News by VICE

It looks like criminals hacked Yahoo, not a country

Yahoo has been insisting a state-sponsored group was behind the biggest known data breach in history, but that assertion is facing serious challenges.

by David Gilbert
Sep 29 2016, 2:20pm


Yahoo's claim that a state actor is to blame for its massive data breach is being seriously challenged.

U.S.-based cybersecurity firm InfoArmor asserts that the recent hack of Yahoo accounts — 500 million customer records, the biggest known data breach in history — was carried out by a criminal gang known as Group E, which has been responsible for similar attacks on Dropbox, LinkedIn and MySpace.

Andrew Komarov, chief intelligence officer of InfoArmor and a Russian native, has been tracking the Eastern Europe-based group for three years and says it has sold the compromised data to at least one state-sponsored party, telling NBC News that the fee was about $300,000.

While NBC has claimed the state-sponsored group "commissioned" Group E to hack Yahoo, Komarov told Reuters: "They have never been hired by anyone to hack Yahoo. They were simply looking for well-known sites that had many users."

Yahoo has been saying a state actor was to blame, implying that only hackers with the resources and skills available to a government-funded group could breach its security, and making it look like Yahoo was the victim, and not part of the problem. The internet giant reported the huge breach last week, having begun its investigation into a possible breach in July. Yahoo, which is finalizing a sale of its core business to Verizon, claims to have been unaware of the security breach until very recently, stating in a Sept. 9 filing with the SEC that it wasn't aware of any "security breaches" or "loss, theft, unauthorized access or acquisition" of user data.

Earlier this week Reuters reported that Democratic Sen. Mark Warner asked the SEC to investigate whether Yahoo fulfilled its obligations to inform investors and the public about the hack.

Though there is no evidence of a state-sponsored actor, NBC News reports have repeatedly mentioned Russia as a potential buyer of the database. Komarov says there is no evidence to tie them to the transaction.

Russia is regularly linked to high-profile attacks against U.S. targets, most recently being accused of hacking into the servers of the Democratic National Committee — though again, there's no hard proof of such a link.

The hackers who stole the Yahoo database, some time in 2014, have been seeking to monetize it by selling specific sections of it, according to InfoArmor, using a third party with links to another group of hackers, one of whom, known as ROR[RG], is thought to be responsible for the attack on the Ashley Madison dating site last year.

The Wall Street Journal reported that Komarov and InfoArmor have access to at least part of the stolen database, and when provided with 10 Yahoo email addresses, he was able to crack the passwords to eight of them and provide information such as date of birth, phone number and ZIP code associated with the accounts.

The attack is being investigated by the FBI as well as cybersecurity firm Stroz Friedberg, which was hired by Yahoo. The company has yet to make public any proof of its claim that the attack was the work of a state-sponsored actor, though this information is unlikely to be made public before any law enforcement agency investigations are finished.

Yahoo has not responded to a request for comment on the latest report, but a source familiar with the matter said it was 100 percent sticking with its original claim that state-sponsored hackers were to blame.