President Donald Trump doesn’t put a lot of stock in security researchers’ ability to track down cyberattackers. When the Democratic National Committee’s systems were breached during the presidential campaign, he shrugged and said just about anyone could have been behind the hacks—even though the intelligence community pointed fingers straight at Russian President Vladimir Putin. “Unless you catch ‘hackers’ in the act, it is very hard to determine who was doing the hacking,” he tweeted in December.
Just before Trump was inaugurated, I wondered if his unwillingness to endorse the practice of cyber-attribution would derail the Justice Department’s pattern of bringing indictments and charges against foreign hackers—and even embolden hackers to launch more cyberattacks, without fear of repercussions.
But while the president cast doubt on the worth of attribution, the Justice Department appears to have pressed on with its campaign to slap foreign hackers with public criminal charges. On Wednesday, the department announced charges against four Russians—two intelligence agents and two hired hackers—for the 2014 data breach at Yahoo that compromised 500 million user accounts.
The two agents worked for a branch of the Russian Federal Security Service, or FSB, called the Center for Information Security. That agency is the FBI’s point of contact within the Russian government for fighting cybercrime—but instead of investigating cyberattacks, the FBI alleges that the two officers participated in one.
The indictment accuses the officers, 33-year-old Dmitry Aleksandrovich Dokuchaev and 43-year-old Igor Anatolyevich Sushchin, of hiring a pair of hackers to help them break into Yahoo’s systems. Mary McCord, the acting assistant attorney general in the Justice Department’s national-security division, said the agents are suspected of orchestrating the cyberattack in their official capacity as members of the FSB.
One of the hackers was already notorious. Alexsey Alexseyevich Belan has already been indicted in the U.S. twice—once in 2012 and once in 2013—and was added to the FBI’s list of most-wanted cybercriminals in 2013. The other hacker, Karim Baratov, was brought on to help hack into 80 non-Yahoo accounts, using information gleaned from the accounts that were already compromised. Baratov, who lives in Canada, was arrested on Tuesday. The other three defendants remain at large in Russia, which doesn’t have an extradition agreement with the United States.
According to the indictment, the hackers had access to Yahoo’s networks all the way until September 2016, two years after they first got in.
When the data breach was announced that month, it was one of the largest single breaches that had ever been made public. But it was eclipsed in December, when the company announced that another breach, this one from 2013, had compromised one billion user accounts. Yahoo said in December that the two hacks were separate—but that it suspected the “same state-sponsored actor” was behind both hacks.
One of the tricks the Russian hackers used to steal information was to forge cookies—small packages of data that track users and tell browsers which accounts a user is signed into, among other things—in order to access at least 6,500 user accounts, the Justice Department alleges. (The 2013 hack also used forged cookies, according to Yahoo.)
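The forged-cookie technique works because a site that trusts the account identifier inside a cookie will let anyone who can mint a plausible cookie into that account. The following Python sketch is an added example, not code from the article or from Yahoo, showing the defensive check a server needs: the cookie carries an HMAC over its claims, and a tampered copy fails verification. The cookie layout, the `SERVER_SECRET` value and the claim names (`uid`, `exp`) are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only; a real service loads it from a
# secrets store, keeps it off the web tier where possible, and rotates it.
SERVER_SECRET = b"example-secret-do-not-use-in-production"


def _sign(payload: bytes, secret: bytes = SERVER_SECRET) -> bytes:
    """HMAC-SHA256 over the serialized claims."""
    return hmac.new(secret, payload, hashlib.sha256).digest()


def _encode_claims(claims: dict) -> bytes:
    # Canonical JSON so the same claims always produce the same bytes.
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()


def issue_cookie(user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Build a session cookie value: base64url(claims) '.' base64url(mac)."""
    issued = int(now if now is not None else time.time())
    payload = _encode_claims({"uid": user_id, "exp": issued + ttl_seconds})
    mac = _sign(payload)
    return f"{base64.urlsafe_b64encode(payload).decode()}.{base64.urlsafe_b64encode(mac).decode()}"


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # covers binascii.Error and a missing '.'
        return None
    # Constant-time comparison so timing does not leak how many MAC bytes matched.
    if not hmac.compare_digest(mac, _sign(payload)):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("uid"), str):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return None
    current = now if now is not None else time.time()
    if current >= exp:
        return None
    return claims["uid"]


def parse_unsigned_cookie(cookie: str) -> Optional[str]:
    """Weak design shown for contrast: trusts whatever uid the client presents."""
    try:
        payload = base64.urlsafe_b64decode(cookie.split(".", 1)[0])
        return json.loads(payload)["uid"]
    except (ValueError, KeyError, TypeError):
        return None


def tampered_copy(cookie: str, new_user_id: str) -> str:
    """Test helper: rewrite the uid claim but keep the original MAC, modelling a
    cookie altered by a party that does not hold the signing secret."""
    payload_b64, mac_b64 = cookie.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["uid"] = new_user_id
    return f"{base64.urlsafe_b64encode(_encode_claims(claims)).decode()}.{mac_b64}"


if __name__ == "__main__":
    genuine = issue_cookie("alice", now=1000)
    altered = tampered_copy(genuine, "bob")
    print("signed check, genuine :", verify_cookie(genuine, now=1500))   # alice
    print("signed check, altered :", verify_cookie(altered, now=1500))   # None
    print("unsigned parse, altered:", parse_unsigned_cookie(altered))   # bob
```

The signature only helps while the secret stays on the server: a party holding the signing key can mint cookies that pass `verify_cookie`, which is why key custody, short expiry, and server-side session revocation matter alongside the MAC.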
The hackers targeted a wide range of people: government officials, intelligence and law enforcement agents, and employees of an unnamed “prominent Russian cybersecurity company.” They also accessed accounts that belonged to private companies in the U.S. and elsewhere, the indictment claims.
Some of the information was probably useful for the intelligence officers, but Belan, the hired hacker, appears to have used the opportunity presented by the enormous trove of stolen Yahoo accounts to make a little money. He searched emails for credit-card and gift-card numbers, and scraped the contact lists from at least 30 million accounts for use in a large-scale spam campaign.
The FBI is also investigating Russian cyberattacks on the Democratic National Committee, but Wednesday’s indictment doesn’t draw a connection between that event and the Yahoo hack.
As she announced the charges, McCord, the acting assistant attorney general, said additional options for punishing Russia for the hack are still on the table. An executive order that former president Barack Obama signed in March, for example, gave the Treasury Department the power to set up economic sanctions in response to cyberattacks or espionage.
FBI and Justice Department officials have said in the past that bringing public charges against foreign hackers for state-sponsored cyberattacks can deter others from hacking American people and organizations. Belan clearly wasn’t deterred by the charges brought against him in 2012 and 2013, but it’s possible that the prospect of joining the cyber most-wanted list has convinced other, lower-profile hackers not to participate.
Paul Abbate, the executive assistant director in the FBI’s cybercrime branch, said the government has formally requested that Russia send the defendants to be tried in the U.S. But without an extradition treaty, and given that Russia’s own intelligence service is implicated in the indictment, working together will be, as Abbate delicately put it, a challenge. “We can now gauge the level of cooperation we’ll see from them,” he said.