The hack of more than a half billion Yahoo email accounts was motivated by espionage, not profit, according to an independent cybersecurity firm report released Wednesday, which contends that an Eastern European state-sponsored actor appears to have ordered the massive hack as part of a coordinated effort to infiltrate the email accounts of U.S. military, diplomatic and political figures.
The findings by the cyber security firm InfoArmor are consistent with Yahoo officials’ claim last week that a state-sponsored actor was behind one of the largest corporate breaches in U.S. history.
Yet InfoArmor’s version of events, if accurate, provides significant new details about how and why the company was hacked. Minor league hackers who were peddling Yahoo users’ personal information for cash in “dark web” marketplaces were also part of a foreign government espionage campaign dating back to 2014. And the findings also suggest that hacks of LinkedIn, Dropbox, MySpace and other firms — breaches affecting billions of customers worldwide — might’ve been part of the same state-sponsored effort.
In an interview with NBC News prior to the release of his firm’s findings, InfoArmor’s chief intelligence officer Andrew Komarov described the Yahoo breach as part of a larger, ongoing campaign to break in to the email accounts of prominent officials from the U.S. and across the globe.
He said that his analysts have uncovered a previously unidentified collective of elite black hat hackers-for-hire from Eastern Europe — a group that InfoArmor analysts now contend was also responsible for hacks of the other social media companies.
Komarov said that a state-sponsored actor from Eastern Europe commissioned and later paid the hacker collective $300,000 for the Yahoo data trove. He said he didn’t know if the hacks of the other social media companies were also commissioned by a state-sponsored actor, but believed it was likely. He also said he didn’t know if the state that directed the hacks was Russia, or if the state-sponsored actor that paid the hackers was a Russian intelligence agency or some other arm of the Russian government, but that Eastern European hackers often have links to the Russian government.
Eastern European operatives tied to Russia’s intelligence agencies have been widely suspected by cybersecurity researchers of multiple efforts to hack U.S. government officials’ email accounts and the accounts of Democratic party operatives.
Komarov said that InfoArmor’s conclusions that the hackers who attacked Linkedin and other companies were also responsible for the Yahoo breach are based on an extensive intelligence analysis, underground contacts and information gleaned from multiple sources surrounding the Yahoo hack. His firm went into dark web chatrooms and made contact with hackers advertising Yahoo addresses for sale who said they were involved in the breach, and accessed and validated what Komarov described as a “large sample” of the stolen Yahoo data.
“If you calculate all the victims for all these hacks, it will be several billion victims.”
Yahoo’s confirmation last week of the massive breach has placed the tech giant at the center of a storm of controversy and unanswered questions, and could jeopardize the company’s imminent $4.8 billion sale of its core business to the telecom giant Verizon.
It remains unclear how long and how much Yahoo officials knew about the breach before publicly acknowledging it. Company officials have said that Yahoo became aware of the breach in August, and began to investigate. Experts have said that it’s not uncommon for a company of Yahoo’s size to withhold disclosure of a suspected breach until an internal forensic investigation has been complete.
Last week, Yahoo’s chief information security officer, Bob Lord, said that an internal probe had determined that usernames, email addresses, telephone numbers, dates of birth, security questions and answers, and in some cases passwords were harvested from more than 500 million compromised Yahoo accounts.
Lord said in a blog post that the company does not believe that banking or payment information was stolen, and has found no evidence to indicate that the hackers remain inside Yahoo’s systems.
Yahoo declined to comment.
“Island-Hopping” To Reach U.S. Officials
Komarov said that the apparently state-sponsored actor involved in the heist was using an indirect but increasingly common strategy known as “island-hopping” or “leap-frogging” to reach its ultimate targets. Rather than going after U.S. and other government officials directly, the aggressors used the data from the hired black-hat hackers to breach the Yahoo accounts of friends, family and associates of their ultimate targets.
Once inside compromised Yahoo accounts, hackers can email or respond to their targets directly with seemingly legitimate Yahoo emails that are virtually indistinguishable from real ones.
“The target will receive the exact same email from the Yahoo user and, for him, it will look legitimate,” Komarov said.
He said that while it’s extremely difficult to directly infiltrate a Google Gmail account, for instance, all you really need to get into it is a compromised account of a Yahoo email user who corresponds with the Gmail user.
“Then you simply hack the Yahoo account’s contacts, and then analyze the [emails] sent from the real object of interest. At some point you replace [a legitimate Yahoo email sent to a target] and fill it with malware,” he said. Once the end target clicks on a link or an attachment in the infected Yahoo email, hackers can get inside the target’s account.
From Foreign Espionage to Dark Web Marketplaces
Komarov said that the state-sponsored actor appears to have been working with the black hat hacker collective — which the InfoArmor team has dubbed “Group E” — for at least several years.
…