Tag Archives: Cyber Attack

Cyber attack hits 1,200 InterContinental hotels in United States

The Logo of a Holiday Inn Hotel is pictured in Paris, France, August 8, 2016. REUTERS/Jacky Naegelen

By Alastair Sharp

TORONTO (Reuters) – Global hotel chain InterContinental Hotels Group Plc <IHG.L> said 1,200 of its franchised hotels in the United States, including Holiday Inn and Crowne Plaza, were victims of a three-month cyber attack that sought to steal customer payment card data.

The company declined to say how many payment cards were stolen in the attack, the latest in a hacking spree on prominent hospitality companies including Hyatt Hotels Corp <H.N>, Hilton, and Starwood Hotels, now owned by Marriott International Inc <MAR.O>.

The breach lasted from September 29 to December 29, InterContinental spokesman Neil Hirsch said on Wednesday. He declined to say if losses were covered by insurance or what financial impact the hacking might have on the hotels that were compromised, which also included Hotel Indigo, Candlewood Suites and Staybridge Suites properties.

The malware searched for track data stored on magnetic stripes, which includes name, card number, expiration date and internal verification code, the company said.

Hotel operators have become popular targets because they are easier to breach than other businesses that store credit card numbers as they have limited knowledge in defending themselves against hackers, said Itay Glick, chief executive of Israeli cyber-security company Votiro. “They don’t have massive data centers like banks which have very secure systems to protect themselves,” said Glick.

InterContinental declined to say how many franchised properties it has in the United States, which is part of its business unit in the Americas with 3,633 such properties.

In February, InterContinental said it had been victim of a cyber attack, but at that time said that only 12 of its 286 managed properties in the Americas were infected with malware.

China draft cyber law mandates security assessment for outbound data

BEIJING (Reuters) – China’s top cyber authority on Tuesday released a draft law that would require firms exporting data to undergo an annual security assessment, in the latest of several recent safeguards against threats such as hacking and terrorism.

Any business transferring data of over 1000 gigabytes or affecting over 500,000 users will be assessed on its security measures and on the potential of the data to harm national interests, showed the draft from the Cyberspace Administration of China (CAC).

The law would ban the export of any economic, technological or scientific data whose transfer would pose a threat to security or public interests. It would also require firms to obtain the consent of users before transmitting data abroad.

The proposed law, which focuses on personal information security, comes just a day after state media reported government rewards of $1,500 to $73,000 for citizens who report suspected spies.

It is also an extension of legislation passed in November formalizing a range of controls over firms that handle data in industries the government deems critical to national interests.

Business groups have criticized the November law, which is effective from June, calling rules “vague” and claiming they unfairly target foreign companies with stringent requirements.

Chinese officials denied that the November law targets foreign firms.

Under the rules released on Tuesday, sensitive geographic data such as information on marine environments would also be subject to scrutiny. Destination countries and the likelihood of oversees tampering would also be factored in to any assessments.

The draft is open for public comment until May 11.

(Reporting by Cate Cadell; Editing by Christopher Cushing)

U.S. trade group hacked with Chinese software ahead of Xi summit

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017.REUTERS/Kacper Pempel/Illustration/File Photo

By Joseph Menn

SAN FRANCISCO (Reuters) – A sophisticated hacking group that pursues Chinese government interests broke into the website of a private U.S. trade group ahead of Thursday’s summit between U.S. President Donald Trump and Chinese President Xi Jinping, according to researchers.

The hackers left a malicious link on web pages where members of the National Foreign Trade Council (NFTC) register for upcoming meetings, according to researchers at Fidelis Cybersecurity and a person familiar with the trade group.

The nonprofit NFTC is a prominent advocate on international trade policy, with corporate members including Wal-Mart Stores Inc <WMT.N>, Johnson & Johnson <JNJ.N>, Amazon.com Inc <AMZN.O>, Ford Motor Co <F.N> and Microsoft Corp <MSFT.O>.

The malicious link deployed a spying tool called Scanbox, which would have recorded the type and versions of software running on the computers of those exposed to it, said Fidelis researcher John Bambenek. Such reconnaissance is typically followed by new attacks using known flaws in the detected software, especially older versions.

Scanbox has only been used by groups associated with the Chinese government, Fidelis said, and was recently seen on a political site aimed at Uyghurs, an ethnic minority under close government scrutiny in China.

