Yahoo has announced hackers, believed to be state-sponsored, stole data on around 500 million users in 2014. The Cipher Brief’s Kaitlin Lavinder spoke with Vitali Kremez, a Senior Analyst at cyber intelligence company Flashpoint, about the hack.
The Cipher Brief: Is it possible, given the scale of the hacking, that it was not a state-sponsored actor?
Vitali Kremez: It’s definitely possible that it was not a nation state actor. It’s also possible that multiple groups compromised the system independently. We know for a fact that in 2012, a hacker was able to obtain 200 million Yahoo records and was offering them on TheRealDeal marketplace this past August. What is interesting about that is that some of these advanced actors are not nation states, but they are also capable of long-term sophisticated operations. We know, for instance, there are a few really sophisticated Russian groups who target financial infrastructure in various developing countries. They’re not necessarily nation state, but they have the capabilities to orchestrate such an attack.
It’s also possible that Russian intelligence agencies are using various hacktivist groups or other actors as a scapegoat – that is, nation state actors can claim events were from hacktivist groups or other Dark Web actors, but not them, even though the nation state is believed to be behind it.
Why Yahoo claims the 2014 breach was a nation state actor, in the absence of specific forensics and intelligence, is likely because of what we know about nation state actors: They usually are on the system for a long period of time, partially because they’re not necessarily financially motivated – they have the capabilities or resources to stay on the system for an extended amount of time, with no monetary benefit.
TCB: Is the information that was acquired in 2014 from these 500 million accounts concerning to personal security?
VK: It’s definitely concerning for all of us, because of the fact that this cipher code could be cracked. This shows hackers can decrypt a plain text – that is, text that is not written in special code – of personal security questions.
The biggest exposure of the data breach is the passwords. We call it zombie password attacks when somebody uses the password of an individual and checks the same combination across other websites and can then obtain access to social media websites, for example, of the same person – or even bank login information that uses the same combination. These zombie attacks are possible with the Yahoo breach.
So yes, it’s alarming.
TCB: How has the data potentially been used over the past two years?
VK: If the data has been in the hands of a nation state actor since 2014 (and the data never surfaced on the Dark Web, for example) the data is likely very valuable and being held for exploitation by the nation state involved.
TCB: Do you think this breach will affect Verizon’s acquisition of Yahoo?
VK: The acquisition talks were happening probably at the same time Yahoo was internally investigating. It would probably negatively affect Yahoo’s standing in the eyes of Verizon. Given that the deal was supposed to be finalized and approved by regulators in the first quarter of 2017, I surmise this breach could potentially make Yahoo less attractive.