Yahoo breach: experts discuss culprits, ramifications

Uri Rivner of BioCatch offers an explanation as to why the 2014 hack was only discovered now.

---

Yahoo admitted on Thursday that a data breach from late 2014 has seen sensitive information of about 500 million users being stolen.

A previously unknown indicator of compromise may have been discovered through investigating some current state-sponsored campaigns, cyber security experts believe.

The hack, described as the largest cyber security breach ever, includes names, e-mail addresses, telephone numbers, dates of birth and hashed passwords, and also "encrypted or unencrypted security questions and answers", said Yahoo in a statement.

It also said it believed that no payment card or bank account data was taken.

Uri Rivner, head of cyber strategy at BioCatch, says, as this was believed to be a state-sponsored attack, the likely vector is spear phishing of Yahoo operations people - followed by taking control over their computer by using remote access, then performing privilege escalation, lateral movement within the network, data exfiltration and then removal of penetration evidence.

"Pretty standard stuff for nation states," says Rivner.

In terms of who the prime suspects are, Rivner says his guess would be either the Chinese military, who hacked Google in 2010 for purposes of industrial espionage and tracking political activists' Gmail accounts; or possibly hackers affiliated with Russian intelligence agencies that may be interested in tracking American e-mails.

"This might be the same group that hacked into the Democratic Party Web site. Russian hackers are also closely related with the cyber crime underground and may have decided to hack Yahoo so they can sell the accounts - it's extremely useful data, as many people use their Yahoo password for online banking or mobile payments too."

Rivner says an interesting question is why the 2014 hack was only discovered now.

"This suggests that a previously unknown indicator of compromise was discovered through investigating some current state-sponsored campaigns - for example, the previously mentioned wave of attacks against the Democratic Party Web sites, attributed to Russian hackers."

He says if a new indicator of compromise is known, it can now be matched against historic logs and a prior breach can be discovered. "Yahoo may have learned about such indicators from their threat intelligence company, or via the cyber intelligence network that the NSA has established with the defence sector. The network was extended to leading US enterprises following the Chinese APT campaigns in 2009-2011, and in particular, the March 2011 attack on RSA, which convinced the US intelligence community of the need to declassify state-sponsored indicators and share them with the private sector."

According to Rivner, banks, payment companies and e-commerce sites should worry about account enumeration attacks where the Yahoo passwords will be played by robotic scripts to try to penetrate online and mobile accounts. "In fact, banks have recently reported a surge in such attacks."

Another impact, he says, will be on the biometrics market.

"Bulk password theft has grown dramatically in the last few years, and no one trusts passwords anymore, or likes using them.

"Biometrics can replace passwords, and technologies like behavioural biometrics and cognitive analytics can provide continuous authentication, so even if the initial entry is authenticated, activities done inside the account by someone else or something else can be detected," Rivner says.

This is also not the first time Yahoo has fallen victim to a breach. Vitali Kremez, cyber crime intelligence senior analyst at dark Web intelligence expert, Flashpoint, says on 2 August this year, Flashpoint became aware of an advertisement posted on TheRealDeal Marketplace by actor "peace_of_mind", aka "peace", for the sale of around 200 million Yahoo account credentials.

Kremez has been following Peace, the same actor that Flashpoint previously reported as selling leaked MySpace and LinkedIn account credentials earlier this year. "This actor, who is also a co-founder of TheRealDeal Marketplace, is considered highly credible based on past activity and feedback from customers."

At the time, peace_of_mind claimed he had sold credentials for LinkedIn and Tumblr too, and said in a message the Yahoo database came from a cyber crime group based in Russia, which had breached LinkedIn, Tumblr and MySpace. He added the Yahoo database 'most likely' came from as early as 2012, and that copies of the purloined databases had already been sold.

At the time, Yahoo said it was aware the database was on sale, but did not confirm or deny if the records were real, saying its security team was in the process of determining the facts.

This time, Yahoo said in an announcement it is notifying all users that might have been compromised, and has taken measures to secure users' accounts. It has invalidated unencrypted security questions and answers, and has asked users to change their passwords.

It has also suggested to users they review all online accounts for any dubious activities, and recommends they change passwords and security questions on any other accounts for which they use the same login information as their Yahoo accounts.

Speaking of the culprits, Yahoo said state-sponsored attacks of all types are becoming commonplace in the IT industry. "Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account."

Offering some advice to potentially affected users, Rivner says in many cases people use their Yahoo password, or one very similar, for other Web services such as Gmail, LinkedIn or Facebook, and also sometimes for online banking and payment services too.

"It's a good time to change some of these passwords, and turn them into pass phrases from a book, song or film - an example would be Ar3YouTalking2Me? - instead of the regular password. If two-step authentication is offered, consider using it."

In terms of how this type of hack can be prevented, Rivner says companies can use layers of traditional IT security controls and advanced cyber security defences such as user behavioural analytics, cyber intelligence services, decoy networks and virtualised networks - as well as employ continuous authentication of employees in sensitive applications.