If you have found the latest round of allegations accusing Russians of hacking Yahoo confusing, you would be forgiven. The US Justice Department has charged two Russian FSB intelligence officers, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, and two Russian hackers, Karim Baratov and Alexsey Belan, with stealing more than 500 million Yahoo user accounts.
According to the indictment, the entire hack was a carefully orchestrated effort on the part of the FSB, an organisation normally associated with investigating cybercrimes rather than instigating them. The hacked Yahoo accounts were used to get access to emails associated with Russian journalists, Russian and US government officials, and Russian and US employees of a variety of organisations.
Whatever Dokuchaev and Sushchin’s motives, they were obviously not paying the hackers Belan and Baratov enough, because Belan was running a scam on the side, taking a cut on sales of “erectile dysfunction drugs” and searching accounts for gift cards and credit card information.
Another notable wrinkle in the entire case was the fact that Dokuchaev, himself a hacker who had been forced to work for the FSB after being arrested in 2005 for credit card fraud, was arrested in December 2016 for high treason and charged with supplying secrets to foreign governments, including the US.
Whilst a link has not been drawn between the Yahoo breach and the hack of the Democratic National Committee’s email, the accusation of “Russian” involvement in both cases is certainly strongly implied.
Another interesting tidbit from the indictment was the number of Russian officials using Yahoo and Gmail accounts, including a “senior officer” of a Russian webmail and internet-related services provider.
Baratov, who has Canadian citizenship, has been arrested in Canada but the likelihood of the US being able to get its hands on the others is remote.
The US Justice Department has essentially accused the FSB of being behind the Yahoo hack, which implies that the Russian Government and Vladimir Putin would have been involved in some capacity. Mary B. McCord, acting assistant attorney general, stated:
“The involvement and direction of F.S.B. officers with law enforcement responsibilities makes this conduct that much more egregious,”
But this is supposition. The Justice Department in its press conference stressed that its indictment was based on allegations. It is not at all clear that Dokuchaev and Sushchin, if actually involved, were operating in an official capacity or whether they were simply opportunists trying to exploit their links to the other hackers. Clearly the motive for issuing an indictment in the first place is political, rather than there being any chance of bringing criminals to justice. Given Dokuchaev’s past and his association with the Russian hacker group Shaltai-Boltai (Humpty Dumpty), the simplest explanation would be that he was being entrepreneurial at best and a “double agent” at worst.
Given the revelations of the CIA’s hacking arsenal, the idea of a security service hacking Yahoo to obtain access to a vast number of people’s accounts is not surprising. In fact, Yahoo has already provided the US intelligence services with full access to all of its customers’ incoming emails.
Accusing nations of cyberespionage is now becoming a particular tactic of US law enforcement. There is the belief that charging Chinese officials with attacks in 2014 has resulted in a reduction in cyberattacks from China, although it is hard to see how this would have acted as a real deterrent.
What these actions of the US and Russian intelligence services confirm is that it is the nationals of every country that are the targets of cyberintrusions of a systemic kind. Whether it is for information or plain old cybercrime, any communication conducted on the internet is up for grabs. Yahoo knew of the breach and failed to investigate or notify users. The company’s lawyer Ronald Bell has resigned over the affair, and Marissa Mayer, who lost her bonus, is now leaving the company but with a US $23 million severance package. The other factor in this whole case is that the charges over the hack of 500 million user accounts in 2014 have nothing to do with the breach of 1 billion accounts that occurred in 2013, which is still unexplained.