Yahoo breach was not state-sponsored, researchers claim

The massive 2014 Yahoo breach isn’t the work of state-sponsored hackers as the company has claimed to believe, say researchers from identity protection and threat intelligence firm InfoArmor.

Instead, the breach was effected by a group of professional blackhats believed to be from Eastern Europe.

Group E: Masterminds of the attack

InfoArmor researchers have dubbed them “Group E”, and according to the firm’s knowledge, they have been hacking databases for years now, and were the ones behind the MySpace, Tumblr and LinkedIn hacks.

“The actual Yahoo data dump is still not available on any underground forums or marketplaces, and has been distributed from so called Group E to one of their proxies for further monetization based on the sale of particular records from the dump, which can be delivered based on the specific criteria of the buyer (login, recovery e-mail, geography, etc.),” the researchers note.

This proxy has sold parts of the database to at least three threat actors. Two of them were cybercriminals (a spammers and an underground affiliate network owner), and the third one looks like it could be a state-sponsored party interested in exclusive database acquisition (the sale was made in 2015).

The researchers believe that “the data theft of the Yahoo customer database may be the key in several targeted attacks against US Government personnel, which resulted after the disclosed contacts of the affected high-level officials of intelligence community happened in October 2015.”

They also believe that the batch of some 200 million Yahoo users offered for sale in early August on the TheRealDeal dark web market by a seller named “peace_of_mind” wasn’t actually stolen from Yahoo, but was based on multiple third party data leaks that have no relation to Yahoo.

Yes, some of the records matched those of Yahoo users, but they chalk it up to the fact that many users reuse passwords across multiple online services. All in all, this batch seemed to have been intentionally misrepresented, in order for “Peace” to earn a few bucks.

InfoArmor says that Group E used “tessa88”, another seller on underground markets, as another proxy.

“This approach was ‘carefully’ orchestrated in order to mask the actual sources of the hacks and to commercialize the data in an anonymous manner, due to the fact that this data had been used by the threat actors for their own purposes, namely, targeted account takeover (ATO) and spam.”

“Peace” was just another seller that collaborated with “tessa” to exchange data batches each had, and to sell them on, they concluded.

Of course, we should also take this conjecture with a grain of salt, as there is no definitive proof. Definitive attribution of cyber attacks is still a major problem.

Yahoo and its poor security practices

This week, a group of US senators sent a letter to Yahoo CEO Marissa Mayer, asking her to provide information about the hack, how widespread it is, when it was discovered, when law enforcement was notified, and what the company is doing to prevent such a hack in the future.

The premise is still that Yahoo did their best to prevent such breaches from happening in the first place but, when it comes to security, the company has been lagging behind Google, Facebook and other Internet giants for years.

And even when Marissa Mayer took over as CEO in 2012, things didn’t get better.

She concentrated on keeping and building the company’s user base through different services, and repeatedly opted to forego the implementation of additional security measures to avoid more users jumping ship, internal sources told the New York Times.

Security expert Alex Stamos was brought on as CISO in 2014, and his pushing and his team’s enthusiasm managed to accomplish some good things (such as end-to-end encryption for email). But other proposed improvements, such as intrusion-detection mechanisms for the company’s production systems, were shot down.

“Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services,” NYT reports.

It’s unclear whether this means that they knew about the 2014 breach, or simply wanted to reset passwords after another hack that didn’t result in the exfiltration of user information.