The indictment accuses the officers, 33-year-old Dmitry Aleksandrovich Dokuchaev and 43-year-old Igor Anatolyevich Sushchin, of hiring a pair of hackers to help them break into Yahoo’s systems. Mary McCord, the acting assistant attorney general in the Justice Department’s national-security division, said the agents are suspected of orchestrating the cyberattack in their official capacity as members of the FSB.
One of the hackers was already notorious. Alexsey Alexseyevich Belan has been indicted in the U.S. twice, once in 2012 and once in 2013, and was added to the FBI’s list of most-wanted cybercriminals in 2013. The other hacker, Karim Baratov, was brought on to help hack into 80 non-Yahoo accounts, using information gleaned from the accounts that were already compromised. Baratov, who lives in Canada, was arrested on Tuesday. The other three defendants remain at large in Russia, which doesn’t have an extradition agreement with the United States.
According to the indictment, the hackers had access to Yahoo’s networks all the way until September 2016, two years after they first got in.
When the data breach was announced that month, it was one of the largest single breaches that had ever been made public. But it was eclipsed in December, when the company announced that another breach, this one from 2013, had compromised one billion user accounts. Yahoo said in December that the two hacks were separate, but that it suspected the “same state-sponsored actor” was behind both.
One of the tricks the Russian hackers used to steal information was to forge cookies—small packages of data that track users and tell browsers which accounts a user is signed into, among other things—in order to access at least 6,500 user accounts, the Justice Department alleges. (The 2013 hack also used forged cookies, according to Yahoo.)
The hackers targeted a wide range of people: government officials, intelligence and law enforcement agents, and employees of an unnamed “prominent Russian cybersecurity company.” They also accessed accounts that belonged to private companies in the U.S. and elsewhere, the indictment claims.
Some of the information was probably useful for the intelligence officers, but Belan, the hired hacker, appears to have used the opportunity presented by the enormous trove of stolen Yahoo accounts to make a little money. He searched emails for credit-card and gift-card numbers, and scraped the contact lists from at least 30 million accounts for use in a large-scale spam campaign.
The FBI is also investigating Russian cyberattacks on the Democratic National Committee, but Wednesday’s indictment doesn’t draw a connection between that event and the Yahoo hack.
As she announced the charges, McCord, the acting assistant attorney general, said additional options for punishing Russia for the hack are still on the table. An executive order that former president Barack Obama signed in March, for example, gave the Treasury Department the power to set up economic sanctions in response to cyberattacks or espionage.