Yahoo Breach the Work of Cybercriminals with Nation-State Connections

Data from the Yahoo breach of 1 billion user accounts has already been sold on the black market on multiple occasions, according to InfoArmor.

While Yahoo maintains that the attack was performed by a nation-state-sponsored hacking group, InfoArmor’s research suggests otherwise, and many security experts agree. It has instead been suggested that a criminal organization was behind the attack, with those actors believed to reside in Russia and/or Ukraine.

InfoArmor’s chief intelligence officer Andrew Komarov claims the attack was performed by a hacking group operating under the name “Group E.” The group comprises four hackers of Eastern European and Russian origin. The group is involved in hacking organizations to obtain data, which is then sold on to spammers and. The group is also believed to have been behind some of the most high-profile hacks of recent years, including the hacking of Dropbox, MySpace, and LinkedIn.

Komarov says the attack on Yahoo most likely occurred in the spring of 2013 and that the data from the attack has already been sold to at least three parties for a sum of around $300,000 per sale. While the attack is not believed to have been performed by a nation-state backed hacking group, Group E does have links to at least one nation state.

Komarov claims that Group E has been doing business with a specific nation state for some time. After the attack on Yahoo, an offer was allegedly made to buy all of the data and have exclusive access. However, Group E declined as it would be more profitable to sell the data to multiple parties. The group was reportedly offered $1 million for exclusive access but allegedly only agreed to sell the data on a non-exclusive basis. Whether the data was purchased is not known.

If the data were sold to the nation-state, that state would have interests other than spamming users. Many individuals were government workers or military personnel, and their accounts would be of most interest. It is possible that many of those accounts could already have been compromised, while the email addresses could have been used for spear phishing campaigns.

Group E sells data to a number of large-scale spammers and cybercriminals, who would be able to use the data quickly to recover their initial outlay by conducting massive, targeted spamming campaigns. The account details that were stolen could be used to attack other online services to obtain even more data, and since passwords were also compromised, accounts could be accessed and used for a variety of nefarious purposes. The passwords were hashed using MD5, but that would not pose much of a problem to the individuals now in possession of the data. MD5-hashed passwords can easily be cracked.

Regardless of who now has the data, all individuals impacted by the breach are at risk. However, while the breach has only come to light this year, all affected individuals have been at risk for more than 3 years. Many of those individuals will have already been targeted, attacked, and defrauded.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of