U.S. Government Files Charges in Yahoo Hacking (Audio)

Moscow that cyber attacks would not be tolerated. Here's Acting Assistant Attorney General Mary McCord. The involvement and direction of FSB officers with law enforcement responsibilities makes this conduct that much more egregious. There are no four free passes for foreign state sponsored criminal behavior. The Russians targeted a diverse crew from the White House and military officials, two executives

at banks and global companies. Our guests are and mckennack, professor at Penn State Law School, and John reid Stark, founder of John reid Stark Consulting and founder of the SEC's Office of Internet Enforcement. John. In the announcement, the government made its case to the public that Moscow is orchestrating criminal hacks with cyber criminals tell us more about the Russian cyber spying regime. Sure, Jean, how are you

this afternoon? And thanks for inviting me to talk to you. Uh. You know, when I read this, I thought, like Captain Renault and Casablanca. Remember, I'm shocked, shocked to find the gambling is going on. It's this kind of hacking in this kind of scheme has been going on for quite

some time, dating back to when I was at the SEC. Remember, there have been cyber attacks on the federal government dating back that are documented, dating back to two thousand nine, two twelves, all over the place and by various different state sponsored terrorist regimes. So I don't know that this is anything new. But what's amazing is that these people were finally caught, and I think the FBI has really got to be commended here. I'm sure this investigation took

quite some time. It's the first time, as far as I can tell, that actual Russian intelligence officials were indicted right along with the hackers that they had engaged to carry on these arts. On that last point, what what is the significance of that The fact that for the first time Russian FSB agents were included in an indictment. It's thanks for having me, folks. It's really it's significant

just because we've heard so much in the news. Our election cycle was filled with these you know, allegations of Russian hacking, um and interference with the election, and so to see the FBI and the Department of Justice come out so clearly with you know, very strong charges both based on economic espionage for foreign as well as our federal laws for computer fraud and abuse, UM, it's really it's significant, and it shows that, you know, they were

very careful I'm sure before making these charging documents public. It shows that they are really ready to back up and and to to prosecute this. You know. What's going to be the trick here though, is one of the one of the hackers involved has already you know, been on the list to be extradited from Russia, and Russia of course has not extra extradited that hacker. So what remains to be seen now is what's the fallout going to be for US Russian relations when US demands extradition

of these two FSB officers. As I think where we're really going to see things get sticky, particularly with you know, current presidential politics John that that is one of the questions here. What if you've got the Russian government involved, and you've got hackers who you can extradite, How effective can it be to bring indictments and situations like this. It's always effective. I don't think it's obviously not as

effective as getting someone locking them up. But when I was at the SEC for eleven years, we chased after people and we Jeff only froze their money, but we could never, only on very rare occasions, could we orchestrate an actual arrest in a foreign country, because there are so many issues of just not just judicial committy, but also being able to extradite, being able to execute a subpoena on someone in a foreign country is a very difficult thing. So I think that these these types of

actions have a tremendous deterrent effect. I realize it's not going to stop a lot of actors from doing what they're doing, but I think and is exactly right because what's so unique here is this prosecution crosses over to the political arena. All the matters that I did when I was at the SEC many involved foreign nationals, but they were never tied explicitly to the government like this. So it was essentially a one dimensional prosecutor prosecutorial exercise.

But now you're also going to going to be engaging in the State Department, the Defense Department, the Pentagon, and everyone else in helping to track these people down and bring a justice. And they targeted a wide range of people and companies both here and in Russia. Do we know what information they got, what damage they actually did. Yeah, we do from the helpful information provided by the Apartment

of Justice. UM, It's it's fascinating here because Yahoo, when this story initially came out back in the fall of that there had been a breach, insisted that there was a limited amount of personally identifiable information that had been hacked. What's clear from these documents released by the Department of Justice is that Yahoo's user database was taken as well as Yahoo's account management tool. And if you think about that, that's like the keys to the you know, candy jar.

