The attack on the company, whose existence was revealed on Wednesday, occurred over three years ago, in August 2013. Involving over a billion user accounts, the hack is the largest security breach in history. The company had already secured this humiliating title just three months ago, in September 2016, when the data of 500 million users was reported to have been breached. That attack was said to have been the work of a "state-sponsored actor," and Yahoo believes the two hacks may be connected.
Speaking to Radio Sputnik, Gary Miliefsky, senior cybersecurity expert and founding member of the US Department of Homeland Security, discussed the details of the latest hack, and why he agreed with Yahoo's assessment of this probably being the work of a foreign government.
For a start, the expert explained that the Yahoo hack appears to be part of the global problem of sophisticated phishing attacks. "If we step back and look at all the breaches all across the globe…it's all about an employee in the company getting an email that appears to be from someone they trust, called a spear phishing attack. When they click on a link, or download an attachment or open a file they think they should open, because they trusted the email, they get infected with a remote access trojan which allows criminals, hackers or nation states to get at the data inside that network from far away."
"Spear phishing is the number one way to steal data from any organization. In the United States, Anthem.com lost 80 million records, OPM.gov lost 22 million records, now Yahoo a billion – it'll just keep happening if people are not more aware and more vigilant," Miliefsky noted.
Specifically regarding the Yahoo attack, the expert said that his gut feeling told him "a nation state" was probably responsible. "Some have leaned toward Russia; I think it's actually the Chinese government, because they're great at these kinds of attacks – and of cross-correlating records. You do one breach here and another breach there and then you find common information," eventually building up a dossier of important data.
At the same time, Miliefsky explained that the massive hack was probably the work of a state actor, due to its targeting of user data en masse, while ordinary cybercriminals "don't waste their time on info if they don't get credit card data."
As for how an attack of this scale could have taken place in the first place, the expert suggested that it was likely done "over a period of many months using what's called a remote access trojan. Many remote access trojans cannot be detected by [even] the latest anti-virus scanner… In other words, most of the new malware that can sit around and eavesdrop on your network for days, weeks or months is custom-written and non-detectable by your favorite anti-virus scanner – that's one of the big problems."
Moreover, the analyst stressed that such attacks, whether against companies or governments, can be very sophisticated, stretching out over a very long period of time to glean reams of sensitive information.
"When you install a remote access trojan, just like the breach of 100 banks in Russia [last year], where they stole over a billion dollars, what they did is sat on the network, and wormed their way across for at least six months, collecting data, eavesdropping on the microphone, the webcam, the keyboard, learning a lot about the environment. And next thing you know [the hacker] is part of the network administration team, and no one even knows they're there." The same scenario may have occurred with the Yahoo breach.
Asked why it took so long for the company to publicly admit the existence of the hack, Miliefsky said it is actually a very good question. "Under California law, where they're located, they would have had to disclose in 30 days." He suggested that the company may have found out about the incident only long after the event. "According to [cybersecurity firm] FireEye, most companies that have been breached don't know about it for almost a year. So they may not have found out for a while, and then asked the FBI for help, and perhaps the FBI told them not to disclose the breach" in order to investigate it more thoroughly.
Following the hack, Verizon, which planned to acquire Yahoo for $4.8 billion, announced that it would review the terms of the agreement, including the purchase price. Miliefsky noted that the hacking news amounted to an "epic fail" by Verizon's mergers and acquisitions team, and will likely affect the purchase price by a "tremendous amount."