On Wednesday, the Department of Justice indicted two Russian hackers, as well as two Russian spies, in the 2014 Yahoo data breach that compromised 500 million user accounts. (Not to be confused with the separate 2013 breach of 1 billion Yahoo accounts.) The charges are hacking, economic espionage, trade secret theft, wire fraud, and identity theft. It’s also the first time the US has brought criminal hacking charges against serving Russian government officials.
The two spies, Igor Sushchin and Dmitry Dokuchaev, are officers of the Russian intelligence agency FSB and work for its cyber investigation division. They allegedly worked with two non-government hackers, Alexsey Belan and Karim Baratov. Baratov, a Canadian citizen, was arrested in Canada on Tuesday. Belan, who has been indicted before for hacking US tech firms and is on the FBI’s most-wanted cybercriminal list, is currently under Russian protection.
The FSB allegedly hired the hackers to target US and Russian government officials, diplomats, military personnel, Russian journalists, financial sector employees, and activists. Yahoo is a particularly valuable target not just for its email records but because it also owns large platforms like Flickr and Tumblr. As added incentive, the FSB allowed the two hackers to do what they wanted with the half a billion Yahoo accounts they stole, which they put to uses like selling credit card numbers and rampant spamming.
“Any large database like that is gold for an intelligence organization,” says Dave Aitel, a former NSA analyst who now runs the security firm Immunity.
The indictment caps off a lengthy investigation, one that led directly back to Russia at a time when that country’s relationship with the US is already badly strained.
A Deterrent At Best
The charges likely won’t amount to much more than a symbolic act—Russia and the US don’t have an extradition treaty, and the Department of Justice says that Russia has not been cooperative—but officials hope that they could serve as a deterrent against future hacks.
“With these charges, the Department of Justice is continuing to send the powerful message that we will not allow individuals, groups, nation states or a combination of them to compromise the privacy of our citizens, the economic interests of our companies, or the security of our country,” acting Assistant Attorney General Mary McCord said in a statement.
In some ways, that’s not as farfetched a hope as it may sound. The DOJ took a similar approach against China in 2014, indicting members of the Chinese military. Those indictments didn’t lead to any arrests, but, coupled with the threat of sanctions, they led to a 2015 Chinese pledge to reduce hacking against US companies.
Russia today, though, presents distinctly different challenges than China did then. The US already hit the country with sanctions for digital meddling in the 2016 US presidential election, including the Democratic National Committee hack. And with tensions between the countries already high, it seems exceedingly unlikely that Russian president Vladimir Putin would give up his own agents over US demands. Or make much effort to change course.
“I think the Russians will be blasé about any criminal sanctions against active-duty FSB officers doing their job,” says Aitel. Besides, the system in which FSB agents commission Russian hackers to execute attacks like this is woven into Russia’s intelligence fabric.
“It’s precisely in line with what we expect,” says Brandon Valeriano, an international conflict researcher at the Marine Corps University. “Russia has complete control over their cyberspace … and they’re perfectly happy to let [hackers] continue their criminal exercises as long as they’re able to work for the state even part time. That’s why they lock down their internet so much.”
What Happens Now
As US-Russian cyber relations play out on the international stage, what’s most clear at this point is that there are no established rules of engagement or norms to lean on. These indictments aren’t likely to help provide that framework.
“I don’t think indicting people or doing criminal investigation is a bad thing, I just don’t think it’s sufficient to change outcomes,” says Oren Falkowitz, the CEO of Area 1 Security and a former NSA and US Cyber Command analyst. “We can’t recycle the same strategies that we’ve used for other issues and expect a different outcome.”
While Russia has not yet formally responded, it’s a safe bet that they’ll either remain silent or outright deny the allegations.
“That’s what always happens with espionage operations,” Valeriano says. “You catch a few spies, you out them, kick them out of the country and the other country does the same thing, and then it dies down for a year or two and then it comes back.”
But unlike the DNC hack, which prompted controversy over the intelligence community’s attribution of the attack to Russia, the Yahoo attribution may be harder to undermine or deny. That’s partly because the indictment implies the DOJ has enough evidence to go before a jury. “The case is pretty solid,” says Vitali Kremez, a senior intelligence analyst at Flashpoint who has been researching these activities for months. “These were very specific attacks targeting Yahoo, which probably didn’t include any malware, but rather specific access logs and email accounts used to stage this attack. So instead of malware this is an actor-centric investigation.”
What will be important to look for is whether Russia decides to reciprocate these types of indictments. “I’m not sure this is a norm we want to set,” says Aitel. “For example, do we want CIA officers arrested for doing their job?”
Think of this indictment, then, as less of a resolution and more of a possible escalation. Yahoo may have closure, but Russian-US relations are pulling ever-further apart.