That it enabled, um, these hackers to not just get folks you know, names, email addresses, and that kind of information, but actually because of the information that was taken using this proprietary information that Yahoo had and Yahoo's database UM and account management tools these hackers were actually able to get into the content of the communications, which is very unusual for a hack in the sense of they were actually able to read contents of emails from thousands of

individuals who's you know, communications were hacked. Not only that in this case, um, which is in stark contrast to what y'ah who said initially for a very long time and continued to repeat, we also know that credit card and financial information was actually taken and used by one of the hackers. He used Yahoo's own account tools to

gain individuals financial information and credit card informations. And so the flip side of this is that we're seeing a flew of lawsuits across the country being filed against Yahoo by individuals who are claiming their credit card information was compromised. We're talking about the federal indictment charging two Russian intelligence officers and two hackers with conspiring to carry out we're

the largest cyber intrusions in US history. Our guests are and mchannic, professor at Penn State Law School, and John read Stark, founder of John Reid Stark Consulting, and Assistant Attorney General. Mary McCord said the charges are unrelated to the hacking of the Democratic National Committee and the FBI's investigation of Russian interference in the presidential campaign. But could what they learned here through their investigation helped them with

those other investigations. Well, part of this is speculation, but there's you know, when we see the strength of this indictment against two known Russian intelligence officers, uh, that that is probably going to be a very helpful treasure trow

of information. You know, we this this Russia has long been known to work directly with hackers, um and so I think that there's probably a lot more to this than well, it may not be directly connected, you know, just the activities of state spot INSERTD cyber hacking are

going to reveal lots of useful data. And I'm sure John can add to this, and with what he's seen at the sec UM just in terms of you know, we're seeing a government that's involved in economic espionage against the United States citizens and the information really, you know, was personal information about the US government officials as well as private citizens. John, can you add to that, sure? You know, I I totally agree. I think to what it what it does is kind of answers the mysteries

of data breach response. I do a lot of data breach response work where you sort of walked into the situation and everyone wants to know, well, what were the hacker looking for? What were their goals? But here, based on the digital forensics and and other inculpatory evidence, you can see that the hackers who were enlisted here had a broad range of goals. By the one thing they wanted to do was to search Yahoo user mail accounts

for credit art and gift card account numbers. Another thing they did was they set up an online marketing scheme by manipulating Yahoo search results for erectile dysfunction drugs. And I think that demonstrates the range of the use of exceltrated data and in the broad range of the the hackers attack factor. In other words, it's just like a burglar who comes into a home. They rumage through, grab anything they can. It might be targeted, it might be not,

it might not be. They just grab everything they kind, they take it away, and then they see what they can do with it to monetize it. So whether that sheds light on an actual motive of what these hackers were doing, certainly the indictment indicates that they had specific targets in mind. But the indictment also indicates that these guys just grabbed anything they could and then they went wound up doing any kind of scheme they could to

enrich themselves. And what are some of the things we don't know yet based on We learned a lot from this indictment, but there are a lot of things we don't know. Tell us about some of those. So what we don't is and I haven't heard the news today, but I know the Canadian hacker. One of the hackers was a Canadian citizen, and we are waiting to hear if he is going to be extradited by the Canadian courts.

Um appears the US government has requested that One of those things I think we can learn from this is going forward, how information can be used by state actors in terms of, you know, what who are they targeting, and what are they targeting? As John pointed out, they

went in and tried to grab everything. But we know, because of the details provided in the indictment that these two Russian intelligence officers had specific targets, and not only that this conspiracy was an ongoing, evolving process based upon information that was discovered. So going forward, we may learn more details about individuals in the United States government as well as individuals in private industry who were targeted, specifically targeted.

And when we see that that was directed by I Russian intelligence officers, I think we're going to learn a lot more. But we don't know those details. We just have this, you know, sort of santalizing figure off oh over. Individuals contents of their communications were specifically targeted by these Russian intelligence officers. So it's going to be interesting to see. We don't know where that's going to lead. It's certainly, it certainly will be and we'll be talking about it more.

Thank you both for being on Bloomberg Law. That's and mccannic, professor at Penn State Law School, and John reid Stark, founder of John Reid Stark Consulting, coming up on Bloomberg Law, first in Hawaii then Maryland. A pair of judges halt President Donald Trump's revised travel band before it can be enforced.