"state sponsored actor". I wonder how they decided that. Did the hackers plant a flag inside Yahoo's data center? Or is any attack originating from outside the US now considered state sponsored? Of course, we will never see any proof of this.
Also, did it take them 2 years to discover this breach? That's bad. Or, do they just announce it now? That's worse.
Yahoo shouldn't be doing the attribution; it's a conflict of interest[0].
At the moment the standard for incident disclosure is "eventually disclose the leak to users", which some companies, like Yahoo in this case, really stretch.
I'd like to see the standard become engaging an outside firm and have them release as much information as possible so that the techniques used, information stolen, potential attribution etc. can be reviewed and benefit everybody.
The statement so far from Yahoo benefits only Yahoo (specifically Yahoo management).
The stolen Yahoo accounts were listed on a DNM market a few months ago. That is how we found out about it (I suspect that is also how Yahoo found out about it). That is one of the only data points we have on the outside and it points away from the attack being state-sponsored.
[0] Some would argue that the research / attribution firms are only a little less conflicted since they sell products that aim to prevent the same state-sponsored attack.
Their interest is in making the attack look more sophisticated than it may have been, making them look less incompetent because they'd be one of many victims of state-backed hacking (they even say that in their statement).
I think it has to do with the sophistication of the attack. If they used multiple zero-days, multiple pieces of custom coded software, and a team of operators working full time for long periods of time then it can be assumed it's a multi-million dollar effort involving a large team of engineers. In such a case the list of potential adversaries can be reduced to corporate or state actors.
I agree, but the typical PR spin tends to be "a sophisticated adversary". It'd look bad to say an attack was state sponsored if you didn't have good reason to believe it, since that's a pretty specific accusation.
My guess is they hired a firm that actually knows security - probably FireEye or Crowdstrike - and their analysts came to that conclusion.
No it's not. It's an entirely vague specification.
Was it the Russians, the Chinese, the NSA?
It's also something they'll never have to prove or verify so from a PR perspective it makes you look far less incompetent if you say 'state sponsored actor' instead of '17 year old high-schooler from Estonia'.
>It's also something they'll never have to prove or verify so from a PR perspective
I disagree. In breaches like these, attribution discussion begins pretty quickly after the announcement. If researchers find evidence it was some script kiddie or a black hat group or whatever, that would embarrass Yahoo even more.
If you don't know who the attacker is, you have nothing to lose by saying you were compromised by a sophisticated adversary in a targeted attack. You have more to lose by saying a nation-state attacked you if they actually didn't.
It seems like the Hillary/Russia thing has everyone thinking, without any evidence, that it's always fake when a state actor is accused. I don't see any reason to doubt them, do people think that countries are not trying to hack into these systems?
Exactly. I see no reason why a "state sponsored actor" would spend "millions" on hacking Yahoo, to turn around and sell the stolen data for $1200 on the black market.
> I think it has to do with the sophistication of the attack.
The security team probably sees thousands of attacks every day, mostly automated but probably a dozen a day targeted/custom. If one gets through the security, that is of course more sophisticated than all the other ones, plus it outsmarted the security team and developers, so you'd hardly tell your boss "we were too stupid". Instead, it came from China* so state-sponsored is a good text to write.
*Or something like that. Enough infected computers there to go around (or government cares little enough if you rent a server).
Yeah, unfortunately I think this has become a trend. If a big company gets hacked, they can just say "Well, this sucks, but what could innocent helpless little us have done against a whole country like [Russia, NK, Iran, other stereotypical boogeyman to American audiences]?" It's quite transparent BS in every case I've seen thus far (prominently, Sony and the DNC), but it definitely earns the hacked company some sympathy, and it allows them to feel more important and make others think they're important enough for a nation-state to try to steal from them.
Since it's worked a couple of times, now everyone is going to pile on. I expect every major data breach over the next few years is going to be perpetrated by an ethereal "state-sponsored actor".
> (Bonus points to readers who understand why /var/tmp instead of /tmp :D)
Because many newer Linux distributions mount /tmp as a tmpfs that gets zapped when the system shuts down. Do I get a no-prize?
> echo "Russians wuz here!" > /var/tmp/hacker.sig
Oh, that brings back memories of an incident involving Serbian/Romanian malware at a former employer of mine... when I got into the box to figure out why it was attempting to DoS Caltech, I found a complete set of DoSing tools in /root with comprehensive documentation in Romanian, plus a quick 'who' showed that the attacker was still logged in over SSH, so I looked up his IP and it came up as being somewhere in Serbia. After that, "Serbian Malware" became a meme at that company (and I quickly made sure to patch the hole -- the result of a stupid, stupid mistake that I take responsibility for -- to make sure it couldn't happen again).
Didn't a cache of supposedly state-sponsored tools just get auctioned off by a group who (supposedly) compromised a machine which was under the ownership of one of the three-letter groups?[0]
Seems to give more credence to the viewpoint that the tool doesn't indicate the perpetrator too easily.
If I hand you an F-16 and you use it to do damage that would indicate possible US air force involvement. If the F-16 that attacked me was preceded by advanced ECM, suppression of air defenses using stand-off munitions, and was performed in a particular precision attack pattern then US air force involvement would be much more likely. These signatures are not just about the tools, but the opsec and procedures that the hackers used to deploy the tools, how they moved laterally to the target, and how they exfiltrated the information. It is the whole package that identifies a real state-sponsored actor vs a freelancer with access to a bag of zero days.
Well, the F-16 is used by over two dozen nations. So its use wouldn't indicate anything.
Some of the nations that use the F-16 are also capable of the things you say prove US air force involvement. Even then, that's a bit of an extreme analogy.
How about we pull down the analogies to be more in line with what more likely happened? Like, someone used a truck to rob a bank and people think a manufacturer of trucks is somehow responsible?
So, what would be the "signature" of a state-sponsored actor, what in this sort of hack costs money and resources on the scale of "[physical?] suppression of air defenses"?
It's not so much about scale as about characteristic types. If you find that the air defenses were suppressed with anti-radiation missiles that the US doesn't sell much or at all, that makes it reasonable to find US involvement more likely than the bombs just having come off an F-16's racks does. That's just as true whether one such missile was used, or one hundred.
(In military parlance "suppress" usually means not specifically to destroy, but to render ineffective. For example, at the infantry level, "suppressing fire" isn't intended specifically to kill members of an enemy formation, but rather to make them keep their heads down so as not to die, rather than doing something useful like actively opposing a move by another of your fire teams. In the case of anti-air defenses being suppressed to clear the way for an air attack, though, the tool of choice is going to be a standoff anti-radiation missile; see "Wild Weasels" for more detail on how it's done.)
Going after authentication info (esp. the security questions) _is_ a narrow target. You are probably looking at a couple of tens of GB total. If you get away with it clean you can also then go back in and hit specific targets using that authentication info, so you walk away with a useful basket of data that does not reveal anyone you might have targeted but in turn makes it easier to go after those targets in the future.
Helps to "save face", when all 0-day exploits are now considered "state sponsored".. otherwise they'd have been reported within bug-bounty program.. who else pays more - hostile governments, of course =)
If they claim it was a state-sponsored attack and then a non-state-sponsored hacking group makes a credible claim to have been the perpetrators, Yahoo will look even worse than they do now. I doubt Yahoo is saying 'state-sponsored' just for PR.
While attribution is difficult and sometimes impossible, if you find that the attacker used custom malware/infrastructure also seen in other attacks, it is likely that it's the same attacker group. And in some cases, it's known that certain groups work for certain governments.
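The overlap argument in the comment above (custom malware or infrastructure seen again across incidents suggests the same operator) is the kind of thing a defender can check mechanically. The following is an added example, not code from anyone in this thread: it clusters incident reports by the Jaccard overlap of their indicator sets. All incident ids, hashes, addresses (RFC 5737 test ranges) and domains are constructed, and the `COMMODITY` list models the caveat raised elsewhere in the thread, that widely shared resources (public resolvers, rented hosting) are shared by everyone and so carry no attribution weight.

```python
"""Cluster incidents by overlapping indicators (added example, constructed data)."""
from itertools import combinations

# Constructed sample incidents: each maps an incident id to the indicators
# observed in it. Hashes, addresses and domains are fictional.
INCIDENTS = {
    "incident-A": {"md5:aaaa1111", "c2:203.0.113.10", "domain:update-check.example",
                   "mutex:Global\\svcmon", "dns:8.8.8.8"},
    "incident-B": {"md5:bbbb2222", "c2:203.0.113.10", "domain:update-check.example",
                   "mutex:Global\\svcmon", "dns:8.8.8.8"},
    "incident-C": {"md5:cccc3333", "c2:198.51.100.7", "domain:cdn-assets.example",
                   "dns:8.8.8.8"},
    "incident-D": {"md5:dddd4444", "c2:198.51.100.7", "dns:8.8.8.8"},
}

# Indicators so common that sharing them says nothing about who the operator
# is (constructed list; a real one would be far longer).
COMMODITY = frozenset({"dns:8.8.8.8"})


def shared_indicators(a, b, ignore=COMMODITY):
    """Distinctive indicators two incidents have in common, sorted for stable output."""
    return sorted((set(a) & set(b)) - set(ignore))


def jaccard(a, b, ignore=COMMODITY):
    """Jaccard similarity of two indicator sets after dropping commodity indicators."""
    a, b = set(a) - set(ignore), set(b) - set(ignore)
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster(incidents, threshold=0.4, ignore=COMMODITY):
    """Union-find clustering: link any two incidents whose similarity meets the threshold.

    Returns a sorted list of sorted clusters so callers can compare results directly.
    """
    parent = {k: k for k in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(incidents, 2):
        if jaccard(incidents[x], incidents[y], ignore) >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for k in incidents:
        groups.setdefault(find(k), set()).add(k)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in cluster(INCIDENTS):
        print("cluster:", group)
        if len(group) > 1:
            print("  shared:", shared_indicators(INCIDENTS[group[0]], INCIDENTS[group[1]]))
    # Same run with the commodity filter switched off, to show the false link it prevents.
    print("without commodity filter:", cluster(INCIDENTS, ignore=frozenset()))
```

With the filter on, incidents A and B are linked by a shared C2 address, domain and mutex, while C and D only share one C2 address and stay separate. With the filter off, the shared public resolver pushes C and D over the threshold and produces a spurious link, which is exactly the "enough rented servers to go around" objection: overlap is evidence only when the overlapping indicator is something the operator controls rather than something everyone uses.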