U.S. Charges Russian FSB Officers & Their Criminal Conspirators for Hacking Yahoo…


MS. MCCORD: Good morning, and thank you for being
here today. I’m Mary McCord. I’m the Acting Assistant Attorney General
for the National Security Division at the Department of Justice. And with here — me today is FBI Executive
Assistant Director Paul Abbate, U.S. Attorney for the Northern District of California Brian
Stretch, and Office of International Affairs Director Vaughn Ary. We’re here to announce a major law enforcement
action related to one of the largest data breaches in U.S. history. Today we are announcing the indictment of
four individuals responsible for the 2014 hack into the network of email provider Yahoo,
the theft of information about at least 500 million Yahoo accounts, and the use of that
information to obtain the contents of accounts of — at Yahoo and other email providers. The defendants include two officers of the
Russian Federal Security Service, an intelligence and law enforcement agency of the Russian
Federation, and two criminal hackers with whom they conspired
to accomplish these intrusions. Dmitry Dokuchaev and Igor Sushchin, both FSB
officers, protected, directed, facilitated, and paid criminal hackers to collect information
through computer intrusions in the United States and elsewhere. They worked with co-conspirators Alexsey Belan
and Karim Baratov to hack into the computers of American companies who provide email and
internet-related services to maintain unauthorized access to those computers and to steal information,
including information about individual users and the private contents of their accounts. The defendants targeted Yahoo accounts of
Russian and U.S. Government officials, including cybersecurity,
diplomatic, and military personnel. They also targeted Russian journalists, numerous
employees of other providers whose networks the conspirators sought to exploit, and employees
of financial services and other commercial entities. Belan has been indicted twice before in the
United States for three intrusions into e-commerce companies that victimized millions of customers,
and he has been one of the FBI’s most wanted cyber criminals for more than three years. Belan’s notorious criminal conduct and a pending
Interpol Red Notice did not stop the FSB officers who, instead of detaining him, used him to
break into Yahoo’s networks. Meanwhile, Belan used his relationship with
the two FSB officers and his access to Yahoo to commit additional crimes to line his own
pockets with money. Specifically, Belan used his access to Yahoo
to search for and steal financial information, such as gift card and credit card numbers,
from users’ email accounts. He also gave access to more than 30 million
Yahoo accounts, whose contacts he then stole to facilitate an email scam. With these charges, the Department of Justice
is continuing to send the powerful message that we will not allow individuals, groups,
nation states, or a combination of them to compromise the privacy of our citizens, the
economic interests of our companies, or the security of our country. For those who may not be familiar with the
FSB, it is an intelligence and law enforcement agency and a successor to the Soviet Union’s
KGB. The FSB unit that the defendants worked for,
the Center for Information Security, also known as Center 18, is also the FBI’s point
of contact in Moscow for cybercrime matters. The involvement and direction of FSB officers
with law enforcement responsibilities makes this conduct that much more egregious. There are no free passes for foreign state-sponsored
criminal behavior. Through the work of the National Security
Division, the FBI, the United States Attorney’s offices around the country, we continue to
pursue national security cyber threats using all available tools to investigate malicious
activity and attribute it to the country, agency, and even the individuals involved. When possible and supported by the evidence,
we intend to charge those individuals and bring them to justice. As I wrap up, I am also pleased to announce
that a fourth co-conspirator charged in the indictment, Karim Baratov, was arrested just
yesterday in Canada on a U.S. Government provisional arrest warrant. I’d like to thank all of those who worked
diligently to bring the investigation to this point, including the men and women of the
National Security Division, the FBI, and the U.S. Attorney’s offices for the Northern District
of California and the Criminal Division’s Office of International Affairs for their
tireless work. I’d also like to extend a special thanks to
Yahoo and Google, whose customers were targeted and who cooperated with law enforcement. It is very important for corporations around
the country to know that when you are going against the resources and backing of a nation
state, it is not a fair fight, and it is not a fight you are likely to win alone. But you do not have to go it alone. We can put the full capabilities of the United
States behind you to make cases like this, but we cannot do it without your help. At this time, I’d like to introduce FBI Executive
Assistant Director Paul Abbate, who will provide additional details on today’s announcement.