The breach was detected about five weeks ago by a NFTC director who is a customer of Fidelis, the security company said. Both the Federal Bureau of Investigation and the NFTC were notified and the malicious link removed, and Fidelis said it had no evidence of NFTC members being infected.

The FBI and the NFTC declined to comment. A spokesman for the Chinese foreign ministry did not respond to a request for comment.

Bambenek said he believed the attack was classic espionage related to international trade talks, rather than a violation of a 2015 agreement between former U.S. President Barack Obama and Xi to end spying for commercial motives.

The summit starting on Thursday is the first meeting between Xi and Trump, who blamed China on the campaign trail for the loss of many U.S. jobs and vowed to confront the country’s leaders on the matters of trade and currency manipulation.

“I think it’s traditional espionage that happens ahead of any summit,” said Bambenek. “They would like to know what we, the Americans, really care about and use that for leverage.”

Other security firms agreed that wholesale theft of U.S. intellectual property has not returned.

Instead, FireEye Inc <FEYE.O> and BAE Systems Plc <BAES.L> said that the hacking group identified by Fidelis, called APT10, has recently attacked government and commercial targets in Europe.

FireEye researcher John Hultquist said heavy industries in Nordic countries have been hacked more often as Beijing switches priorities.

“They are certainly taking those resources and pushing them to other places where they can still get away with this behavior,” Hultquist said.

(Reporting by Joseph Menn in San Francisco; Addtional reporting by Dustin Volz in Washington; Editing by Bill Rigby)

UK and Swedish watchdogs warn of international cyber attack

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski

STOCKHOLM (Reuters) – A large-scale cyber attack from a group targeting organizations in Japan, the United States, Sweden and many other European countries through IT services providers has been uncovered, the Swedish computer security watchdog said on Wednesday.

The cyber attack, uncovered through a collaboration by Britain’s National Cyber Security Centre, PwC and cyber security firm BAE Systems, targeted managed service providers to gain access to their customers’ internal networks since at least May 2016 and potentially as early as 2014.

The exact scale of the attack, named Cloud Hopper from an organization called APT10, is not known but is believed to involve huge amounts of data, Sweden’s Civil Contingencies Agency said in a statement. The agency did not say whether the cyber attacks were still happening.

“The high level of digitalization in Sweden, along with the amount of services outsourced to managed service providers, means that there is great risk that several Swedish organizations are affected by the attacks,” the watchdog said.

The agency said those behind the attacks had used significant resources to identify their targets and sent sophisticated phishing e-mails to infect computers.

It also said Swedish IP addresses had been used to coordinate the incursions and retrieve stolen data and that APT10 specifically targeted IT, communications, healthcare, energy and research sectors.

(Reporting by Johan Ahlander; Editing by Niklas Pollard and Stephen Powell)

McDonald’s Canada says 95,000 affected in careers website hack

A Canadian flag waves beside McDonalds fast food restaurant in Toronto, May 1, 2014. REUTERS/Mark Blinch

(Reuters) – McDonald’s Corp’s <MCD.N> Canadian unit said on Friday personal information of about 95,000 restaurant job applicants was compromised in a cyber attack on its careers website.

The information included names, addresses, email addresses, phone numbers and employment backgrounds of candidates who applied online for jobs at McDonald’s Canada restaurants between March 2014 and March 2017.

The careers website was shut down after McDonald’s learned of the attack, and will remain closed until an ongoing investigation is complete, the unit said.

The company said it currently had no evidence that the information taken had been misused.

McDonald’s Canada said its job application forms do not ask for sensitive personal information such as social insurance numbers, banking or health information.

McDonald’s said earlier this month its official Twitter handle was compromised after a tweet sent from the account slammed U.S. President Donald Trump.

(Reporting by Vishaka George and Anya George Tharakan in Bengaluru; Editing by Sai Sachin Ravikumar)

German military to unveil new cyber command as threats grow

BERLIN (Reuters) – Germany’s military will launch a cyber command next week as part of an effort to beef up online defenses at a time when German spy agencies are warning of increasing cyber attacks by Russia.

The German military remains a high-value target for hackers, with some 284,000 complex and professional would-be attacks registered in the first nine weeks of 2017, a ministry spokesman said. No damage had been reported thus far, he added.

Cyber attacks on militaries are rising worldwide, with many now creating separate commands to tackle the issue.

