The Department of Justice announced charges Wednesday against two Russian intelligence officers and two hackers in connection to the cyberattacks against Yahoo that compromised information related to a half billion user accounts.
Dmitry Dokuchaev and Igor Sushchin, both officers in Russia’s FSB, “protected, directed, facilitated and paid criminal hackers” to collect information through breaches in the United States and elsewhere.
Additionally, the department charged that co-conspirators Alexsey Belan and Karim Baratov were instructed to hack into computers of American companies providing email and internet-related services, to maintain unauthorized access to those computers and to steal information, including information about individual users and the private contents of their accounts.
All four men were charged with computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts.
Belan has been indicted twice before in the United States for three intrusions into e-commerce companies that victimized millions of customers, and he has been one of the FBI’s most wanted cyber criminals for more than three years.
“With these charges, the Department of Justice is continuing to send the powerful message that we will not allow individuals, groups, nation states or a combination of them to compromise the privacy of our citizens, the economic interests of our companies, or the security of our country,” said Acting Assistant Attorney General for National Security Mary McCord during a press conference in Washington, D.C.
Earlier in the day, McCord described the case as a “major intrusion that was done with the backing of a nation state.”
“When nation states support this kind of activity it’s not a fair fight. It’s not a fair fight for U.S. companies. We want companies to know that we the U.S. government will stand with them to try to combat it,” McCord said.
It was revealed in October that user details from more than 500 million Yahoo accounts — including names, birth dates and encrypted passwords — were stolen nearly two years ago by state-sponsored hackers.
Email addresses “and, in some cases, encrypted or unencrypted security questions and answers” were also included in the stolen data, but not payment card data or bank account information, which was stored in a separate system.
Yahoo then disclosed in December another security incident that was twice as large as the October revelation, affecting more than a billion users.
The breaches ended up affecting to Yahoo’s sale to telecom giant Verizon, knocking the price back to $4.48 billion from the initial $4.8 billion price announced last July.
Additionally, a Yahoo shareholder launched a class action lawsuit in January, accusing the company of lying about and “recklessly” failing to disclose the massive data breaches, thereby violating federal securities laws and costing shareholders “significant losses and damages.”
The SEC is also investigating whether Yahoo should have publicly disclosed its two mega-hacks earlier than it did — a process that could end up setting important benchmarks for how quickly publicly traded companies have to disclose cybersecurity breaches.
The full indictment can be found below.