MR. ABBATE: Thank you, Mary. Good morning,
everyone, and welcome. Today’s announcement is a testament to the
tremendous work and extraordinary efforts that have been done to identify and hold accountable
those individuals believed to be responsible for this significant breach of Yahoo’s networks
and information technology systems. This indictment details how Russian Federal
Security Service officers, working together with criminal hackers, conspired a plan to
carry out one of the largest cyber intrusions in U.S. history. These perpetrators compromised the company’s
networks, along with the accounts and personal information of approximately 500 million Yahoo
users and, further, stole millions of user contacts in order to carry out fraud schemes
for their own personal financial gain and enrichment, among other things. I want to note this was a highly complex,
long-term investigation that has only reached this stage as a result of the relentless and
persistent and dedicated efforts of the team. It also further underscores the immense and
essential value of early, proactive engagement and cooperation between
the private sector and the government. Our ability to identify, detect, and ultimately
hold cybercriminals accountable under the law while preventing and mitigating harm is
contingent upon our ability to work closely and cooperatively with companies and individuals
who are targeted and victimized, as in this case. As Mary noted, yesterday’s arrest of co-conspirator
Karim Baratov in Canada, which was executed by the Toronto Police Service’s Fugitive Squad,
demonstrates our total and unyielding commitment to finding and bringing to justice cybercriminals
no matter where they operate or reside. The criminal hackers in this case used a variety
of techniques to access the information they sought, including email spear phishing, downloading
malicious files and code onto Yahoo’s networks, leasing servers in the U.S. and around the
world to carry out their scheme and avoid detection, and registering email accounts
using false subscriber information. As this indictment demonstrates, regardless
of what methods are employed or where the criminal
actors live, if you illegally target U.S. citizens or American companies, you will be
identified, pursued, and held to account wherever you are. I want to highlight and commend the exceptional
work of the FBI San Francisco Field Office, the FBI Cyber Division, the U.S. Attorney’s
Office for the Northern District of California, and our partners here at the Department of
Justice in the National Security Division. Thank you to all of those involved for your
outstanding and ongoing contributions to resolving this case. We are extremely grateful as well to our international
partners for their assistance and support leading up to these criminal charges today. Those partners include Canada’s Royal Canadian
Mounted Police and, as mentioned, the Toronto Police Service and their Fugitive Squad. As well, the United Kingdom’s MI5 made substantial
contributions to the advancement of this investigation, also. I want to thank, additionally, our FBI legal
attache personnel in Ottawa and in London for their
great work in supporting and moving forward the operations and investigations that underlie
the charges today. And I want to close by saying that we at the
FBI, together with our partners in the DOJ, will continue to work hard day in and day
out together with our interagency, international, and private sector partners to, one, identify
those who conduct cyberattacks against the United States and our allies; two, to identify
and expose them to the world; and three, most importantly, to hunt them down and hold them
responsible no matter where they live or where they attempt to hide. Thank you all for being here today. And with that, I’d like to turn it over to
Brian Stretch, the U.S. Attorney for the Northern District of California.

MR. STRETCH: Paul, thank you. My name is Brian Stretch. I’m the U.S. Attorney in San Francisco. I’m pleased to join the Head of National Security
Division and the Executive Assistant of the FBI to advise you of the criminal charges
returned (ph) in connection with the widely reported Yahoo breach that occurred in 2014. As an important reminder to everybody, the
criminal charges in the indictment announced today are allegations only, and all four defendants
are presumed innocent unless and until proven guilty. We are joined today by the investigating AUSA,
National Security Division lawyers, and experienced FBI agents, who worked tirelessly with Yahoo
and Google to identify the responsible parties and their methods and means for perpetrating
one of the largest data breaches ever. Silicon Valley is home to the world’s leading
technology companies. The Valley’s computer infrastructure provides
the means by which people around the world communicate with each other in business and
in their personal lives. Every day, criminal hackers endeavor to gain
unauthorized access to personal and proprietary information for nefarious purposes. The Department of Justice and the technology
companies together share a common goal and responsibility to protect private communications
from cybercriminals. The privacy and security of our inner base
— internet-based communications must be governed by the rule of law. People rightly expect that the government
and technology companies both will make every effort to ensure that communications through
internet providers will remain private. Exceptions to this principle should be few
and governed by law. To this end, in recent years, the DOJ has
made cybersecurity a top priority and has taken a number of steps to protect the public
from cybercrime. Part of this effort has involved conducting
extensive outreach throughout Silicon Valley and elsewhere to encourage service providers
to report unauthorized intrusions and the theft of trade secrets. Both the DOJ and the technology companies
throughout the country are beginning to see fruits of this outreach. The benefits of reporting intrusions to the
U.S. Government include the following. The companies are able to obtain assistance
from the government to determine the scope and extent of the intrusion and to determine
the identity of the hackers. The companies are also able to obtain information
about what use the hackers put to the stolen information that has been obtained. And by working with investigators, the companies
can target and limit investigatory methods so as to prevent unnecessary access to the
private records of innocent victims and account holders. Regardless — regarding the hacks we are talking
about today, Yahoo and Google informed DOJ of the data breaches, cooperated extensively
with the FBI and DOJ attorneys to investigate the intrusions. And by leveraging the combined efforts of
the government and the service providers, they assisted in effectuating a targeted,
streamlined, and effective investigation. The update to this type of approach — the
responsible parties have been identified, charges have been returned, one defendant
has been arrested, and arrest warrants have been issued for the remaining defendants. Importantly, the cooperative efforts of the
government and the private sector in this instance
allowed the U.S. Attorney’s Office, along with the National Security Division and the
FBI, to accomplish these initial results while maintaining the fundamental privacy interests
of the account holders who had their information stolen. We commend both Yahoo and Google for working
with our office, the FBI, and the National Security Division lawyers to identify and
seek justice for the perpetrators of these intrusions. I’ll turn it back to Mary.