NATO, which says it has seen a five-fold increase in suspicious events on its networks in the past three years, agreed last June to designate cyber as an official operational domain of warfare, along with air, land and sea.

The new German command will based in Bonn with an initial staff of 260, growing to around 13,500 in July when the military’s current strategic reconnaissance command and centers for operational communication and geo-information are folded in.

By 2021, the command is due to have a total of 14,500 positions, including 1,500 civilian jobs.

“The expansion of cyber capabilities is an essential contribution to the government’s overall security posture, and offers additional opportunities for preventing conflicts and dealing with crises to include hybrid threats,” the ministry spokesman said.

Defence Minister Ursula von der Leyen will name Lieutenant General Ludwig Leinhos to head the new Cyber and Information Space Command – the sixth major wing of the military in addition to the navy, army, air force, medical service and joint forces.

Chancellor Angela Merkel this month said protecting German infrastructure from potential cyber attacks was a top priority.

In December, Germany’s domestic and foreign intelligence agencies cited increasing Russian cyber attacks against political parties, as well as propaganda and disinformation campaigns aimed at destabilizing German society.

Russia denies engaging in such attacks.

(Reporting by Andrea Shalal; editing by Mark Heinrich)

A scramble at Cisco exposes uncomfortable truths about U.S. cyber defense

The logo of Cisco is seen at Mobile World Congress in Barcelona, Spain, February 27, 2017. REUTERS/Eric Gaillard

By Joseph Menn

SAN FRANCISCO (Reuters) – When WikiLeaks founder Julian Assange disclosed earlier this month that his anti-secrecy group had obtained CIA tools for hacking into technology products made by U.S. companies, security engineers at Cisco Systems <CSCO.O> swung into action.

The Wikileaks documents described how the Central Intelligence Agency had learned more than a year ago how to exploit flaws in Cisco’s widely used Internet switches, which direct electronic traffic, to enable eavesdropping.

Senior Cisco managers immediately reassigned staff from other projects to figure out how the CIA hacking tricks worked, so they could help customers patch their systems and prevent criminal hackers or spies from using the same methods, three employees told Reuters on condition of anonymity.

The Cisco engineers worked around the clock for days to analyze the means of attack, create fixes, and craft a stopgap warning about a security risk affecting more than 300 different products, said the employees, who had direct knowledge of the effort.

That a major U.S. company had to rely on WikiLeaks to learn about security problems well-known to U.S. intelligence agencies underscores concerns expressed by dozens of current and former U.S. intelligence and security officials about the government’s approach to cybersecurity.

That policy overwhelmingly emphasizes offensive cyber-security capabilities over defensive measures, these people told Reuters, even as an increasing number of U.S. organizations have been hit by hacks attributed to foreign governments.

Larry Pfeiffer, a former senior director of the White House Situation Room in the Obama administration, said now that others were catching up to the United States in their cyber capabilities, “maybe it is time to take a pause and fully consider the ramifications of what we’re doing.”

U.S. intelligence agencies blamed Russia for the hack of the Democratic National Committee during the 2016 election. Nation-states are also believed to be behind the 2014 hack of Sony Pictures Entertainment and the 2015 breach of the U.S. Government’s Office of Personnel Management.

CIA spokeswoman Heather Fritz Horniak declined to comment on the Cisco case, but said it was the agency’s “job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad.”

The Office of the Director of National Intelligence, which oversees the CIA and NSA, referred questions to the White House, which declined to comment.

Across the federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters.

President Donald Trump’s budget proposal would put about $1.5 billion into cyber-security defense at the Department of Homeland Security (DHS). Private industry and the military also spend money to protect themselves.

But the secret part of the U.S. intelligence budget alone totaled about $50 billion annually as of 2013, documents leaked by NSA contractor Edward Snowden show. Just 8 percent of that figure went toward “enhanced cyber security,” while 72 percent was dedicated to collecting strategic intelligence and fighting violent extremism.

Departing NSA Deputy Director Rick Ledgett confirmed in an interview that 90 percent of government cyber spending was on offensive efforts and agreed it was lopsided.

“It’s actually something we’re trying to address” with more appropriations in the military budget, Ledgett said. “As the cyber threat rises, the need for more and better cyber defense and information assurance is increasing as well.”

The long-standing emphasis on offense stems in part from the mission of the NSA, which has the most advanced cyber capabilities of any U.S. agency.

