Grand jury indicts 4 hackers for 2014 Yahoo breach
- A grand jury has indicted four defendants in connection with the 2014 Yahoo breach, alleging computer hacking, economic espionage and criminal offense, the Department of Justice announced Wednesday. The defendants include two Russian Federal Security Service (FSB) officers.
- The indictment alleges the FSB officers Dmitry Dokuchaev and Igor Sushchin "protected, directed, facilitated and paid" hackers Alexsey Belan, a Russian national and U.S. resident, and Karim Baratov, a resident of Canada, to access Yahoo's systems to steal the user account information of more than 500 million users.
- From there the defendants allegedly used the stolen information to access accounts on other email providers, such as Google. Belan also allegedly used the stolen information to search Yahoo user communications for credit card and gift card account numbers and used stolen user information to "facilitate a spam campaign" for more than 30 million Yahoo accounts.
In it's announcement, the Justice Department highlighted how the investigation was successful because of cooperation between the private and the public sector. The FBI and the DOJ worked with Yahoo and Google on the investigation to discover who was allegedly responsible for hacking into Yahoo and accessing millions of email accounts.
Since Yahoo first disclosed the breach, it alleged a "state-sponsored actor" was responsible for the attack. Some research firms, however, were quick to knock its claims, believing the firm was hacked by a group of professional black hats known as "Group E."
Even if it is proven the defendants were the ones responsible for the large-scale breach, it will not make up for the full impact of Yahoo's breach. Following revelations of the breach, Yahoo's general counsel resigned, Verizon received a discount on its purchase price, and Yahoo CEO Marissa Mayer is unlikely to remain with the company.
No matter who was responsible, the cybersecurity shortcomings at Yahoo were systemic. Investigations into its practices revealed the company did not take threats and reports of intrusion seriously, leading to one of the largest data breaches on record.
Should the defendants prove guilty, it also highlights an increasing entanglement between nation-state actors and private companies, something that was first seen during the Sony Pictures hack in 2014. Rather than hackers breaking into systems for financial gain, nation states look to gain access to steal proprietary information they can leverage.
Follow Naomi Eide on Twitter