MS. MCCORD: We’ll take a few questions now.

REPORTER: What do you see as the purpose of this conspiracy? Was it financial gain? Or was it intelligence gathering?

MS. MCCORD: So what the indictment alleges is that these FSB officers used criminal hackers to gain information that, clearly, some of which has intelligence value. But in doing so and in using criminal hackers to do so, the criminal hackers used this opportunity, also, to line their own pockets and — for private financial gain.

REPORTER: Ms. McCord, you said this morning at the Financial Times seminar that the government has a number of tools at its disposal, including prosecution. Will the U.S. seek other means other than these indictments to go after the Russians — sanctions, trade limitations?

MS. MCCORD: I think those are things that have yet to be determined. We — as you noted, we are committed to using all tools. And we certainly — in this case, we were able to develop the evidence to the point where we were able to bring criminal charges consistent with the standard required for that. But that doesn’t mean we won’t look to see if there are other tools that might be available.

REPORTER: Well, will you look to see if there are other tools?

MS. MCCORD: I think we will definitely engage in those discussions and considerations.

REPORTER: Is expulsion of a diplomat one of those?

MS. MCCORD: For this type of matter, that’s certainly nothing that we’ve been — you know, that I’m prepared to address today.

REPORTER: Also, (inaudible – off mic), you
have referenced two of the indicted members of the Center , which was the FBI point of contact in Moscow on cybercrime matters, and you described the (inaudible – off mic) beyond obtainable (ph). Would it be just natural (ph) for people to use that to exploit this?

MS. MCCORD: I think what is —

REPORTER: Does this speak of a certain degree of (inaudible – off mic) on the part of the U.S. Government?

MS. MCCORD: So I don’t think it does. The point there is these are the very people that we are supposed to work with cooperatively in law enforcement channels. And rather than do that type of work, they actually turned, you know, sort of against that type of work. And I can certainly pass to Paul if he has any additional comments.

MR. ABBATE: I would just add we’ve had limited cooperation with that element of the Russian Government in the past. In this case, with respect to Belan, we have asked — he has been charged previously, also, in one case out of the Northern District of California and also in Nevada back in 2012. We have asked for his return in 2014 through official channels to the Russian Government, and we’ve had no response. And I think that is reflective of the relationship and the approach we needed to take in this case in terms of the lack of cooperation we’ve gotten.

REPORTER: Does the relationship need to change
or end?

MR. ABBATE: We want — we need and have to have cooperation from all international partners in order to resolve cases like this, among many other threats that we face. But when we look at this case — and I’m speaking to this case now — we expect and hope for the cooperation here. And in fact, post this announcement, we’re going to go out with another official request not just for Mr. Belan, again, but also for the other two individuals that are charged here and are residing in Russia now. We’ll see what happens.

REPORTER: Somebody else asked the question. How — this model that you’re alleging of FSB officers working with criminal hackers, is this sort of the (inaudible – off mic) that we’re seeing in Russia (inaudible – off mic) carry out? And how were you able to make the (inaudible – off mic) all four (inaudible – off mic)?

MS. MCCORD: So to take your first question, I don’t — I’m not going to be specific as to Russia on that. We are certainly seeing more and more use by nation states of criminal hackers to, you know, carry out some of the — their intentions. That, I don’t think, is necessarily unique to Russia in this particular case to the FSB. And the indictment, I think, alleges in pretty great detail the conspiracy among these four men, the sharing of infrastructure and hacking techniques and tools and procedures, the sharing of the cookies that were minted to be able to gain access into accounts, and the, really, contracting (ph) with Baratov to do additional intrusions into account holders of other email providers, such as Google.

REPORTER: Ms. McCord, do you know if there
is a connection between this case and Russia with the (inaudible – off mic) in the election (inaudible – off mic). Can you speak to the president (inaudible – off mic) he himself (inaudible – off mic) surveillance (inaudible – off mic)?

