The United States Department of Justice (DOJ) has charged four men, including two officials
of Russia’s FSB intelligence agency, in connection with a hacking attack
against Yahoo that saw the details of 500 million users stolen and the use of
forged cookies to break into accounts.
In September last year, Yahoo revealed that in late
2014 an unnamed “state-sponsored actor” had accessed the
account information of approximately 500 million users,
including names, email addresses, telephone numbers, dates of birth, hashed
passwords and, in some cases, encrypted or unencrypted security questions and
answers.
Yahoo believes that hackers managed to break into
its internal systems, accessing proprietary code that allowed the attackers to
forge cookies granting access to accounts without needing a password.
At the time it was dubbed by some as ‘the biggest
data breach in history’ (although this was later overshadowed by the news that
a separate data breach at Yahoo had occurred in 2014, impacting a
staggering one billion users).
The DOJ’s indictment claims that 33-year-old Dmitry
Aleksandrovich Dokuchaev and 43-year-old Igor Anatolyevich Sushchin, both
officers in Russia’s FSB, directed and paid criminal hackers to collect
information by hacking into the email accounts of thousands of individuals.
In the indictment, US authorities name two hackers
as Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident;
and Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet
Tokbergenov,” a 22-year-old Canadian and Kazakh national, resident in Canada.
Belan is not an unknown name to computer
crime-fighting authorities, having previously been listed on the FBI’s Cyber
Crime Most Wanted list, and having been detained in a European
country in 2013 before escaping back to Russia ahead of extradition.
The DOJ claims that Belan gained access to at least
part of the Yahoo User Database (UDB) and to details of how to create account
authentication web browser cookies for over 500 million accounts.
Additionally, it is alleged that Belan gained
unauthorized access to Yahoo’s Account Management Tool (AMT), which allowed the
gang to locate and access at least 6,500 email accounts of interest.
Targeted accounts are said to have included those
belonging to “Russian journalists, Russian and U.S. government officials,
employees of a prominent Russian cybersecurity company, and numerous employees
of other providers whose networks the conspirators sought to exploit.”
In addition, personal accounts belonging to
employees of Russian banks, a French transportation firm, US financial services
and private equity firms, and others are thought to have been accessed.
If the US authorities’ claims are to be believed,
one of the accused hackers also exploited his access to Yahoo accounts for
personal gain – searching communications for credit card details, redirecting
search engine traffic to earn commission, and stealing address books from at
least 30 million accounts to facilitate a spam campaign.
Baratov was arrested in Canada this week. It
remains to be seen if his alleged co-conspirators are similarly apprehended by
the authorities, and whether the Russian authorities will co-operate with the
United States on the investigation.
Meanwhile, it’s important to state that the Kremlin
has denied that the FSB had any involvement with
the Yahoo hack.
Yahoo has welcomed the US Department of Justice’s
announcement of an indictment:
We appreciate the FBI’s diligent investigative work
and the DOJ’s decisive action to bring to justice those responsible for the
crimes against Yahoo and its users. We’re committed to keeping our users and
our platforms secure and will continue to engage with law enforcement to combat
cybercrime.
It should go without saying – following a series of
serious security breaches – that all Yahoo users should check their accounts
for suspicious activity, and be on guard against unsolicited emails that contain
suspicious attachments, request their personal information or contain phishy
links.
The company has provided a knowledgebase article
containing security recommendations on how users can better protect their
accounts.