Yahoo Hackers Charged After Mega-Breach, Solution Providers Hope It Shows Consequences For Attacks

The U.S. Department of Justice charged four Russian-connected hackers with crimes related to the Yahoo mega-breach, a move solution providers said they hope sends a signal to hackers about the consequences of a high-profile attack.

The charges apply to the 2014 data breach that affected 500 million users and exposed account information, which could include names, email addresses, telephone numbers, birthdays, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The hackers then used that information to gain unauthorized access into Google and other webmail providers.

The Justice Department announced indictments of four people in connection with the attacks, including two Russian intelligence agency FSB employees, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, as well as Russian criminal hacker Alexsey Alexseyevich Belan and Canadian criminal hacker Karim Baratov.

[Related: Verizon, Yahoo Slash Original Acquisition Price Tag By $350M]

The charges include computer fraud and abuse, economic espionage, engaging in theft of trade secrets, wire fraud, unauthorized computer access for commercial or private financial gain, and identity theft.

"The Department of Justice is continuing to send a powerful message that we will not allow individuals, groups, nation-states, or a combination of them to compromise the privacy of our citizens, the economic interests of our companies, or the security of our country," said Mary McCord, acting assistant attorney general, National Security Division, at a press conference Wednesday.

The 2014 data breach originally was considered one of the largest data breaches in history when it was disclosed in September, until a second, larger breach was disclosed in December. The second breach, which was discovered after further forensic expert analysis into the 2014 breach, affected 1 billion user accounts in August 2013, with an unauthorized third party stealing data that included names, email addresses, telephone numbers, dates of birth and hashed passwords, as well as, in some cases, encrypted or unencrypted security questions and answers.

The breach had wide-reaching impact on Yahoo, including causing it to slash the price of its acquisition by Verizon by $350 million and CEO Marissa Mayer to see the loss of millions of dollars in her cash and stock bonuses.

Yahoo originally had attributed the attack to a state-sponsored hacker, although that has not been proven. McCord said it appears the hackers used the attack for intelligence gathering as well as financial gain.

Paul Abbate, FBI executive assistant director, criminal, cyber, response and services division, said at the conference that the charges show that the U.S. intends to find and prosecute hackers that target U.S. citizens or companies. McCord said the Justic Department is still evaluating further sanctions allowed under executive order, saying "the tools that are potentially on the table remain on the table."

Tom Patterson, chief trust officer and vice president of security at Blue Bell, Pa.-based Unisys, said the announcement helps show that hackers can still be prosecuted for attacks, even as it becomes "harder and harder" for companies to fight back from and identify attacks from a nation-state attacker.

"It's good to have some consequences applied to people that are doing harm," Patterson said. "We're hoping that this sends a signal that there are consequences to doing bad acts on the internet and there will continue to be consequences."

However, Patterson said companies shouldn't take this as a sign to prioritize attribution of attacks over defense, saying that is a "fool's errand."

"It's next to impossible for a victim company to figure it out. … It takes a cadre of highly trained intelligence assets and a lot of time to be fairly certain and rarely guaranteed. We recommend people and companies put those efforts into better defense," Patterson said, citing examples such as patching, better passwords, analytics and segmentation. "If they put the same energy in attribution into upgrading their defense to make them current they will save themselves a lot of time and trouble."