Technologist - The FindLaw Legal Technology Blog

U.S. Indicts Russian Spies for Yahoo Hack

In the aftermath of the Yahoo cybersecurity breach, there is some good news and some bad news.

The good news is that the U.S. Justice Department has indicted two Russian spies and two mercenary hackers who orchestrated the theft of 500 million Yahoo accounts in 2014. That theft accounts for a substantial portion of the 1.5 billion hacks that Yahoo discovered last year.

The bad news is that the indictments reveal a scheme so murky that it will take a long time for criminal authorities, lawyers, and technology experts to figure out how to deal with such attacks. The investigation alone took two years.

For the time being, it is a high-water mark in the ongoing cyberwar between U.S. and Russian interests. It is the first time the U.S. has indicted a Russian official.

Damage Done

For Yahoo, the indictments do not solve anything. The corporation's damage -- which translated to about a $350 million loss in its discounted sale to Verizon -- has already been done.

However, the cost of defending against lawsuits and finding remedies for such attacks is not over. According to reports, the hackers could have accessed Yahoo user accounts on Flickr, Tumblr, fantasy sports and other applications. Class-action lawyers, who have already sued the company, now have more to glean from the allegations in the criminal case.

Federal and international investigators put together the case, working out of the FBI's San Francisco office and near Yahoo's offices. The indictment says Russia's Federal Security Service, known as the FSB, wanted to obtain information about journalists, dissidents and U.S. government officials.

The FSB turned to known hackers Alexsey Alexeyevich Belan and Karim Baratov for help in the technologically complicated scheme. It involved "spear phishing" to install malware, "minting" cookies to gain information, and stealing a back-up copy of Yahoo's User Database. With their hacking tools, Belan and Baratov obtained 500 million user names, email addresses, phone numbers, dates of birth and passwords.

Most Wanted List

Belan was on the FBI's most wanted list of cyber criminals, and he had been charged twice before in connection with hacks at tech firms in Nevada and California in 2013. He was in custody in Greece, but made his way back to Russia.

"Rather than arrest him, however, the FSB officers used him," the indictment says. Belan is free in Russia, and the U.S. has no extradition treaty there.

Baratov, the other hacker-for-hire, was born in Kazakhstan but was residing in Canada. He was arrested there and will face charges here.
