US charges Russian FSB officials in connection with massive Yahoo security breach

The United States Department of Justice (DOJ) has charged four men, including two officials of Russia’s FSB intelligence agency, in connection with a hacking attack against Yahoo that saw the details of 500 million users stolen and forged cookies used to break into accounts.

In September last year, Yahoo revealed that in late 2014 an unnamed “state-sponsored actor” had accessed the account information of approximately 500 million users, including names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

Yahoo believes that hackers managed to break into its internal systems, accessing proprietary code that allowed the attackers to forge cookies granting access to accounts without needing a password.
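The attack described above turned on proprietary code that let the intruders mint authentication cookies the service would accept. The following added example (not Yahoo’s code and not drawn from the indictment; the cookie format, key handling and function names are assumptions for illustration) shows the defensive lesson: a session cookie should be accepted only if its HMAC tag verifies, it has not expired, and the server holds a record of having issued that exact session. A cookie that is correctly signed but was never issued is rejected, and a breach response can revoke every outstanding session at once.

```python
"""Added example: HMAC-signed session cookies whose validity also depends on
server-side state, so a valid signature alone does not grant access."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed signing key. In a real deployment it lives in a secrets manager or
# HSM, is rotated, and never sits in the application source tree.
SIGNING_KEY = secrets.token_bytes(32)

# Constructed in-memory stand-in for the server's session database:
# session_id -> user. Only sessions created by issue_cookie() appear here.
ISSUED_SESSIONS: Dict[str, str] = {}

COOKIE_TTL_SECONDS = 3600


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_signed_cookie(payload: dict, key: bytes = SIGNING_KEY) -> str:
    """Serialize the payload and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def issue_cookie(user: str, now: Optional[float] = None) -> str:
    """Login path: create a session id, record it server-side, then sign it."""
    now = time.time() if now is None else now
    session_id = secrets.token_hex(16)
    ISSUED_SESSIONS[session_id] = user
    return mint_signed_cookie(
        {"sid": session_id, "user": user, "exp": now + COOKIE_TTL_SECONDS}
    )


def validate_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user if the cookie is authentic, unexpired AND refers to a
    session this server issued; otherwise None."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) < now:
        return None
    # Defence in depth: a correctly signed cookie is still refused unless the
    # server recorded issuing that session id for that user.
    if ISSUED_SESSIONS.get(payload.get("sid")) != payload.get("user"):
        return None
    return payload["user"]


def revoke_all_sessions() -> None:
    """Breach response: invalidate every outstanding session (rotate the key too)."""
    ISSUED_SESSIONS.clear()


if __name__ == "__main__":
    cookie = issue_cookie("alice")
    print("issued cookie accepted:", validate_cookie(cookie) == "alice")
    never_issued = mint_signed_cookie({"sid": "ffff", "user": "alice", "exp": 9e9})
    print("signed but unissued rejected:", validate_cookie(never_issued) is None)
```

The server-side registry is what makes the difference: with only a signature check, anyone holding the signing code and key can produce cookies for any account, whereas the registry lets the service refuse sessions it never created and wipe all sessions the moment a compromise is suspected.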

At the time it was dubbed by some as ‘the biggest data breach in history’ (although this was later overshadowed by the news that a separate data breach at Yahoo had occurred in 2014, impacting a staggering one billion users).

The DOJ’s indictment claims that 33-year-old Dmitry Aleksandrovich Dokuchaev and 43-year-old Igor Anatolyevich Sushchin, both officers in Russia’s FSB, directed and paid criminal hackers to collect information by hacking into the email accounts of thousands of individuals.

In the indictment, US authorities name two hackers as Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident; and Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” a 22-year-old Canadian and Kazakh national, resident in Canada.

Belan is not an unknown name to computer crime-fighting authorities, having previously been listed on the FBI’s Cyber Crime Most Wanted list, and having been detained in a European country in 2013, only to escape back to Russia before he could be extradited.

The DOJ claims that Belan gained access to at least some of the Yahoo User Database (UDB) and to details of how to create account authentication web browser cookies for over 500 million accounts.

Additionally, it is alleged that Belan gained unauthorized access to Yahoo’s Account Management Tool (AMT), which allowed the gang to locate and access at least 6,500 email accounts of interest.

Targeted accounts are said to have included those belonging to “Russian journalists, Russian and U.S. government officials, employees of a prominent Russian cybersecurity company, and numerous employees of other providers whose networks the conspirators sought to exploit.”

In addition, personal accounts belonging to employees of Russian banks, a French transportation firm, US financial services and private equity firms, and others are thought to have been accessed.

If the US authorities’ claims are to be believed, one of the accused hackers also exploited his access to Yahoo accounts for personal gain – searching communications for credit card details, redirecting search engine traffic to earn commission, and stealing address books from at least 30 million accounts to facilitate a spam campaign.

Baratov was arrested in Canada this week. It remains to be seen if his alleged co-conspirators are similarly apprehended by the authorities, and whether the Russian authorities will co-operate with the United States on the investigation.

Meanwhile, it’s important to state that the Kremlin has denied that the FSB had any involvement with the Yahoo hack.

Yahoo has welcomed the US Department of Justice’s announcement of an indictment:

We appreciate the FBI’s diligent investigative work and the DOJ’s decisive action to bring to justice those responsible for the crimes against Yahoo and its users. We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime.

It should go without saying – following a series of serious security breaches – that all Yahoo users should check their accounts for suspicious activity and be on guard against unsolicited emails that contain suspicious attachments, request personal information, or contain phishy links.

The company has provided a knowledgebase article containing security recommendations on how users can better protect their accounts.

Author Graham Cluley, We Live Security


Copyright © 2017 ESET, All Rights Reserved.