Four people, including two Russian intelligence officers, have been charged in two Yahoo hacking attacks that compromised the personal information of hundreds of millions of consumers, the Justice Department said Wednesday.
Federal prosecutors alleged the suspects hacked into Yahoo systems to "steal information from about 500 million accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers."
This marks the first time the U.S. government has issued criminal charges against Russian officials for cyber attacks.
"The indictment unequivocally shows the attacks on Yahoo were state-sponsored," Chris Madsen, Yahoo's assistant general counsel and head of global law enforcement, said in a statement. "We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible."
Yahoo said when it revealed the security breach in September that it believed the attack was state-sponsored. It disclosed a second security breach in December that was even larger than the first, affecting approximately one billion Yahoo accounts. That breach has not been connected to the first.
The two FSB officers charged are Dmitry Dokuchaev and Igor Sushchin of Russia's Federal Security Service. They allegedly paid hackers to break into Yahoo's systems as part of an intelligence collection operation and for-profit scheme to "line the pockets" of all involved, federal prosecutors alleged.
“The defendants targeted Yahoo accounts of Russian and U.S. government officials, including cyber security, diplomatic and military personnel,” Assistant Attorney General Mary McCord said at a Justice Department briefing in Washington. “They also targeted Russian journalists…employees of financial services and other commercial entities.”
McCord, who heads Justice’s National Security Division, said the FSB officers worked with hackers Alexsey Belan and Karim Baratov to breach the computers of American companies that provide email and Internet-related services and to “steal information, including information about individual users and the private contents of their accounts.”
Belan, indicted twice before in the U.S. for hacking into e-commerce sites as part of intrusions that victimized millions, has been listed as one of the FBI’s most-wanted cyber criminals for three years.
“Belan’s notorious criminal conduct and a pending Interpol Red Notice (a global arrest warrant) did not stop the FSB officers who, instead of detaining him, used him to break into Yahoo networks,” McCord said.
Baratov, who was born in Kazakhstan and is a Canadian citizen, was also named in the indictment. Baratov was arrested in Canada on Tuesday and his case is now pending with Canadian authorities, the Justice Department said.
Yahoo, which is selling its core Internet business to Verizon, has paid a heavy price for the security breaches. Verizon negotiated a price reduction, trimming $350 million from the acquisition of Yahoo for a total of $4.48 billion. And the two companies will share some legal and regulatory liabilities arising from the breaches.
Yahoo CEO Marissa Mayer agreed to forgo any annual equity award she might get for 2017 because of the massive breach her company suffered in 2014.
The Yahoo board also voted to withhold her 2016 annual bonus, usually around $2 million, for the same reason. Under her contract, her equity award is not to be less than $12 million per year. Yahoo's general counsel Ronald S. Bell resigned from the company and received no payout.