Cybercriminals with Nation-State Support Responsible for Yahoo Attack

InfoArmor has claimed that data from the Yahoo breach of over one billion user accounts has already been purchased on the black market by multiple third parties on numerous occasions.

Although Yahoo argues that a nation-state sponsored group was responsible for the hack, research carried out by InfoArmor indicates otherwise, and a number of security experts concur. Rather than a nation-state sponsored group of hackers, InfoArmor suggests that a gang of cybercriminals, based in Russia and/or Ukraine, carried out the attack.

Andrew Komarov, who is InfoArmor’s chief intelligence officer, believes that the cyberattack was carried out by a hacking gang known as “Group E.” Group E consists of 4 hackers who are thought to be of Russian and Eastern European origin. The group hacks various organizations in order to obtain data which it can then sell on to spammers and the like. It is also thought that Group E was responsible for some of the most notorious hacks of the last few years, such as the attacks on Myspace, LinkedIn and Dropbox.

Komarov thinks that the hack of Yahoo probably happened at some point between March and June of 2013. He believes that the data obtained in the attack has already been sold to at least 3 parties, with approximately $300k being paid on each occasion. Although the attack is not thought to have been carried out by a hacking gang that is nation-state backed, Group E is known to be connected to at least one nation state.

It is alleged by Komarov that Group E has been trading with a particular nation state for a certain period of time. Following the attack on Yahoo, it is suggested that a proposal to buy the entirety of the data and have unique access was made. Nonetheless, Group E rejected the proposal because it believed that it would ultimately be better business to sell the data to a variety of parties. Apparently $1,000,000 was bid for exclusive access but sources suggest Group E would only agree to sell the data on a non-exclusive basis. It remains unknown whether or not the data was purchased.

Should the data involved be sold to the nation-state, its interest would extend far beyond spamming users. A large number of people whose details were obtained in the hack are government workers or members of the military. Their accounts would undoubtedly have been of great interest. Although it cannot be confirmed, it is certainly possible that a significant number of the said accounts have already been compromised. The email addresses might well have been used in multiple spear phishing campaigns.

Group E makes its money by selling the data it obtains illegally to a variety of big-time spammers and criminals. The buyers can ordinarily then use the data quickly to recover their initial expenditure by carrying out huge, yet targeted campaigns of spamming. The stolen account details may be used in order to attack other online services in efforts to obtain yet more data. Given that passwords are also compromised, accounts can be accessed and used for a range of dishonest activities.

The passwords were hashed with MD5 (often misreported as "encrypted"), but that is unlikely to have been problematic for skilled hackers. MD5 is fast to compute and, used on its own without a per-user salt, offers no resistance to dictionary or brute-force guessing, so MD5 password hashes are known to be relatively simple to crack.
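To make the point about MD5 concrete from a defender's side, the following is an added example (not code from the article or from Yahoo) that contrasts a bare MD5 password record with a salted, deliberately slow PBKDF2 record, and shows the login-time upgrade path a site can use to retire legacy MD5 records. The candidate password list and the record format `pbkdf2_sha256$<iterations>$<salt>$<hash>` are constructed for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed candidate list for the demonstration; real wordlists are far larger.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "yahoo2013"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 digest: the storage form the article attributes to Yahoo."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_md5_lookup(candidates) -> dict:
    """Precompute digest -> plaintext once. Because there is no per-user salt,
    a single table answers every leaked record, which is why unsalted MD5
    collapses so quickly once a database is stolen."""
    return {md5_hex(p): p for p in candidates}


def recover_from_lookup(digest_hex: str, table: dict) -> Optional[str]:
    """Return the plaintext if a leaked digest is in the precomputed table."""
    return table.get(digest_hex.lower())


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Salted, intentionally slow hash using the standard library's PBKDF2-HMAC-SHA256.
    A fresh random salt per record means no shared lookup table applies."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Login-time check that also migrates legacy records.
    Returns (ok, record_to_persist). If the record is a bare 32-hex MD5 digest
    and the password matches, the caller should overwrite it with the returned
    PBKDF2 string so the MD5 form disappears from the database over time."""
    if stored.startswith("pbkdf2_sha256$"):
        return pbkdf2_verify(password, stored), stored
    # Legacy unsalted MD5 record (32 hex characters).
    if hmac.compare_digest(md5_hex(password), stored.lower()):
        return True, pbkdf2_hash(password)
    return False, stored


if __name__ == "__main__":
    table = build_md5_lookup(COMMON_PASSWORDS)
    leaked = md5_hex("qwerty")  # constructed "stolen" record
    print("MD5 record recovered from table:", recover_from_lookup(leaked, table))
    ok, upgraded = verify_and_upgrade("qwerty", leaked)
    print("login ok:", ok, "| upgraded record:", upgraded[:40] + "...")
```

The lookup step is the whole reason unsalted MD5 is considered weak: the table is built once and reused against every record. The PBKDF2 record cannot be matched that way because each entry carries its own salt, and the iteration count makes each guess cost orders of magnitude more than an MD5 computation. The `verify_and_upgrade` path is the usual way to migrate an existing user base without forcing a reset.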

Wherever it is and whoever now has the data, all of the users affected by the breach remain at risk. Even though the hack was only revealed in 2016, it is clear that all of those concerned have in fact been at risk for over three years. A number of them may even have already been victims of online attack and fraud.

Posted by

Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on https://twitter.com/defensorum and contact Emma at emmataylor@defensorum.com.