A United States cyber security company has asserted that the hack of 500 million account credentials from Yahoo was the work of an Eastern European criminal gang, adding another layer of intrigue to a murky investigation into the unprecedented data heist.
InfoArmor has issued a report which challenges Yahoo’s position that a nation-state actor orchestrated the heist.
InfoArmor investigated deals done in underground forums by threat actors Peace_of_Mind and tessa88, who the company said acted as proxies for the real hackers, and found the hacked trove of user data was later sold to at least three clients, including one unnamed state-sponsored group.
Yahoo declined to comment. The Federal Bureau of Investigation, which is investigating the hack, did not return a request for comment.
A US government source familiar with the Yahoo investigation said there was no hard evidence yet on whether the hack was state-sponsored. Attribution for cyber attacks is widely considered difficult in both the intelligence and research communities.
The task is made especially challenging by the fact that criminal hackers sometimes provide information to government intelligence agencies or offer their services for hire, making it hard to know who the ultimate mastermind of a hack might be.
Yahoo said last week that it only recently discovered the intrusion, which it blamed on a state-sponsored actor without providing technical evidence.
Nation-state hackers are widely viewed as possessing more advanced capabilities than criminal groups, a perception that could benefit Yahoo as it works to minimise fallout from the breach and complete its sale to Verizon.
InfoArmor concluded the Yahoo hackers were criminals after reviewing a small sample of compromised accounts, Andrew Komarov, the firm's chief intelligence officer, said.
The hackers, dubbed Group E, have a track record of selling stolen personal data on the dark web, and have been previously linked to breaches at LinkedIn, Tumblr and MySpace, Komarov said.
"They have never been hired by anyone to hack Yahoo," Komarov said. "They were simply looking for well-known sites that had many users."