Yahoo's claim of 'state-sponsored' hackers meets with skepticism

Yahoo has blamed its massive data breach on a "state-sponsored actor"

Yahoo has blamed its massive data breach on a "state-sponsored actor." But the company isn't saying why it arrived at that conclusion. Nor has it provided any evidence.

The lingering questions are causing some security experts to wonder why Yahoo isn't offering more details on a hack that stole account information from 500 million users.

"I think there's a lot of fishiness going on here," said Michael Lipinski, the chief security strategist at Securonix.

Yahoo didn't respond to a request for comment. The company has protocols in place that can detect state-sponsored hacking into user accounts. In a December 2015 blog post, the company outlined its policy, saying it will warn users when this is suspected. 

"In order to prevent the actors from learning our detection methods, we do not share any details publicly about these attacks," wrote Yahoo chief information security officer Bob Lord at the time. He added that the company only sends out these notifications "when we have a high degree of confidence."

However, blaming a high-profile breach on state-sponsored hackers might also be a convenient excuse to reduce culpability.

"If I want to cover my rear end and make it seem like I have plausible deniability, I would say 'nation-state actor' in a heartbeat," said Chase Cunningham, director of cyber operations at security provider A10 Networks.

The perception is that state-sponsored hackers are unstoppable and among the best in the world, he added. Cunningham suspects that cyber criminals, and not an elite government-back group, may have actually targeted Yahoo.

"This just doesn't reek of nation-state activity," he said. "Nation-states are after intellectual property. They don't give a damn about emails and passwords from a Yahoo account."

The internet company might also be holding back details on the breach because of Verizon, which has agreed to pay US$4.8 billion to buy Yahoo.

"I'm not sure the Verizon acquisition will still go through," said Lipinski of Securonix. Verizon, for example, might have to fork up millions more in cash in dealing with the breach's fallout.

"But blaming it on a state-sponsored actor will kind of help them (Yahoo)," he added. "They can say, 'It's not our fault, our insurance will take care of it.'"

Even though Yahoo hasn't provided much evidence, other security experts also said it's still very possible state-sponsored hackers were responsible for the data breach. A government might have been interested in targeting the email accounts of human rights activists, for instance. Or the breach could have been initiated by a company insider, who was actually a spy.

There are other possible reasons for Yahoo to withhold data, added Vitali Kremez, a cybercrime analyst with security firm Flashpoint.

"Law enforcement could be investigating and they (Yahoo) don't want to jeopardize anything," he said. "They could also be preparing legal proceedings."

Yahoo said it only recently learned of the data breach. But the hack actually occurred back in late 2014 -- meaning the perpetrators had two years to secretly exploit the data.

If state-sponsored hackers did indeed target Yahoo, Kremez fears that other companies might have been victims as well -- they just don't know it. 

"We do need more transparency," Kremez said. "We'd all like to know more to see if this fits into a larger pattern."

Join the CSO newsletter!

Error: Please check your email address.

More about A10 NetworksindeedVerizonYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Michael Kan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts