Russian! spies! 'brains! behind!' Yahoo! mega-hack! – four! charged!

Two FSB agents and two stooges fingered for 2014's 500m webmail account raid


Two Russian spies and two hackers were the miscreants who broke into Yahoo!'s servers and swiped at least 500 million user account records.

That's according to the US Department of Justice, which today indicted [PDF] four men – including two senior officers in the FSB, the Russian Federal Security Service born from the Soviet-era KGB.

In a joint statement, Attorney General Jeff Sessions and FBI Director James Comey claimed Russian agent Dmitry Dokuchaev and his boss Igor Sushchin "protected, directed, facilitated and paid" two hackers to ransack Yahoo!'s systems. The team then used information purloined from the US biz's servers to spy on American and Russian government officials, journalists, and computer security professionals, we're told.

(Slightly bafflingly, Dokuchaev was arrested in December last year, and charged with high treason. He allegedly leaked files to the CIA. The plot thickens.)

"Today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users' accounts," Sessions said today. "The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law."

The indictment states that in 2014, Dokuchaev and Sushchin hired Latvian hacker Alexsey Belan, aka "Magg," 29, who was already on the FBI's Most Wanted list with a $100,000 bounty on his head, and Karim Baratov, aka "Kay," 22, a Kazakh national and resident of Canada, for the Yahoo! incursion.

According to the charges, in November and December 2014, Belan penetrated Yahoo!'s corporate network and stole at least part of its user account database. That copy contained enough information to mint authentication cookies for Yahoo! email accounts, so the crew could present a forged cookie to log into a victim's inbox, rifle through documents and messages, and impersonate the account holder, all without cracking or typing in a password.
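The cookie-minting point above, as an added example that is not from the indictment and is not Yahoo!'s code: a hypothetical cookie scheme whose only secret is a per-user column in the user table (so a dump of that table is enough to mint a valid cookie for any account), beside one that keys the cookie MAC with a server-side secret held outside the database and signs an expiry. The table rows, column names, key handling and function names are all constructed for illustration.

```python
"""Why a user-database dump can be "enough to mint authentication cookies",
and what a scheme that resists a dump alone looks like. Hypothetical designs,
not Yahoo!'s actual cookie format or code."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample user table, the kind of thing a database theft yields.
# In the weak design the per-user "cookie_seed" column is the only secret the
# cookie MAC depends on, so a copy of this table is a copy of every session key.
USER_DB = {
    1001: {"login": "alice", "cookie_seed": "3e5b1f0a9c7d2b84"},
    1002: {"login": "bob",   "cookie_seed": "a19f6c3d0e7b5482"},
}


def _mac(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


# --- Weak design: cookie = uid + HMAC(per-user seed from the DB, uid) --------
def mint_weak(uid: int, db: dict) -> str:
    return f"{uid}:{_mac(db[uid]['cookie_seed'].encode(), str(uid))}"


def verify_weak(cookie: str, db: dict) -> Optional[int]:
    uid_s, _, tag = cookie.partition(":")
    if not uid_s.isdigit() or int(uid_s) not in db:
        return None
    uid = int(uid_s)
    ok = hmac.compare_digest(tag, _mac(db[uid]["cookie_seed"].encode(), uid_s))
    return uid if ok else None


# --- Hardened design: HMAC under a server-side key kept out of the user DB ---
# (assumption: the key lives in an HSM, KMS or secrets manager), with an expiry
# inside the signed payload so stolen cookies age out and a key rotation
# revokes every outstanding cookie at once.
def mint_strong(uid: int, server_key: bytes, ttl: int = 3600,
                now: Optional[int] = None) -> str:
    exp = (now if now is not None else int(time.time())) + ttl
    payload = f"{uid}.{exp}"
    return f"{payload}.{_mac(server_key, payload)}"


def verify_strong(cookie: str, server_key: bytes,
                  now: Optional[int] = None) -> Optional[int]:
    try:
        uid_s, exp_s, tag = cookie.split(".")
        uid, exp = int(uid_s), int(exp_s)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _mac(server_key, f"{uid_s}.{exp_s}")):
        return None  # payload tampered with or signed under another key
    if exp < (now if now is not None else int(time.time())):
        return None  # expired
    return uid


# --- The attacker's position: a copy of the user table, no server key -------
def forge_from_dump(dump: dict, uid: int) -> dict:
    """What an attacker holding only the user-DB dump can produce."""
    weak_cookie = mint_weak(uid, dump)          # nothing else is needed
    # For the hardened scheme the dump gives no key; a guessed key yields a
    # cookie the verifier rejects.
    forged_strong = mint_strong(uid, secrets.token_bytes(32), now=0)
    return {"weak": weak_cookie, "strong_attempt": forged_strong}


if __name__ == "__main__":
    server_key = secrets.token_bytes(32)   # assumption: fetched from a KMS
    stolen = {k: dict(v) for k, v in USER_DB.items()}  # the stolen table
    forged = forge_from_dump(stolen, 1001)
    print("weak scheme accepts forged cookie  :",
          verify_weak(forged["weak"], USER_DB) == 1001)
    print("strong scheme accepts forged cookie:",
          verify_strong(forged["strong_attempt"], server_key) == 1001)
    good = mint_strong(1001, server_key, now=0)
    print("genuine strong cookie valid:", verify_strong(good, server_key, now=1) == 1001)
    print("same cookie after key rotation:",
          verify_strong(good, secrets.token_bytes(32), now=1) is None)
```

The caveat a practitioner should take from this: the hardened scheme only moves the secret, it does not remove it. If the intruder also obtains the server-side signing key (through source, config or host compromise rather than the user table), cookies can again be minted for any account, so the key must be held outside the application database, rotated on any suspicion of compromise, and backed by server-side session records that let individual sessions be revoked without re-keying everything.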

Belan is also accused of gaining unauthorized access to Yahoo!'s internal account management tool, which is used to create, manage, and log changes in accounts.

The FSB officers are accused of monitoring and advising on the operation using information from their own government hacking teams and telling Belan what accounts they wanted access to. The indictment says 6,500 targeted accounts of Russian and US government officials, foreign intelligence and law enforcement service staff, journalists, and "employees of a prominent Russian cybersecurity company" were accessed by the FSB.

These accounts were mined for information and passwords that could be of use to the FSB, according to US claims. But Belan is also accused of running a little side business of his own while romping through Yahoo!'s poorly protected servers.

"The indictment unequivocally shows the attacks on Yahoo! were state-sponsored," said Chris Madsen, assistant general counsel and head of global law enforcement at Yahoo!. "We're committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime."

The indictment states that Belan also dug into accounts on his own, looking for credit card and gift card details. As many as 30 million accounts were scanned in this way, and he was also able to "earn commissions from fraudulently redirecting a subset of Yahoo!'s search engine traffic," the US claims. Contacts harvested from those accounts were then sold to a spam operation for additional profit.

That would certainly fit with FBI information on Belan. In 2013 Belan made it to the FBI's Most Wanted list after accusations that he hacked three major US e-commerce companies in California and Nevada and used the information for fraud and identity theft. The FBI put a $100,000 bounty on his head but found no takers.

Today's statement claims that Belan was arrested in Europe in June 2013 but "was able to escape to Russia before he could be extradited." Since then he has been operating in Russia under the protection of the FSB, Sessions said.

"Today we continue to pierce the veil of anonymity surrounding cyber crimes," said Director Comey. "We are shrinking the world to ensure that cyber criminals think twice before targeting US persons and interests."

Next page: The net widens
