Canadian Allegedly Aided Russians Who Perpetrated Massive Yahoo Data Breach
A Canadian man accused of helping Russian intelligence agents who allegedly oversaw the hacking of 500 million Yahoo users’ accounts made his first appearance in a U.S. federal courtroom on Wednesday, where he pleaded not guilty, according to his lawyer.
Karim Baratov, 22, arrived in the San Francisco area Tuesday after being extradited from Canada to face charges that he used spear-phishing attacks to obtain the webmail passwords for at least 80 individuals (see Alleged Yahoo ‘Hacker for Hire’ Waives Extradition Hearing).
Baratov was one of four men named in a 47-count indictment, dated Feb. 28 and unsealed March 15. The indictment charges the suspects with computer hacking, economic espionage and other criminal offenses tied in part to the massive 2014 mega-breach of Yahoo.
Prosecutors have accused Baratov of being a “hacker for hire” for Dmitry Dokuchaev, 33, an officer at Russia’s Federal Security Service, or FSB, and his superior, Igor Sushchin, 43, who allegedly posed as the head of information security for a Russian investment bank. A fourth man, Alexsey Belan, a 29-year-old Russian citizen who was born in Latvia, has also been charged.
Yahoo accounts allegedly accessed as part of the attacks included ones used by Russian journalists, U.S. and Russian government officials and “employees of a prominent Russian cybersecurity company,” as well as personal accounts used by employees of a Russian investment banking firm, a French transportation company, U.S. financial services firms and a Swiss bitcoin wallet, according to the indictment.
Charge: Spear-Phishing Attacks
Baratov, however, has not been accused of directly participating in the Yahoo hack, but rather of launching spear-phishing attacks against FSB targets of interest who used non-Yahoo webmail accounts. His alleged targets included users of Gmail “and other webmail provider accounts,” including accounts used by an assistant to the Deputy Chairman of the Russian Federation, an officer of the Russian Ministry of Internal Affairs, and a physical training expert working for Russia’s Ministry of Sports, amongst others, according to the indictment.
Allegedly, Baratov would receive a bounty for every account for which he was able to obtain access credentials, although it’s not clear how much Baratov might have earned in total from his alleged work. “Dokuchaev paid Baratov money and other things of value aggregating at least $1,000 for unauthorized email account access during a one-year period, from April 17, 2015 through April 17, 2016,” according to the indictment.
The U.S. government is seeking all funds from the PayPal account – in the name of Elite Space Corporation – via which Baratov was allegedly paid, as well as his grey Aston Martin DBS – license plate “MR KARIM” – and his black Mercedes Benz C54.
This case marks only the second time that the Justice Department has brought hacking charges against foreign intelligence officers, following the 2014 indictment of five Chinese army officers for hacking American corporate computers to steal intellectual property.
Baratov Waived Extradition
Baratov is a Canadian citizen who was born in Kazakhstan, a Central Asian country and former Soviet republic. He emigrated to Canada with his family in 2007. “Canada can give the best opportunity for the young generation and that’s why we moved to Canada,” his father told CNN in March.
In Ontario court on Friday, Baratov waived his right to an extradition hearing. If he had contested the extradition, then Canada’s justice minister would have had 90 days to approve his extradition to the United States, and U.S. prosecutors would not have been able to bring any additional charges against him. But his attorney, Toronto-based Amedeo DiCarlo, said Baratov, who has remained incarcerated since his arrest in Ontario on March 14, is eager to fight the charges.
DiCarlo tells Information Security Media Group that his client’s extradition proceeded rapidly, and that Baratov’s first hearing in U.S. Federal Court in the Northern District of California, in San Francisco, was on Wednesday morning, where Christopher Ott, a Justice Department prosecutor who specializes in cybersecurity cases, read the list of charges against him.
Baratov’s defense attorneys in the United States are Andrew Mancilla and Robert Fantone. He entered a not-guilty plea on Wednesday and has been remanded until Tuesday, when his case will continue with a bail hearing, DiCarlo says.
Three Suspects Remain in Russia
Baratov is the only suspect in this case to have been detained by U.S. authorities, and it’s unlikely the others will ever appear in a U.S. courtroom.
Prosecutors say the other three suspects remain in Russia. To date, Russia has never extradited a cybercrime suspect.
Belan had been arrested in Greece in 2013 on an Interpol “red notice” issued by the United States in relation to separate charges, and has been on the list of the FBI’s “most wanted hackers” since 2012. But after posting bail in Greece, he fled to Russia, where Dokuchaev and Sushchin put him to work hacking into Yahoo accounts, according to the indictment.
From 2014 until mid-2016, according to the indictment, Belan enjoyed unlimited access to Yahoo user accounts, thanks in part to obtaining a copy of Yahoo’s complete user database. “Belan also obtained unauthorized access on behalf of the FSB conspirators to Yahoo’s Account Management Tool (AMT), which was a proprietary means by which Yahoo made and logged changes to user accounts,” according to the indictment. “Belan, Dokuchaev and Sushchin then used the stolen [Yahoo User Database] copy and AMT access to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 such accounts without authorization.”
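The indictment’s phrase “mint cookies” means producing session cookies that the webmail service accepts as though the account holder had just logged in, without ever touching the password. The following is an added illustration, not code from the article, from the indictment or from Yahoo, whose actual session design is not described in the passages quoted here. It assumes a hypothetical service in which a cookie carries an HMAC tag under a server-held key and, separately, every issued session is recorded server-side. The point for defenders is that the tag alone is not enough: a cookie whose session was never issued is rejected and logged even when its signature verifies, revoking a user’s sessions kills outstanding cookies, and rotating the signing key invalidates everything at once. All account names and keys below are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class SessionService:
    """Hypothetical session-cookie service, constructed for this example.

    Cookie format: "user|session_id|tag". The tag is an HMAC-SHA256 over the
    first two fields under a server-held key; the session_id is also recorded
    server-side when issued. Validation therefore requires both a correct tag
    and a registered session, and every rejection is written to an audit list
    that a detection pipeline could consume.
    """

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)          # constructed signing key
        self.sessions: dict[str, str] = {}           # session_id -> user
        self.audit: list[tuple[str, str]] = []       # (reason, subject)

    @staticmethod
    def _tag(key: bytes, user: str, session_id: str) -> str:
        return hmac.new(key, f"{user}|{session_id}".encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str) -> str:
        """Normal login path: register a fresh session and return its cookie."""
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = user
        return f"{user}|{session_id}|{self._tag(self.key, user, session_id)}"

    def validate(self, cookie: str) -> Optional[str]:
        """Return the user for a valid cookie, else None plus an audit entry."""
        parts = cookie.split("|")
        if len(parts) != 3:
            self.audit.append(("malformed", cookie[:40]))
            return None
        user, session_id, tag = parts
        # Constant-time compare of the presented tag against a freshly computed one.
        if not hmac.compare_digest(tag, self._tag(self.key, user, session_id)):
            self.audit.append(("bad_signature", user))
            return None
        # A verifying tag is still rejected if no such session was ever issued.
        if self.sessions.get(session_id) != user:
            self.audit.append(("unregistered_session", user))
            return None
        return user

    def revoke_user(self, user: str) -> int:
        """Drop every registered session for one account (e.g. after a password reset)."""
        doomed = [sid for sid, owner in self.sessions.items() if owner == user]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)

    def rotate_key(self) -> None:
        """Invalidate every outstanding cookie at once by replacing the signing key."""
        self.key = secrets.token_bytes(32)
        self.sessions.clear()


def unissued_cookie(key: bytes, user: str) -> str:
    """Simulated cookie produced outside the login path (stands in for 'minting').

    The producer knows the account name, as anyone holding a user-database copy
    would, and is given some signing key. issue() is never called, so no
    session is registered for the resulting cookie.
    """
    session_id = secrets.token_hex(16)
    return f"{user}|{session_id}|{SessionService._tag(key, user, session_id)}"


def run_scenarios() -> dict:
    """Exercise the four cases a defender cares about and return the outcomes."""
    svc = SessionService()
    alice = "alice@example.invalid"                 # constructed account name
    legit = svc.issue(alice)
    results = {"legit": svc.validate(legit)}

    # 1. Producer holds only account names, not the key: signature check fails.
    results["db_only"] = svc.validate(unissued_cookie(secrets.token_bytes(32), alice))
    # 2. Producer holds the real key: tag verifies, session registry still rejects.
    results["key_compromise"] = svc.validate(unissued_cookie(svc.key, alice))
    # 3. Revocation after a password reset also kills the legitimate cookie.
    results["revoked_count"] = svc.revoke_user(alice)
    results["after_revoke"] = svc.validate(legit)
    # 4. Key rotation: a cookie issued under the old key no longer verifies.
    fresh = svc.issue("bob@example.invalid")
    svc.rotate_key()
    results["after_rotation"] = svc.validate(fresh)

    results["audit"] = [reason for reason, _ in svc.audit]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The audit list is the detection hook: a burst of `unregistered_session` rejections for accounts that have not logged in recently is exactly the signal a server-side registry gives you that a signature-only scheme cannot, because in a signature-only scheme the second scenario above would have succeeded silently.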
Dokuchaev’s fate remains unclear. He was detained in Moscow in December as part of a series of mysterious arrests, which included the detention of Sergei Mikhailov, deputy chief at the FSB’s Information Security Center – known as the CDC, aka Military Unit (Vch) 6482 – as well as a lead researcher for Moscow-based Kaspersky Lab (see Report: Russia Arrests Cybersecurity Official).
“Sergei Mikhailov and his deputy, Dmitry Dokuchayev, are accused of betraying their oath and working with the CIA,” private Russian news agency Interfax reported at the time, quoting a source familiar with the investigation.
A Russian online news portal with ties to the security services, called Life, reported in January that FSB agents found $12 million stashed in hiding places throughout Mikhailov’s home and dacha.