It is responsible for the collection of intelligence overseas and also for helping defend government systems. It mainly aids U.S. companies indirectly, by assisting other agencies.

“I absolutely think we should be placing significantly more effort on the defense, particularly in light of where we are with exponential growth in threats and capabilities and intentions,” said Debora Plunkett, who headed the NSA’s defensive mission from 2010 to 2014.

GOVERNMENT ROLE

How big a role the government should play in defending the private sector remains a matter of debate.

Former military and intelligence leaders such as ex-NSA Director Keith Alexander and former Secretary of Defense Ashton Carter say that U.S. companies and other institutions cannot be solely responsible for defending themselves against the likes of Russia, China, North Korea and Iran.

For tech companies, the government’s approach is frustrating, executives and engineers say.

Sophisticated hacking campaigns typically rely on flaws in computer products. When the NSA or CIA find such flaws, under current policies they often choose to keep them for offensive attacks, rather than tell the companies.

In the case of Cisco, the company said the CIA did not inform the company after the agency learned late last year that information about the hacking tools had been leaked.

“Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found, so we can fix them and notify customers,” said company spokeswoman Yvonne Malmgren.

SIDE BY SIDE

A recent reorganization at the NSA, known as NSA21, eliminated the branch that was explicitly responsible for defense, the Information Assurance Directorate (IAD), the largest cyber-defense workforce in the government. Its mission has now been combined with the dominant force in the agency, signals intelligence, in a broad operations division.

Top NSA officials, including director Mike Rogers, argue that it is better to have offensive and defensive specialists working side by side. Other NSA and White House veterans contend that perfect defense is impossible and therefore more resources should be poured into penetrating enemy networks – both to head off attacks and to determine their origin.

Curtis Dukes, the last head of IAD, said in an interview after retiring last month that he feared defense would get even less attention in a structure where it does not have a leader with a direct line to the NSA director.

“It’s incumbent on the NSA to say, ‘This is an important mission’,” Dukes said. “That has not occurred.”

(Reporting by Joseph Menn in San Francisco. Additional reporting by Warren Strobel in Washington.; Editing by Jonathan Weber and Ross Colvin)

German parliament foiled cyber attack by hackers via Israeli website

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. REUTERS/Kacper Pempel/Files

BERLIN (Reuters) – The German parliament was the target of fresh cyber attacks in January that attempted to piggy-back on an Israeli newspaper site to target politicians in Germany, Berlin’s cyber security watchdog said on Wednesday.

Cyber defenses installed after a 2015 hack of the parliament helped avert the attempted breaches, the Federal Office for Information Security (BSI) said in a statement.

The hackers appeared to use advertising running on the Jerusalem Post website to redirect users to a malicious site, it said.

The BSI looked into unusual activity on the parliament’s network early this year and has just completed a detailed analysis of the incident, which was first reported by the Sueddeutsche Zeitung newspaper on Wednesday.

At least 10 German lawmakers from all parliamentary groups were affected by the attempted hack, the Munich daily reported.

“The technical analysis is complete. The website of the Jerusalem Post was manipulated and had been linked to a malicious third party site,” the agency said in a statement.

“BSI found no malware or infections as part of its analysis of the Bundestag networks.”

The Jerusalem Post confirmed details of the attack with Reuters, but said no malware came from its own site and that it was fully protected against such attacks in the future.

“The Jerusalem Post website was attacked in January by foreign hackers,” the publisher said in a statement. “We immediately took action and together with Israeli cyber authorities successfully neutralized the threat.

Hackers can use infected banner advertisements to attack otherwise safe or secure sites. So-called “malvertising” appeared to be served up to the site via an unidentified third-party advertising network.

There was no suggestion from the German agency of any wrongdoing by the Jerusalem Post.

“SPEAR-PHISHING”

Security expert Graham Cluley said such “spear-phishing” attacks via malicious ads is highly unusual, but possible.

In this instance, the Jerusalem Post site could have served up German language ads to visitors with German internet addresses. However, he said it was unlikely this could be used to target specific politicians in Berlin.

This latest attack comes amid growing concern in Germany about cyber security and reports that Russia is working to destabilize the German government and could seek to interfere in the upcoming Sept. 24 national elections.

The Bundestag lost 16 gigabytes of data to Russian hackers in 2015, after which it revamped its software system with the help of the BSI and private contractors.

