November 30, 2017
A Canadian man has pled guilty in U.S. federal court in connection with the massive data breach at Yahoo in 2014 that compromised the personal information of more than half a billion accounts at the Internet search company. Karim Baratov, 22, pled guilty to one count of conspiracy to commit computer fraud and eight counts of aggravated identity theft. He will be sentenced in February.
Interestingly, Baratov was working on behalf of Russian intelligence agents, who, according to prosecutors, used the information to spy on Russian journalists, U.S. and Russian government officials and employees of financial services and other private businesses.
So, when large hacks are perpetrated in the interest of state-sponsored surveillance, can online businesses breathe easy knowing the information won’t be used to defraud them? The short answer, according to security expert and former hacker Brett Johnson, is no.
Johnson says the Russian government routinely hires freelance cybercriminals to gather information. Despite the non-commercial use intelligence services obtained it for, however, the information was almost certainly monetized by the wider criminal community. He cites two reasons: cover and gain.
“Say the attack only needed a couple hundred thousand specific email addresses out of the 500 million stolen,” Johnson told CardNotPresent.com. “First, you need to hide that you only needed those few. You do that by hiding them among the larger number, so it all needs to be released. Second, there is money to be made from those emails. Could have been [Baratov] opted on his own to sell it or he may have been told [by the Russians] to do with it as he pleased. He could sell it to spammers, phishers, ATO people, lead generators, etc. No one, for any reason, is going to sit on the opportunity to make money.”