As challenges mount against Yahoo’s attribution of a massive 2014 data breach to state-sponsored hackers, CISO Bob Lord yesterday confirmed that a cache of 200 million Yahoo accounts marketed this summer in an underground forum is unrelated to the breach.
Speaking at the Structure Security conference in San Francisco yesterday, Lord said the incidents were independent of one another and that Yahoo could not verify that the hacker known as Peace actually had Yahoo account data for sale in July and August. Lord did say that Yahoo’s investigation into the listing on the dark web market known as The Real Deal prompted a closer look at Yahoo’s network and infrastructure, which led to its discovery of the 2014 breach.
In the meantime, Peace and another hacker called tessa88, both of whom were tied to a string of large password dumps this year, have been exposed as merely resellers of stolen data, proxies between hackers and buyers. The 200 million records they claim to have were not stolen from Yahoo, but were compiled from numerous third-party breaches and leaks. Connecting this data to a potential Yahoo breach may have been hype at the time to monetize the data, much of which was considered “garbage” by experts. In-fighting and distrust of their activities got one of them banned from a number of underground forums, and may have prompted an ongoing DDoS attack against The Real Deal marketplace.
One security company also called into question Yahoo’s conclusion that the attack was the work of a government-sponsored attack group. Andrew Komarov, chief intelligence officer at InfoArmor, said that the 2014 breach was the work of the same cybercrime outfit that breached LinkedIn and MySpace.
Yahoo declined to comment on InfoArmor’s conclusions.
Komarov said his company had acquired a large sample of data from the 2014 Yahoo breach (he would not say how it was obtained) and checked random records to confirm its authenticity.
“It’s an operative source; we never bought the data. And after analysis and verification of the dump, we are confident this is the legitimate dump and no reason to believe it is garbage or from a third party,” Komarov told Threatpost.
Komarov said the data is in SQL format, which indicates a server-side dump, and he concluded that the hackers who breached Yahoo likely did so by exploiting a web-application vulnerability to gain access to the user database.
“It’s definitely not state-sponsored,” he said.
Komarov said the hackers are a criminal group which he calls Group E. It sells stolen data primarily to spammers, he said. One of Group E’s clients, however, was an Eastern European government, which purchased a subset of the data relating to officials from government agencies, militaries and embassies, and one theory is that Yahoo may have arrived at its state-sponsored conclusion based on those victim profiles.
Yahoo last week disclosed the 2014 attack against its network and said a copy of a database containing 500 million user account records had been stolen. Lord said in a blog post disclosing the breach that the data included names, email addresses, telephone numbers, dates of birth, hashed passwords and some encrypted or unencrypted security questions and answers. Most of the passwords, a source said, were hashed with bcrypt, but a few were hashed with the outdated MD5 algorithm and could be cracked offline by anyone holding the dump.
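The practical difference between the two algorithms is what an attacker holding the dump can do with it offline. The script below is an added example, not Yahoo’s or InfoArmor’s code, that triages a constructed sample of leaked user records: it classifies each stored value by hash format, runs a small wordlist against the unsalted MD5 entries, and reads the work factor out of the bcrypt entries. The usernames, passwords, wordlist and bcrypt-shaped strings are all made up for the illustration; the script never verifies the bcrypt values, it only shows why they are not attacked the same way.

```python
import hashlib
import re

# Constructed sample records for the illustration; nothing here comes from a real dump.
# Shape mirrors a server-side user-table export: (username, stored password hash).
# The bcrypt strings follow the real layout ($2a$<cost>$<22-char salt><31-char digest>)
# but are placeholders for format detection only.
SAMPLE_DUMP = [
    ("alice", "$2a$10$" + "N9qo8uLOickgx2ZMRZoMye" + "IjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    ("bob",   "5f4dcc3b5aa765d61d8327deb882cf99"),   # md5("password")
    ("carol", "e10adc3949ba59abbe56e057f20f883e"),   # md5("123456")
    ("dave",  "$2a$12$" + "R9h/cIPz0gi.URNNX3kh2O" + "PST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    ("erin",  hashlib.md5(b"Tr0ub4dor&3-long-and-unlisted").hexdigest()),  # not in the wordlist
    ("frank", "0d107d09f5bbe40cade3de5c71e9e9b7"),   # md5("letmein")
]

# Constructed wordlist; a real attack would use tens of millions of candidates.
WORDLIST = ["123456", "password", "letmein", "qwerty", "yahoo"]

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def classify(stored):
    """Identify the hash scheme from the stored string alone."""
    if BCRYPT.match(stored):
        return "bcrypt"
    if MD5_HEX.match(stored):
        return "md5"
    return "unknown"


def triage(records):
    """Count how many records fall under each scheme: the first thing to know about a dump."""
    counts = {}
    for _, stored in records:
        kind = classify(stored)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def crack_md5(records, wordlist):
    """Dictionary attack on the unsalted MD5 entries.

    Because there is no salt, each candidate is hashed exactly once and the
    resulting table is reused against every user: the cost of the attack does
    not grow with the number of accounts.
    """
    lookup = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {
        user: lookup[stored]
        for user, stored in records
        if classify(stored) == "md5" and stored in lookup
    }


def bcrypt_cost(stored):
    """Return the bcrypt work factor; each guess costs 2**cost key-setup rounds,
    and the per-user salt means the work cannot be shared across accounts."""
    return int(stored.split("$")[2])


if __name__ == "__main__":
    print("hash schemes in dump:", triage(SAMPLE_DUMP))
    print("MD5 accounts recovered:", crack_md5(SAMPLE_DUMP, WORDLIST))
    for user, stored in SAMPLE_DUMP:
        if classify(stored) == "bcrypt":
            print(f"{user}: bcrypt cost {bcrypt_cost(stored)}, "
                  f"{2 ** bcrypt_cost(stored)} rounds per guess, salted per user")
```

Running it recovers three of the four MD5-protected passwords from a five-word list in a single pass, while the two bcrypt records would each need their own run of 2^10 or 2^12 rounds per candidate; that asymmetry is the whole reason the MD5 remnant in a mostly-bcrypt database matters.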
Alex Holden, owner and CISO of Hold Security, said he was surprised by Yahoo’s breach disclosure because no Yahoo data is currently for sale on the black market. Holden said that in July he saw samples of data belonging to Yahoo users circulating in the black market that were consistent with what Yahoo last week reported as missing, but it wasn’t clear that the data was stolen from Yahoo. He told Threatpost that he had no evidence pointing toward a state-sponsored attack.
“We don’t have any evidence to point that way, but we are assuming Yahoo knows much more than we do,” Holden said. He added that it would be out of character for government-sponsored hackers to sell stolen data.
“If it were government-sponsored hackers, they should be able to use this data effectively to the detriment of Yahoo,” Holden said. “The impact does not make sense. This is not in the spirit of government-sponsored hackers. This seems to be an amateur job rather than a sophisticated government. As we’ve seen with the OPM and Anthem hacks, those were much more sophisticated attacks.”
Komarov said in a report published yesterday by InfoArmor that tessa88 and Peace were middle men, reselling stolen data to buyers, and that tessa88 had connections to Group E. Tessa88 is Russian and was brought in to sell to Russian-speaking buyers, while Peace would sell to English-speaking buyers.
Tessa88 and Peace reportedly partnered in May, Komarov said, to sell MySpace, LinkedIn, Tumblr and Fling.com data. Conflicts between the two eventually surfaced and in June, Komarov said, tessa88 was blacklisted from many forums for the delivery of phony or low-quality data to certain buyers.
In August, Peace made the first claims of the availability of Yahoo data, a dump of 200 million records on The Real Deal for a low price of 3 Bitcoin; it was the low price that raised initial suspicions for Komarov. He added that most of the data was invalid or from phony or deleted accounts, and that the Group E hackers eventually reneged on a promise to share the real breached Yahoo data with the two resellers.
“The 200 million is total [BS],” Komarov said. “It has nothing to do with the Yahoo breach. We analyzed a lot of blocks of the dump and it was a collection of Yahoo-related credentials from different places. It was a big collection and everything was structured in the same format [as the Yahoo breach data], which may have created confusion.”
Group E, Komarov said, is likely made up of five people, each with different capabilities and responsibilities: one non-technical member responsible for monetizing stolen data, and four technical members, one specializing in web application exploits, one in network intrusions, one a developer building exfiltration and parsing tools, and one a database engineer. All the data is centrally stored, Komarov said, and the clients are mainly spammers.
“Group E don’t have nicknames on forums. They operate on stealth and only with trusted partners,” Komarov said. “They are concerned about operational security.”