Acting Assistant Attorney General for National Security Mary McCord accused two Russian security officials and two cyber criminals on Wednesday of carrying out a 2014 hack of Yahoo! (YHOO) that resulted in the theft of info about 500 million subscriber accounts.
Yahoo! suffered an even larger hack of one billion accounts in 2013. McCord did not address the 2013 attack in her presentation. However, Yahoo! Assistant General Counsel and Head of Global Law Enforcement, Security & Safety Chris Madsen said, "we linked some of that activity to the same state-sponsored actor," in a statement on Wednesday.
The announcement comes as Yahoo is closing its $4.48 billion sale of its operating business to Verizon (VZ). Because of the hacks, Yahoo! shaved $350 million off the sale price. The attacks underscore the increased scale of risk that companies and individuals face as governments and cyber criminals ramp up the size of their attacks, and heighten the importance of security reviews in M&A due diligence.
The government has charged FSB officers Dmitry Dokuchaev and Igor Sushchin, as well as Russian hacker Alexsey Belan and Canadian resident Karim Baratov.
The Federal Security Service of the Russian Federation, known as the FSB, is the successor to the KGB. The FSB officers protected, "directed, facilitated and paid criminal hackers" to hack accounts of Yahoo! and Google users, among other actions, according to investigators. The Russian officials shared cyber crime techniques, tools, procedures and cookies that would enable accounts to be hacked, the U.S. government alleges.
McCord called the FSB the FBI's "point of contact in Moscow for cyber crime," making the incursion "that much more egregious." The officers were acting in their official capacity, the U.S. government alleges.
"We are seeing more and more use by nation states of criminal hackers to carry out some of their intentions," McCord added, saying that Russia is not unique in this tactic.
The alleged tag team of Russian security officers and cyber criminals highlights the range of forces trying to break into communications networks for geopolitical or economic gain.
"Organizations may have been under the false impression that state sponsored hacking was aimed at other governments - or at worst, political parties," Imperva (IMPV) vice president of marketing Tim Matthews said in an emailed statement. "Now we have learned that elite teams of state sponsored conspirators and hackers are also seeking access to corporate data."
The Imperva executive likened Russia's government hiring cyber crooks to the historical practice of nation states enlisting mercenary soldiers.
"In this case, after collecting the data on their political targets, which includes employees of commercial entities in transportation and financial services, the hackers were given free rein with the spoils - the data from 500 million Yahoo users," Matthews said.
When asked whether U.S. law enforcement could work effectively with Russian officials on future cases, FBI Assistant Director for the Criminal, Cyber, Response and Services Branch Paul Abbate said, "That's a challenge. This case is going to be a great test of that."
The U.S. will request extradition of Belan, Dokuchaev and Sushchin, Abbate said.
Belan is on the FBI's Cyber Most Wanted list. Arrested in Europe in 2013, he escaped to Russia before extradition. "Instead of acting on the U.S. government's Red Notice and detaining Belan after his return, Dokuchaev and Sushchin subsequently used him to gain unauthorized access to Yahoo's network," a Department of Justice statement asserts. Yahoo! said that the hackers also forged cookies to break into accounts in 2015 and 2016.
Editor's pick: This story was originally published at 5:30 pm on March 15
In a statement on Tumblr, Yahoo! wrote that "this morning's announcement is consistent with our prior disclosures" and noted that "the indictment unequivocally shows the attacks on Yahoo were state-sponsored."
Among the targets of the Yahoo! hack were Russian and U.S. government officials, Russian journalists, employees of financial services providers and others, according to the government.
McCord advised corporate victims of hacking to seek out the U.S. government's assistance. "It is not a fair fight and it is not a fight you are likely to win alone," she said.
McCord would not say whether the hacks were related to breaches of the Democratic National Committee, and declined to comment on wiretaps of President Trump before he took office.
Disclosures of the two massive attacks came in September and December of last year, months after Yahoo! agreed to a roughly $4.8 billion sale of its core business to Verizon. The breaches brought attention to the importance of cyber security in M&A due diligence, and caused Verizon to rethink the purchase.
The buyer initially sought a price cut of up to $925 million, but later agreed to a $350 million discount in February. In addition, Yahoo's chief counsel, Ron Bell, resigned from the company after a company investigation found that executives failed to respond properly to the 2014 security breach. Yahoo! CEO Marissa Mayer was also denied her 2016 cash bonus.
The deal parties also divvied up responsibility for the financial repercussions of the hacks. Post-sale Yahoo!, to be known as Altaba, will pay for half of cash liabilities from government investigations excluding the Securities and Exchange Commission, and for third-party litigation. Altaba is solely responsible for shareholder lawsuits and liabilities from the SEC's investigation.
The Internet group said on Monday that Yahoo! Director Thomas McInerney will replace Marissa Mayer as CEO following the deal close. McInerney chaired the Strategic Review Committee that engineered the sale to Verizon, and is a former CFO of Barry Diller's media and Internet group IAC (IACI). Separately, Yahoo! financial executive Alexi Wellman will take Ken Goldman's place as CFO.