Two Russian spies and two hackers were the miscreants who broke into Yahoo!'s servers and swiped at least 500 million user account records.
That's according to the US Department of Justice, which today indicted [PDF] four men – including two senior officers in the FSB, the Russian Federal Security Service born from the Soviet-era KGB.
In a joint statement, Attorney General Jeff Sessions and FBI Director James Comey claimed Russian agent Dmitry Dokuchaev and his boss Igor Sushchin "protected, directed, facilitated and paid" two hackers to ransack Yahoo!'s systems. The team then used information purloined from the US biz's servers to spy on American and Russian government officials, journalists, and computer security professionals, we're told.
(Slightly bafflingly, Dokuchaev was arrested in December last year, and charged with high treason. He allegedly leaked files to the CIA. The plot thickens.)
"Today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users' accounts," Sessions said today. "The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law."
The indictment states that in 2014, Dokuchaev and Sushchin hired Latvian hacker Alexsey Belan, aka "Magg," 29, who was already on the FBI's Most Wanted list with a $100,000 bounty on his head, and Karim Baratov, aka "Kay," 22, a Kazakh national and resident of Canada, for the Yahoo! incursion.
According to the charges, in November and December 2014, Belan penetrated Yahoo!'s corporate security and stole at least a chunk of its user account database that included enough information to mint account authentication cookies for Yahoo! email inboxes – meaning the miscreants could use these cookies to log into Yahoo! accounts, rifle through their documents and messages, and masquerade as strangers, without having to crack or type in a login password.
Belan is also accused of gaining unauthorized access to Yahoo!'s internal account management tool, which is used to create, manage, and log changes in accounts.
The FSB officers are accused of monitoring and advising on the operation using information from their own government hacking teams and telling Belan what accounts they wanted access to. The indictment says 6,500 targeted accounts of Russian and US government officials, foreign intelligence and law enforcement service staff, journalists, and "employees of a prominent Russian cybersecurity company" were accessed by the FSB.
These accounts were mined for information and passwords that could be of use to the FSB, according to US claims. But Belan is also accused of running a little side business of his own while romping through Yahoo!'s poorly protected servers.
"The indictment unequivocally shows the attacks on Yahoo! were state-sponsored," said Chris Madsen, assistant general counsel and head of global law enforcement at Yahoo!. "We're committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime."
The indictment states that Belan dug into accounts on his own, looking for credit card and gift card details. As many as 30 million accounts were scanned in this way and he was also able to "earn commissions from fraudulently redirecting a subset of Yahoo!'s search engine traffic," the US claims. The contacts were then sold to a spammer service for an additional profit for Belan.
That would certainly fit with FBI information on Belan. In 2013 Belan made it to the FBI's Most Wanted list after accusations that he hacked three major US e-commerce companies in California and Nevada and used the information for fraud and identity theft. The FBI put a $100,000 bounty on his head but found no takers.
Today's statement claims that Belan was arrested in Europe in June 2013 but "was able to escape to Russia before he could be extradited." Since then he has been operating in Russia under the protection of the FSB, Sessions said.
"Today we continue to pierce the veil of anonymity surrounding cyber crimes," said Director Comey. "We are shrinking the world to ensure that cyber criminals think twice before targeting US persons and interests."