MS. MCCORD: So our indictment doesn’t allege any connection between this intrusion and the intrusions into the DNC. That’s a separate investigation, and I have no comment on the —

REPORTER: But the — was — the FSB was involved in both (inaudible – off mic) coincidently because these were separate operations for (inaudible – off mic) Yahoo and Google and other parts of the Agency (inaudible – off mic) happening at DNC in the election process?

MS. MCCORD: We just — we don’t have anything that suggests in our indictment that there’s any relationship between those.

REPORTER: And you —

MS. MCCORD: And that’s an ongoing investigation.

(Crosstalk.)

REPORTER: To follow up on that remark, is there any evidence that you’ve uncovered? I understand the indictment does not address it. But did the investigators uncover any evidence? Or is it the same model that you saw with respect to (inaudible – off mic)?

MS. MCCORD: I’m not sure I’m fully understanding your question about is this the same model that we saw. And so if you’re talking about use of criminal hackers, I don’t know if that’s what you’re talking about. But that’s an ongoing and separate investigation, and I really don’t have any further —

(Crosstalk.)

REPORTER: In your remarks, you did not specify whether these two FSB officers —

MS. MCCORD: I’m sorry. I —

REPORTER: In your remarks, you did not specify whether these FSB officers were acting individually or on behalf of the FSB.

MS. MCCORD: Well, the —
REPORTER: That’s the first question. The second question is Mr. Belan, based on the FBI, once (ph) you had said he’s a Latvian national (ph). In your — the Department of Justice statement, it says he is a Russian. So (inaudible – off mic)?

MS. MCCORD: So we will have to get back to you with any correction there —

REPORTER: Because it’s —

(Crosstalk.)

REPORTER: You have two official documents with this contradiction (ph). Yeah, can you answer the first question, though?

MS. MCCORD: I no longer recall your first question.

(Laughter.)

REPORTER: I’m sorry. The first question is whether these two FSB officers were acting individually or on behalf

MS. MCCORD: Oh, right.

REPORTER: — agency.

MS. MCCORD: So when they’re — as our indictment alleges and as we have reason to believe, based on our evidence, they were acting in their capacity as FSB officials.

(Crosstalk.)

REPORTER: The Attorney General is quoted in the presser (ph). I just want to clarify. He is not recused from the investigation?

MS. MCCORD: He is not recused from this investigation.

REPORTER: Thank you.

REPORTER: (inaudible – off mic) use the authority (inaudible – off mic) and then President Obama worrying about malicious cyber hacking to freeze the assets (inaudible – off mic). Is that (inaudible – off mic)?

MS. MCCORD: Well, I mean, there is. As you are aware from this morning’s presentation, there is an executive order that allows for sanctioning in certain circumstances, including circumstances involving economic espionage. So again, to go back to sort of my response to Pete’s (ph) question, I think the tools that are potentially on the table remain on the table.

REPORTER: And then for Paul, can you just
talk a little bit more about how you’re going to maintain, or if it’s possible to maintain, a trusting, working relationship between the FBI and the FSB within these indictments? Just how does that work?

MR. ABBATE: I think that’s a challenge. It’s something that I continue to work at. And I think this case is going to be a great test of that so we can engage to a level of cooperation we get from them. Now having charged these individuals, we would like to see the full cooperation and assistance in bringing these individuals in justice — to justice and further aiding us in — by expanding the scope of the investigation. Absolutely.

REPORTER: May I ask about Dokuchaev? He had a history before going to the FSB of operating in the dark web and using his alias of Forb. Do you have any details about whether he continued using that alias and continued to conduct the criminal activity once he was formally a part of the FSB? And which dark web forum did he operate on? And what kind of criminal activity did he engage in?

MS. MCCORD: So I’m not prepared to address those questions. I’m prepared to talk about what we addressed (ph) in this indictment.

REPORTER: So to go back to clarify the earlier
question, did you see a similar strategy for modeling that was used in DNC hack (inaudible – off mic)?

MS. MCCORD: So that’s an ongoing investigation, and so it’s not one that I’m prepared to discuss what we’ve seen and how — what the status of that is.

REPORTER: Has the DOJ or FBI heard anything from the Russian Government as far as possibility of extradition?

MS. MCCORD: We do not have an extradition treaty with Russia. We would hope that they would respect our criminal justice system and respect the — these charges and what they need to do.

MR. RAIMONDI: All right. Last question.

REPORTER: When can we expect the Canadian to come to the United States (inaudible – off mic)?

MS. MCCORD: So that’s an ongoing pending matter, which extradition will be requested. But I can’t estimate what kind of timeline that would be on.

REPORTER: I just want to — I have one further on a previous question. Do you or the Justice Department have any evidence that the president was wiretapped (inaudible – off mic)?

MS. MCCORD: That’s not part of this indictment or what we’re here to discuss today. So …

MR. RAIMONDI: All right. Thanks very much, folks. Thank you.
