014. Though the Justice Department has previously charged Russian hackers with cybercrime - as well as hackers sponsored by the Chinese and Iranian governments - this is the first criminal case to so directly implicate the Russian government in cybercrime.
The announcement comes as federal authorities investigate Russian interference through hacking in the 2016 presidential election. One of the defendants, Belan, was among the Russians sanctioned last year following those hacking efforts, though U.S. officials said the investigations were separate,
Yahoo didn't disclose the 2014 breach until last September when it began notifying at least 500 million users that their email addresses, birth dates, answers to security questions and other personal information may have been stolen. Three months later, Yahoo revealed it had uncovered a separate hack in 2013 affecting about 1 billion accounts, including some that were also hit in 2014.
In a statement, Chris Madsen, Yahoo's assistant general counsel and head of global security, thanked law enforcement agencies for their work.
"We're committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime," he said.
Rich Mogull, CEO of security firm Securosis, said the indictment "shows the ties between the Russian security service and basically the criminal underground," something that had been "discussed in security circles for years."
Cyber criminals gave Russian officials access to specific accounts they were targeting; and in return, Russian officials helped the criminals to evade authorities and let them keep the type of information that hackers that hack for money tend to exploit such as email addresses and logins and credit card information.
Mogull said he was surprised the Department of Justice was able to name specific individuals and issue the indictment.
"We've come to expect that you don't really figure out who performs these attacks," he said. The fact that the indictment ties together the FSB and criminals is a new development, he said. "It will be very interesting to see what comes up in court, and how they tie those two together."
Some details on the men, according to an indictment and documents made public by the Department of Justice:
- Karim Baratov, also known as "Kay," ''Karim Taloverov" and "Karim Akehmet Tokbergenov," is a 22-year-old hacker. He is a Canadian and Kazakh national and a resident of Canada.
- Alexsey Alexseyevich Belan, also known as "Magg," is a 29-year-old Russian who was born in Latvia when it was still part of the Soviet Union and has been on the FBI's list of most wanted hackers for more than three years. He was indicted in Nevada in 2012 and in California in 2013, accused of computer fraud and abuse, aggravated identity theft and other crimes related to hacking into three different e-commence companies in the U.S. Arrested in Europe in 2013, he made it back to Russia before he could be extradited. Interpol has issued a request to member nations for his arrest and extradition, and in December he was one of two hackers designated for sanctions by President Barack Obama for "significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain."
- Dmitry Aleksandrovich Dokuchaev, also known as "Patrick Nagel," is a 33-year-old FSB officer assigned to Center 18, which is the Russian intelligence agency's Center for Information Security.
- Igor Anatolyevich Sushchin is Dokuchaev's superior at the Russian intelligence agency. He also was "embedded as a purported employee and head of information security" at a Russian investment bank. There, the 43-year-old Russian monitored communications of bank employees, but it's not clear if the bank knew he was an intelligence officer.
Michael Liedtke in San Francisco and Mae Anderson in New York contributed to this report.
Follow Eric Tucker at http://www.twitter.com/etuckerAP