(The Washington Post)

The Justice Department announced Wednesday the indictments of two Russian spies and two criminal hackers in connection with the heist of 500 million Yahoo user accounts in 2014, marking the first U.S. criminal cyber charges ever against Russian government officials.

The indictments target two members of the Russian intelligence agency FSB, and two hackers hired by the Russians.

The charges include hacking, wire fraud, trade secret theft and economic espionage, according to officials. The indictments are part of the largest hacking case brought by the United States.

The charges are unrelated to the hacking of the Democratic National Committee and the FBI’s investigation of Russian interference in the 2016 presidential campaign. But the move reflects the U.S. government’s increasing desire to hold foreign governments accountable for malicious acts in cyberspace.

How data breaches grew to massive proportions in 11 years

The United States does not have an extradition treaty with Russia, but officials have said that taking steps such as charges and imposing sanctions can be a deterrent. People also sometimes slip up and travel to a country that is able and willing to transfer them to the United States for prosecution.

Yahoo reported the 2014 hack last fall — in what was then considered the largest data breach in history. The company later disclosed another intrusion affecting more than 1 billion user accounts in 2013, far surpassing the 2014 event. Officials have not determined whether there is a link between the two.

The twin hacks clouded the prospects for the sale of Yahoo’s core business to telecommunications giant Verizon. The deal is proceeding after Verizon negotiated the price down in the wake of the breaches.

The compromised accounts may have affected more than just email. Breaking into a Yahoo account would give the hackers access to users’ activity on Flickr, Tumblr, fantasy sports and other Yahoo applications.

In the 2014 hack, the FSB — Russia’s Federal Security Service, and a successor to the KGB — allegedly sought the information for intelligence purposes, targeting journalists, dissidents and U.S. government officials, but allowed the criminal hackers to use the email cache for the officials’ and the hackers’ financial gain, through spamming and other operations.

The charges “illustrate the murky world of Russian intel services using criminal hackers in a wide variety of ways,” said Milan Patel, a former FBI Cyber Division supervisory special agent who is now a managing director at K2 Intelligence, a cyber firm.

Although FBI agents have long suspected that the Russians have used cyber mercenaries to do their work, this case is among the first in which evidence is offered to show that.

(Jhaan Elker/The Washington Post)

The indicted FSB officers are Dmitry Dokuchaev and Igor Sushchin, his superior. Particularly galling to U.S. officials is that the men worked for the cyber investigative arm of the FSB — a rough equivalent of the FBI’s Cyber Division. That the agency that is supposed to investigate computer intrusions in Russia is itself engaged in hacking is “pretty sad,” one official said.

Dokuchaev, whose hacker alias was “Forb,” was arrested in December in Moscow, according to the news agency Interfax, on charges of state treason for passing information to the CIA. He had reportedly agreed to work for the FSB to avoid prosecution for bank card fraud.

Another man indicted in the case is Alexsey Belan, who is on the list of most-wanted cyber criminals and has been charged twice before, in connection with intrusions into three major tech firms in Nevada and California in 2012 and 2013. He was in custody in Greece for a time but made his way back to Russia, where he is being protected by authorities, officials said.

The other hacker-for-hire is Karim Baratov, who was born in Kazakhstan but has Canadian citizenship. He was arrested in Canada on Tuesday.

The indictments grew out of a nearly two-year investigation by the FBI’s San Francisco office with the aid of international law enforcement, officials said. Sanctions and criminal charges are two tools that the Obama administration began using to punish and deter nation state hackers.

“They have the effect of galvanizing other countries that are watching what’s happening,” said Luke Dembosky, a former deputy assistant attorney general for national security. “They show that we have the resources and capabilities to identify the people at the keyboard, even in the most sophisticated cases.”

Three years ago, the United States charged five Chinese military hackers with economic espionage, marking the first time cyber-related charges were levied against foreign government officials.

After the Chinese military hackers were indicted, officials said their activity seemed to dwindle. And the indictments, Dembosky said, helped wrest a pledge in 2015 from the Chinese to stop economic cyberespionage against U.S. firms.

In early 2015, the Obama administration imposed economic sanctions on North Korea for its cyberattack on Sony Pictures’ systems.

And in late December, the Obama administration levied economic sanctions on Moscow for its election-year meddling. At the same time, the government sanctioned two Russian criminal hackers with no apparent connection to the Kremlin’s interference campaign. They included Belan, who is one of the four indicted in the Yahoo case.

ellen.nakashima@washpost.com

Brian Fung contributed to this report.