Yahoo says hack of 500 million users "state-sponsored," but a security firm calls bullshit

So, that huge hack of 500 million Yahoo user accounts last week that Yahoo blamed on a "state-sponsored actor"? A private internet security firm is calling bullshit on the "state-sponsored" part.

The hack of more than 500 million account credentials was the work of an Eastern European criminal gang, claims InfoArmor.

The Arizona-based firm released a report Wednesday challenging Yahoo's claims that a nation-state actor was behind the data heist.

Dustin Volz at Reuters writes:

InfoArmor, which provides companies with protection against employee identify theft, said the hacked trove of user data was later sold to at least three clients, including one state-sponsored group.

Reuters was unable to verify the report's findings. Yahoo declined comment. The Federal Bureau of Investigation, which is investigating the hack, did not return a call seeking comment.

A U.S. government source familiar with the Yahoo investigation said there was no hard evidence yet on whether the hack was state-sponsored. Attribution for cyber attacks is widely considered difficult in both the intelligence and research communities.

The task is made especially challenging by the fact that criminal hackers sometimes provide information to government intelligence agencies or offer their services for hire, making it hard to know who the ultimate mastermind of a hack might be.

After examining a small sample of the compromised accounts, InfoArmor decided the hackers known as "Group E" were criminals rather than spies. Andrew Komarov, the firm's chief intelligence officer, said in an interview Wednesday that "Group E" has a history of offering stolen user data for sale on the so-called "dark web." Reuters reports that they're linked to earlier hacks of LinkedIn, Tumblr and MySpace.

"They have never been hired by anyone to hack Yahoo," Komarov added. "They were simply looking for well known sites that had many users."

The details of Komarov's report methodology are interesting reading. Here are his conclusions, at the end of the InfoArmor report:

The actual Yahoo data dump is still not available on any underground forums or marketplaces, and has been distributed from so called Group "E" to one of their proxies for further monetization based on the sale of particular records from the dump, which can be delivered based on the specific criteria of the buyer (login, recovery e-mail, geography, etc.).

According to InfoArmor, the data theft of the Yahoo customer database may be the key in several targeted attacks against US Government personnel, which resulted after the disclosed contacts of the affected high-level officials of intelligence community happened in October 2015. It should be noted that after the LinkedIn breach, the company acted proactively by notifying their subscriber base and implementing new security measures to avoid further incidents.

InfoArmor recommends that the Security Community use appropriate due diligence in evaluating any threat actor claims regarding legitimate data sources. Given the nature of the relationships between threat actor groups, proxy organizations and parsing of data, as shown above, enterprises, agencies and individuals are encouraged to be on high alert for espionage, infiltration, and impersonation. InfoArmor will continue to monitor this situation and provide further updates as pertinent information becomes available.

In equally embarassing news for Yahoo and CEO Marissa Mayer, leaks are making their way out about how little of a priority the company is said to have placed on the security of the many millions of people around the world who use Yahoo. Security simply took a back seat to profits, no matter how hard the security experts Yahoo hired fought.