Canadian Hacker Jailed for 5 Years Following Yahoo Breach


Hacker-for-Hire Karim Baratov Fed Stolen Passwords to Alleged Russian Officer

(euroinfosec) • May 30, 2018

Karim Baratov, a 23-year-old Canadian citizen born in Kazakhstan. (Photo: Instagram)

A Canadian citizen has received a U.S. federal prison sentence after he admitted to working for alleged Russian intelligence officers who have been tied to a massive breach of search giant Yahoo.


On Tuesday, U.S. District Judge Vince Chhabria sentenced Karim Baratov, 23, to serve five years in prison and to pay a fine that encompasses all of his remaining assets.

A 47-count federal indictment, unsealed in March 2017, names Dmitry Dokuchaev, Igor Sushchin, Alexsey Belan and Karim Baratov.

The sentencing follows Baratov's guilty plea last November to multiple charges, including violating the U.S. Computer Fraud and Abuse Act, as well as aggravated identity theft (see Canadian Hacker-for-Hire for Russia Pleads Guilty).

"The sentence imposed reflects the seriousness of hacking for hire," says Acting U.S. Attorney Alex G. Tse. "Hackers such as Baratov ply their trade without regard for the criminal objectives of the people who hire and pay them. These hackers are not minor players; they are a critical tool used by criminals to obtain and exploit personal information illegally. In sentencing Baratov to five years in prison, the court sent a clear message to hackers that participating in cyber attacks sponsored by nation states will result in significant consequences."

It's not clear, however, how Baratov would have known the true identity of the man for whom he worked.

Regardless, Baratov's attorney, Toronto-based Amedeo DiCarlo, says his client is "very happy" with the sentence. "The judge used all criteria possible to assist Karim, and given the time he had already served and the time expected to serve, Karim will be out in approximately three years," DiCarlo tells Information Security Media Group. The sentence is "far less than we requested and expected and far better than the 20 to 30 years-plus he could've faced," he says. "The justice system worked for a man who took responsibility and I'm sure he learned many lessons."

Baratov Helped Hackers Tied to Yahoo Breach

Karim Baratov at his home in Ancaster, Ontario, in an undated photo (Photo: Facebook)

Baratov, a Canadian citizen and resident who was born in Kazakhstan - he also still holds Kazakh nationality - was one of four men named in a 47-count federal indictment filed in February 2017 and unsealed in March 2017. The indictment charges the suspects with computer hacking, economic espionage and other criminal offenses tied in part to a 2014 hack attack against Yahoo that exposed at least 500 million accounts.

Authorities say Dokuchaev, one of the alleged FSB officers, received the webmail passwords obtained by Baratov and paid the Canadian for them.

Baratov was not accused of having anything to do with the Yahoo hack itself. He was arrested in March 2017 in Canada.

Last August, he waived his right to an extradition hearing and was quickly extradited to the U.S. At the time, DiCarlo told ISMG that his client had been eager to fight the charges filed against him.

Three Russian Suspects

Russian citizen Alexsey Belan has been charged with helping the FSB hack into Yahoo accounts from 2014 to 2016.

The other three men named in the indictment are Dmitry Aleksandrovich Dokuchaev, 34, and Igor Anatolyevich Sushchin, 44, who are both alleged FSB agents, as well as Alexsey Alexseyevich Belan, aka "Magg," 30. All three have been charged with compromising Yahoo's network and gaining the ability to access Yahoo accounts.

Belan was also designated as being subject to sanctions per a presidential executive order dated Dec. 29, 2016.

Belan and Baratov "were charged in a computer hacking conspiracy in which the two Russian FSB officers hired criminal hackers to collect information through computer intrusions in the United States and abroad, which resulted in the unauthorized access of Yahoo's network and the spear-phishing of webmail accounts at other service providers between January 2014 and December 2016," the Justice Department says.

"It's difficult to overstate the unprecedented nature of this conspiracy, in which members of a foreign intelligence service directed and empowered criminal hackers to conduct a massive cyber-attack against 500 million [victims'] user accounts," says John F. Bennett, the special agent in charge of the FBI's San Francisco field office, which led the investigation that resulted in the charges brought against Baratov.

Russian authorities, however, have denied that the FSB was involved in the Yahoo hack (see Parents, Teach Kids to Not Share State Secrets via Yahoo).

Baratov Admitted to Hacking, Identity Theft

Baratov initially pleaded not guilty to all of the charges against him.

Dmitry Dokuchaev is on the FBI's "Cyber Most Wanted" list.

But in November 2017, as part of a plea deal, he pleaded guilty to nine counts in the 47-count indictment, including acting as a for-hire webmail account hacker.

"As part of his plea agreement, Baratov not only admitted to his hacking activities on behalf of his co-conspirators in the FSB, but also to hacking more than 11,000 webmail accounts on behalf of the FSB conspirators and other customers from in or around 2010 until his March 2017 arrest by Canadian authorities," the Justice Department says.

Baratov also agreed to pay restitution to his victims, as well as a fine of up to $2.25 million - $250,000 per count - up to a maximum of all assets that he has remaining.

Alleged Yahoo Hackers Remain at Large

The three suspects that authorities have tied to the Yahoo breach remain at large. The FBI says the two alleged FSB officers were last known to be in Moscow, while Belan, who's been known to travel "within Russia, Greece, Latvia, the Maldives and Thailand," was last known to be in Russia.

The Yahoo breach tied to the suspects led to the search giant being fined $35 million last month by the U.S. Securities and Exchange Commission for taking too long to notify investors about the December 2014 incident, which it disclosed in September 2016. Three months later, Yahoo disclosed a separate breach, dating to 2013, that it said had likely exposed 1 billion accounts. At the same time it said the attackers behind the 2014 intrusion had forged cookies, allowing them to access some accounts directly, without a password.

Prosecutors allege that the suspects used forged cookies to access at least 6,500 Yahoo accounts.

In October 2017, meanwhile, Yahoo disclosed that a separate 2013 breach had compromised 3 billion accounts, or virtually its entire user base (see Former Yahoo CEO: Stronger Defense Couldn't Stop Breaches).