10

It was recently disclosed that private information pertaining to over 500 million Yahoo accounts was stolen.

Yahoo's Chief Information Security Officer, Bob Lord, states that the information was stolen from Yahoo's computers by what Yahoo "believes is a state-sponsored actor".

First of all, what "state"?

Second of all, how would they know?

Bonus: Why does he use the word "actor"?

Anders
  • Self interest. If it's "state sponsored" they look far less stupid than if it's "a couple of guys". – Steve Sether Sep 23 '16 at 02:27
  • @SteveSether to be fair, if Yahoo was using bcrypt for password hashing, I can only imagine that they had other good security measures in place. I think their claim that it was a state sponsored attack is definitely possible. – d0nut Sep 23 '16 at 04:25
  • @iismathwizard It's possible. The more distressing part is either one is possible. This sort of thing is normally inferred by the interests of the actor. What does a state sponsor have to gain by hacking 500 million yahoo accounts? Not much. Yahoo of course has much to gain by calling it state sponsored. In any case, I wouldn't trust Yahoo to tell us the truth. – Steve Sether Sep 23 '16 at 04:56
  • @SteveSether "What does a state sponsor have to gain by hacking 500 million yahoo accounts? Not much." With 500 million accounts, I'm sure a couple of those are VIPs. I mean, it wouldn't be the first time in recent history that a government official had classified information on a 3rd party email server :p – d0nut Sep 23 '16 at 05:00
  • @iismathwizard 500 million is a big number. Big numbers draw attention. Attention is exactly what you don't want if you want to maintain access. – Steve Sether Sep 23 '16 at 05:05
  • @SteveSether feel free to elaborate a little more. I don't see your point. – d0nut Sep 23 '16 at 05:06
  • Anyone that wants access to someone's email doesn't want to lose access to it. If you suddenly download 500 million user accounts, you're far more likely to attract attention than if you just break into 50. – Steve Sether Sep 23 '16 at 05:15
  • 'Actor' and 'agent' are just very abstract words to describe entities (another super abstract word that intentionally contains no information/prejudice) that 'act', that is: do something. In this case, they hack. – Leif Willerts Sep 23 '16 at 15:49

3 Answers

19

That Yahoo claims that the attack was state sponsored does not mean that it was state sponsored, or even that they themselves believe it was. The reason why they would claim this lies somewhere on a continuum between two extremes:

  1. Yahoo were completely incompetent and vulnerable. There is no way they are going to admit to the world that the thief was a 15-year-old working from his mother's basement, so to make it look like it's not their fault they are portraying the attacker as extremely dangerous and competent, which is exactly what "state sponsored" implies.
  2. Yahoo were in fact very competent, but the attackers used very advanced methods (0-days, computationally expensive crypto cracking, etc.) so it is in fact reasonable to believe that the attackers would need to be sponsored by someone with a lot of resources - i.e. a state - to be able to pull it off.

As Micheal mentions in his answer, Stuxnet was an example of #2. The time Comodo claimed they had been hacked by a foreign state, when it was in fact a 21-year-old Iranian student, is an example of #1.

Where on this scale Yahoo falls is anybody's guess.

As to what state: in the case of #1, no state at all. In the case of #2, they would not have to know which state it was just to suspect that a state was involved. The key point here is that "state sponsored" is just code for "someone with loads of resources".

Anders
  • Good analysis Anders. Can you expand on *"someone with loads of resources"*? I thought security largely comes in five flavors these days: (1) trivial to exploit (2) unpatched software exploits (3) zero-day exploits (4) exploitable with just a few hundred fast GPUs in a short amount of time (5) allegedly not possible to exploit with any feasible amount of resources within the duration the sun is supposed to last. – RockPaperLz- Mask it or Casket Sep 23 '16 at 09:32
  • Admittedly, most people suspect that *- secretly -* large governments can exploit #5, but any public claims by a large company like Yahoo that #5 can be broken would result in a global breakdown in the belief that secure systems are actually "secure". – RockPaperLz- Mask it or Casket Sep 23 '16 at 09:33
  • Consequently, based on resources alone, it seems odd that Yahoo would be claiming that this breach was "state-sponsored" when #1, #2, #3, and #4 only require minimal resources to exploit, and #5 is *- publicly -* treated as if breaking it is impossible. Then again, Yahoo was entrusted with 500,000,000 private credentials that were apparently all stolen two years ago, and the public is just learning about it now with minimal details... so anything is possible. – RockPaperLz- Mask it or Casket Sep 23 '16 at 09:33
  • With resources I don't mean just computational power. I mean know-how, manpower, money. I don't think you can divide attacks into five categories and say there is no category six. There are attacks that motivated criminals on a low budget cannot pull off, but a well funded government could. – Anders Sep 23 '16 at 10:31
  • It is an excuse for getting hacked, and so good PR. Of course Yahoo looks a lot better if some "state" hacked them, because they surely couldn't defend against that evil empire. They can claim they did everything they could, but this state is just so powerful that they couldn't prevent it **without any fault** on their part. That would also be nice if someone sues them. At the moment, in the US everything is blamed on Russia for political reasons, so that fits well. – Josef Sep 26 '16 at 13:08
8

First of all, what "state"?

When people say "state-sponsored" they are referring to a nation state, or a government-sponsored attack. State-sponsored attacks are typically considered at the height of attacker capabilities because they have money, training, and resources that script kiddies do not.

Second of all, how would they know?

If someone says they believe an attack to be state-sponsored, it can be for a variety of reasons. It can be that the attack patterns do not match those of known groups like LulzSec, Lizard Squad, and other groups, or that zero-day vulnerabilities were used. Stuxnet is an example of a state-sponsored attack. It used multiple zero-day vulnerabilities.

Bonus: Why does he use the word "actor"?

In Information Security, an actor is someone who performs actions. Common examples of this usage are "bad actor" and "good actor." A bad actor is someone who behaves with malicious intent to harm a system or data.

A state-sponsored actor is someone or a group who is acting on behalf of a government.

h4ckNinja
  • One additional point: the use of the term "state-sponsored actor" can sometimes imply a distinction in contrast to the common alternative term "state actor." The latter can be used when there is good intelligence that the actors are actual state employees, while the former implies a step or more of removal, for reasons of deniability and so forth, like the difference between soldiers or state analysts and private military personnel. The latter would be "state-sponsored actors." – Jonah Benton Sep 23 '16 at 03:08
  • Fair point. Feel free to suggest an edit. :) – h4ckNinja Sep 23 '16 at 03:54
1

Well first, I think it's good to keep in mind that the "sophisticated attack" trope is one of the most common ones that's trotted out today by company executives (and government agency heads) who are acknowledging large-scale compromises. Sometimes, once more facts about how a breach actually occurred become known, it turns out that the attacker really was sophisticated in its methods. But very, very often, that turns out not to be true. Since one might therefore wonder whether Yahoo!'s "nation-state" comment should be taken as an interesting variation on this standard-procedure P.R. strategy versus a solid product of investigation, it's not necessarily wrong to start with some skepticism about whether this is a nation-state operation at this stage.

(Of course, 100 percent of the time the implication being made by a hacked organization with the "sophisticated attacker" point is that the organization could not possibly have been reasonably expected to prevent what happened. Because "sophisticated". And there is almost no doubt that Yahoo's "nation-state" comment is similarly intended to serve a buck-passing function in this manner. But I digress...)

Still... Yahoo's statement could well turn out to have some real basis. So it's certainly useful to talk about how an investigation might start to determine whether an attack was from a "nation-state actor", and what that even really means.


To start to answer the question: there are all kinds of ways that investigators can look at evidence related to a hack and start to draw some conclusions about whether a nation-state actor (intelligence agencies, mostly) or somebody linked to a nation-state (like a private cyber "militia" that a government covertly gives support to) was responsible.

One factor that gets looked at, just as in investigations of crimes and disputes of every conceivable kind, is motive. In cyberattacks where the attacker wouldn't have an obvious and easy way to profit financially from the attack, looking at whether a nation-state actor or nation-state-linked organization might have had reason to pull it off can make some sense. In particular, when we're talking about attacks that happen against the U.S. government, U.S. interests, or major U.S. companies, some attention immediately starts to shift to whether a group connected to one of the four persistent U.S. adversaries who have very active in-government or state-linked offensive cyber units--Russia, China, North Korea, and Iran--might be involved.

Another factor that one might consider is how "sophisticated" the attackers would have needed to be to conduct the attack the way they did. What Tools, Tactics, and Procedures they used. And especially whether in their attack they used Tools, Tactics, and Procedures that haven't been widely used before in the information security community. Developing, or buying, novel attack methods and assets that are often used in genuinely-sophisticated attacks takes resources. Lots of resources. (Money, access to highly-skilled people, etc.)

Now, what are some organizations that have the most such resources, strong motivations to do lots of information gathering against other organizations, and also effective legal impunity (well, for all intents and purposes) in conducting attacks? Governments. Governments do. Therefore, when you see an attack that actually did require some advanced capabilities, many people tend to jump to looking at nation-state actors.

Of course, the problem is that not all technically sophisticated attacks are done by nation-state actors. Far, far from it. A corollary of that is that hackers working for nation-state units very, very often use completely common & mundane methods against less well-defended targets that don't require cutting edge attacks. (Which is the vast majority of them.)

Which leads us to a third, and often much, much more reliable factor for attributing an attack to nation-state actor or nation-state linked group: clues gathered about the actual electronic infrastructure and software an attacker used.

Put bluntly, people are sometimes lazy and/or careless and make sloppy mistakes; nation-state hackers among them. And they leave behind clues during one attack that link that event to other attack/s. Including attacks where the party responsible is already either known or strongly suspected.

How do they get lazy?? Well, among other ways...

  • They reuse the servers they launch attacks from, command-and-control servers, servers they exfiltrate hacked data back to, proxy servers, and other elements of attacker infrastructure between different targets. Ideally, you should use different infrastructure for each attack effort you carry out. But that's a nuisance to do, and it's easy to just keep reusing it. Which leads to things like the OPM hack being initially detected by the U.S. government when Chinese hackers reused a command-and-control server that was already known to the feds' Edison intrusion detection system as malicious.
  • They reuse malware and other tools between different attacks more often than is wise. (Admittedly, this must be a hard one to get away from; nobody has the resources to develop or buy completely new versions of all their malware, exploits, attack tools, methods, etc. for every one of hundreds/thousands/more targets that an attacker goes after.)
  • They unnecessarily leave tools that shouldn't be exposed, exposed, and someone finds them. (Ahem, looking at you, NSA.)

And, no doubt, in countless other ways.

In short, they unintentionally leave clues behind that investigators find.

mostlyinformed
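A worked illustration of the infrastructure-overlap reasoning in the answer above, added here as an example; it is not part of mostlyinformed's answer and not the code of any real investigation tool. Every incident record, actor label, C2 address (RFC 5737 documentation ranges), TLS fingerprint and hash below is constructed, and the per-type weights, the prevalence cutoff and the link threshold are assumptions an analyst would tune to their own case data. The script scores pairs of intrusions by the indicators they share, discards indicators that appear in so many cases that they are commodity (a public resolver, a widely used credential-dumping tool), and clusters cases so that an unattributed case inherits the actor of a case it shares command-and-control infrastructure with, while a case that shares only a tool hash stays unattributed, which is the caveat the answer makes about mundane, shared tooling.

```python
"""Attribution by indicator overlap across intrusions (constructed example)."""
from collections import defaultdict
from itertools import combinations

# Assumed evidence weight per indicator type: reused C2 infrastructure
# counts for more than a reused tool hash, since tools are shared widely.
WEIGHTS = {"c2_ip": 3.0, "c2_domain": 3.0, "tls_fp": 2.0, "malware_sha256": 1.0}
MAX_PREVALENCE = 2   # seen in more cases than this -> commodity, ignored
LINK_THRESHOLD = 2.5  # minimum filtered score to link two cases

# Constructed case records: (indicator type, value) pairs per intrusion.
INCIDENTS = {
    "case-A": {"actor": "Group-X", "indicators": {
        ("c2_ip", "203.0.113.10"), ("c2_domain", "update-cdn.example"),
        ("tls_fp", "fp-1111"), ("malware_sha256", "hash-public-creddump"),
        ("c2_ip", "192.0.2.53")}},          # public resolver everyone uses
    "case-B": {"actor": None, "indicators": {
        ("c2_ip", "203.0.113.10"),           # same C2 as case-A: reuse
        ("tls_fp", "fp-1111"),               # same TLS cert on that C2
        ("malware_sha256", "hash-public-creddump"), ("c2_ip", "192.0.2.53")}},
    "case-C": {"actor": "Group-Y", "indicators": {
        ("c2_domain", "files-sync.example"), ("malware_sha256", "hash-rat-2"),
        ("malware_sha256", "hash-public-creddump"), ("c2_ip", "192.0.2.53")}},
    "case-D": {"actor": None, "indicators": {
        ("malware_sha256", "hash-rat-2"),    # only a tool in common with case-C
        ("malware_sha256", "hash-public-creddump"), ("c2_ip", "192.0.2.53")}},
}


def commodity_indicators(incidents, max_prevalence=MAX_PREVALENCE):
    """Indicators seen in more than max_prevalence cases: too common to attribute on."""
    seen_in = defaultdict(set)
    for case, rec in incidents.items():
        for ioc in rec["indicators"]:
            seen_in[ioc].add(case)
    return {ioc for ioc, cases in seen_in.items() if len(cases) > max_prevalence}


def link_score(incidents, a, b, commodity=frozenset()):
    """Weighted overlap of two cases, ignoring commodity indicators.

    Returns (score, sorted list of shared non-commodity indicators)."""
    shared = (incidents[a]["indicators"] & incidents[b]["indicators"]) - commodity
    return sum(WEIGHTS.get(kind, 0.0) for kind, _ in shared), sorted(shared)


def cluster(incidents, threshold=LINK_THRESHOLD):
    """Union-find over case pairs whose filtered score meets the threshold."""
    parent = {case: case for case in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    commodity = commodity_indicators(incidents)
    for a, b in combinations(sorted(incidents), 2):
        if link_score(incidents, a, b, commodity)[0] >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for case in incidents:
        groups[find(case)].add(case)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def attribute(incidents, threshold=LINK_THRESHOLD):
    """Map each case to the known actors in its cluster (empty set = unattributed)."""
    result = {}
    for group in cluster(incidents, threshold):
        actors = {incidents[c]["actor"] for c in group if incidents[c]["actor"]}
        for case in group:
            result[case] = actors
    return result


if __name__ == "__main__":
    commodity = commodity_indicators(INCIDENTS)
    print("commodity (ignored):", sorted(commodity))
    for a, b in combinations(sorted(INCIDENTS), 2):
        naive = link_score(INCIDENTS, a, b)[0]
        filtered, shared = link_score(INCIDENTS, a, b, commodity)
        print(f"{a}-{b}: naive={naive:.1f} filtered={filtered:.1f} shared={shared}")
    for case, actors in sorted(attribute(INCIDENTS).items()):
        print(case, "->", ", ".join(sorted(actors)) or "unattributed")
```

Running it shows why the prevalence filter matters: without it, case-A and case-C score 4.0 on nothing but a public resolver and a public tool and would be wrongly linked, while with it only case-A and case-B, which share a C2 address and the certificate on it, cluster together; case-D, sharing a single RAT hash with case-C, stays unattributed.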