“The BSI believes that the defenses of the German Bundestag detected and prevented links to the website. The attack was therefore averted,” BSI President Arne Schoenbohm said in a statement.

A source familiar with the incident said it did not appear to be linked to APT28, a Russian hacking group also known as “Fancy Bear” that was blamed for the 2015 Bundestag hack and the 2016 hack of the U.S. Democratic National Committee.

(Reporting by Andrea Shalal in Berlin, Eric Auchard in London and Luke Baker in Jerusalem; Editing by Tom Heneghan)

U.S. may accuse North Korea in Bangladesh cyber heist: WSJ

Federal Reserve and New York City Police officers stand guard in front of the New York Federal Reserve Building in New York, October 17, 2012. REUTERS/Keith Bedford/File Photo

NEW YORK (Reuters) – U.S. prosecutors are building potential cases that would accuse North Korea of directing the theft of $81 million from Bangladesh Bank’s account at the Federal Reserve Bank of New York last year, and that would charge alleged Chinese middlemen, the Wall Street Journal reported on Wednesday.

The U.S. Federal Bureau of Investigation believes that North Korea is responsible for the heist, an official briefed on the probe told Reuters. Richard Ledgett, deputy director of the U.S. National Security Agency, publicly suggested on Tuesday that North Korea may be linked to the incident, while private firms have long pointed the finger at the reclusive state.

The Journal, citing people familiar with the matter, reported that prosecutors believe Chinese middlemen helped North Korea orchestrate the theft from Bangladesh’s central bank, which was among the biggest bank robberies in modern times.

The current cases being pursued may not include charges against North Korean officials, but would likely implicate the country, the newspaper reported, with the United States accusing a foreign government of orchestrating the heist.

A U.S. Department of Justice spokesman declined to comment.

FBI offices in Los Angeles and New York have been leading an international investigation into the February 2016 incident, in which hackers breached Bangladesh Bank’s systems and used the SWIFT messaging network to request nearly $1 billion from its account at the New York Fed.

The branch of the U.S. central bank rejected most of the requests but filled some of them, resulting in $81 million disappearing into casinos and other entities in the Philippines. A top police investigator in Dhaka told Reuters in December that some Bangladesh Bank officials deliberately exposed its computer systems, enabling the hackers to get in.

The incident exposed bungling and miscommunication between central banks, and left the Fed, Bangladesh, SWIFT, and the Philippine lender that initially received the funds trading blame for months.

SWIFT – or the Society for Worldwide Interbank Financial Telecommunication that serves as the backbone of global finance – has since revealed that its messaging system has been targeted in a “meaningful” number of other attacks last year using a similar approach as in the Bangladesh incident.

Last week, SWIFT said it planned to cut off the remaining North Korean banks still connected to its system as concerns about the country’s nuclear program and missile tests grow.

The Journal reported that federal investigators are focusing on Chinese individuals or businesses who allegedly helped North Korea orchestrate the heist, and that the U.S. Treasury is considering sanctions against these alleged middlemen.

The New York Fed and SWIFT declined to comment.

(Reporting by Jonathan Spicer and Joseph Menn; Editing by Jonathan Oatis and James Dalgleish)

U.S. authorities charge Russian spies, hackers in huge Yahoo hack

The John Sopinka Courthouse, where Karim Baratov appeared in front of a judge, in connection with a U.S. Justice Department investigation into the 2014 hacking of Yahoo, is pictured in Hamilton, Ontario, Canada March 15, 2017 . REUTERS/Peter Power

By Dustin Volz

WASHINGTON (Reuters) – The United States on Wednesday charged two Russian intelligence agents and two hackers with masterminding the 2014 theft of 500 million Yahoo accounts, the first time the U.S. government has criminally charged Russian spies for cyber offences.

The charges came amid a swirl of controversies relating to alleged Kremlin-backed hacking of the 2016 U.S. presidential election and possible links between Russian figures and associates of U.S. President Donald Trump. This has given rise to uncertainty about whether Trump is willing to respond forcefully to any action by Moscow in cyberspace and elsewhere.

The 47-count Justice Department indictment included charges of conspiracy, computer fraud and abuse, economic espionage, theft of trade secrets, wire fraud, access device fraud and aggravated identify theft. It painted a picture of the Russian security services working hand-in-hand with cyber criminals, who helped spies further their intelligence goals in exchange for using the same exploits to make money.

