Last week was huge in terms of media attention on information security. I spent pretty much the entire day on Friday just talking to media the world over about Yahoo. Of course this was all on the back of them coming forward and acknowledging that it appeared they’d lost half a billion records a couple of years back, which would put it firmly in the number one spot in terms of the largest ever data breach by record numbers. But it’s not the raw numbers that left many people scratching their heads, it’s the attribution.
The words Yahoo used were that “a copy of certain user account information was stolen from our systems in late 2014 by what we believe is a state-sponsored actor”. To be clear, when we say “state sponsored” we’re talking about actions performed on behalf of a government. Attribution of this nature is very serious; it’s one thing to say malicious activity is coming from a particular country, it’s quite another to say that it’s a planned attack with government support. But in Yahoo’s case, what on earth would be of interest to governments? Let’s look at two precedents.
In 2010, the Tunisian government attempted to steal the entire country’s Facebook passwords. They did this by exploiting the fact that at the time, the Facebook login page loaded insecurely and didn’t use an HTTPS connection. The password itself was posted securely once the user logged on, but the insecure page left an opportunity for the Tunisian government to intercept Facebook traffic and drop a keylogger into the login page before it hit the users’ browsers. Once passwords were obtained the government could spy on personal communications from activists within the country, take down political protest pages and even delete entire accounts.
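As an added illustration (not code from the original post), here is a small Python check for exactly the weakness that paragraph describes: a login page delivered over plain HTTP, a password form that posts over plain HTTP, and a missing HSTS header that would let a browser keep loading the cleartext version. The URL, headers and HTML it audits are constructed for the example.

```python
"""Audit a login page for the weakness the Tunisian interception relied on:
a login form delivered over plain HTTP, even when it POSTs over HTTPS."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login page that posts to HTTPS but is itself served over HTTP.
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://www.example.test/login.php">
  <input name="email" type="text">
  <input name="pass" type="password">
</form>
</body></html>
"""


class _FormFinder(HTMLParser):
    """Collect every <form> that contains a password field, with its action URL."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, response_headers, html):
    """Return a list of findings (strings) for a login page fetched from page_url.
    response_headers is a dict of response headers; an empty list means nothing was flagged."""
    findings = []
    headers = {k.lower(): v for k, v in response_headers.items()}
    if urlsplit(page_url).scheme != "https":
        findings.append("login page delivered over plain HTTP")   # anyone on the path can rewrite it
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header")    # browser will load HTTP next time
    parser = _FormFinder()
    parser.feed(html)
    for form in parser.forms:
        if form["has_password"]:
            action = urljoin(page_url, form["action"] or page_url)
            if urlsplit(action).scheme != "https":
                findings.append(f"password form posts over plain HTTP: {action}")
    return findings
```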
The following year saw a state-sponsored attack by the Iranian government against the Dutch certificate authority DigiNotar. The government there was after exactly the same thing as the Tunisian government, namely the private communications of its citizens made on a large foreign web asset. By compromising a CA they were able to fraudulently issue certificates which could be used to intercept Gmail traffic that was otherwise strongly encrypted. Like Facebook, Gmail is obviously a rich source of private communications of the kind that a government like Iran would love to get a piece of.
When you consider those two precedents in the context of the Yahoo attack, you can see why it would be a valuable asset. Even though Yahoo was well and truly past its heyday when the attack occurred in 2014, it remained (and still remains today) one of the world’s largest email providers, and that makes it an extremely valuable target for governments of this ilk.
Yahoo is being tight-lipped about which state they believe sponsored the attack and obviously there’ll be some rather serious law enforcement investigations ongoing for some time. We may well find out sooner or later though – attribution to North Korea for the Sony Pictures attack was willingly made quite early by the US government – and it will be yet one more example of just how valuable online assets are becoming to governments and the lengths they’re willing to go to in order to compromise them.