“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cyber crime matters, is beyond the pale,” Acting Assistant Attorney General Mary McCord said at a press conference announcing the charges.

Russia’s Federal Security Service (FSB) is the successor to the KGB.

The Kremlin, which denies Russia tried to influence the U.S. election in any way, said on Thursday Moscow had received no official notification of the indictment, but hoped it would.

However, Dmitry Peskov, President Vladimir Putin’s spokesman, dismissed out of hand the idea that FSB employees could have been involved in the Yahoo hack.

“We have said repeatedly that there can be no discussion of any official involvement of any Russian agency, including the FSB…in any unlawful cyber activities,” said Peskov, who has cast U.S. allegations against Russia as part of a political campaign to kill off a U.S.-Russia rapprochement.

Yahoo said when it announced the then-unprecedented breach last September that it believed the attack was state-sponsored, and on Wednesday the company said the indictment “unequivocally shows” that to be the case.

The charges announced Wednesday are not related to the hacking of Democratic Party emails during the 2016 U.S. presidential election. U.S. intelligence agencies have said they were carried out by Russian spy services, including the FSB, to help the campaign of Republican candidate Donald Trump.

The indictment named the FSB officers involved as Dmitry Dokuchaev and his superior, Igor Sushchin, who are both in Russia.

Dokuchaev was arrested for treason in December, according to the Russian news agency Interfax.

Reuters sent a request for comment to the FSB in Moscow on Wednesday evening but there was no response.

The alleged criminals involved in the scheme include Alexsey Belan, who is among the FBI’s most-wanted cyber criminals and was arrested in Europe in June 2013 but escaped to Russia before he could be extradited to the United States, according to the Justice Department.

Karim Baratov, who was born in Kazakhstan but has Canadian citizenship, was also named in the indictment.

The Justice Department said Baratov was arrested in Canada on Tuesday. Mark Pugash of Toronto police later confirmed the Tuesday arrest.

McCord said the hacking campaign was waged by the FSB to collect intelligence but that the two hackers used the collected information as an opportunity to “line their pockets.”

The United States does not have an extradition treaty with Russia, but McCord said she was hopeful Russian authorities would cooperate in bringing criminals to justice. The United States often charges cyber criminals with the intent of deterring future state-sponsored activity.

The administration of former President Barack Obama brought similar charges against Chinese and Iranian hackers who have not been extradited.

In a statement, White House spokesman Michael Anton said the charges “are part of a broad effort across the government to defend the United States against cyber attacks and cyber-related crimes.”

‘RED NOTICE’

Yahoo in December announced another breach that occurred in 2013 affecting one billion accounts. Special Agent Jack Bennett of the FBI’s San Francisco Division said the 2013 breach is unrelated and that an investigation of that incident is ongoing.

The hacks forced Yahoo to accept a discount of $350 million in what had been a $4.83 billion deal to sell its main assets to Verizon Communications Inc <VZ.N>.

At least 30 million of the Yahoo accounts in the 2014 breach were the most seriously affected, with Belan able to burrow deep into their accounts and take user contact lists that were later used for a financially motivated spam campaign, according to the indictment. Belan also stole financial information such as credit card numbers and gift cards, it said.

Yahoo had previously said about 32 million accounts had fallen victim to the deeper attack, which it said leveraged forged browser cookies to access accounts without the need for a password.

According to the indictment, FSB officers Sushchin and Dokuchaev also directed Baratov to use the information gained in the Yahoo breach to hack specific targets who possessed email accounts with other service providers, including Google.

When Baratov was successful, Dokuchaev would reward him with a bounty, the indictment charged.

Examples where Google accounts were targeted include an assistant to the deputy chairman of the Russian Federation, an officer of the Russian Ministry of Internal Affairs, and a physical training expert employed by the Russian government.

Details in the indictment reflect the often murky relationship in Russia between criminal hackers and government intelligence officers.

Interpol issued a “red notice” on Belan in relation to an earlier hacking campaign, according to the indictment. Instead of arresting Belan, however, the FSB recruited him to help with cyber espionage and provided tools to evade detection from other authorities.

Belan later gained unauthorized access to Yahoo’s network that he shared with FSB, the indictment said.

(Reporting by Dustin Volz in Washington and Joseph Menn in San Francisco; Additional reporting by Julia Edwards in Washington and Alexander Winning and Dasha Afanasieva in Moscow; Editing by Jeffrey Benkoe and James Dalgleish)