Yahoo Breach: The Great 'Nation-State' Cop OutBlaming Russia - Not Hacktivists, Insiders or Incompetence - Is Easy
Asked to explain the data breach that compromised 500 million of its users' accounts, Yahoo appears to be trying to blame Russia. Of course, that would be an easy face-saving exercise for a publicly traded firm currently negotiating its $4.8 billion sale to Verizon.
In Yahoo's Sept. 22 breach notification, company CISO Bob Lord wrote: "A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor."
Never attribute an attack to a nation-state, and if someone does, exercise caution.
Now, referencing "a person familiar with the matter," The Wall Street Journal reports that Yahoo detected the attack - several weeks after it occurred - in the fall of 2014, believed that it had been launched from Russia and said it seemed to be seeking data relating to up to 40 specific users of its service. At the time, Yahoo also reportedly notified the FBI.
The story is careful to note that it's not clear that the breach that was detected in late 2014 was tied to the attack that resulted in the theft of half a billion credentials. A Yahoo spokesman, while telling me that "our investigation into this matter is ongoing and the issues are complex," declined to comment on the claims contained in the Wall Street Journal report,
But of course, the story raises this suggestion: Maybe the Russians did it.
Attribution: Who Stands to Gain?
Here's why that suggestion should raise a warning flag: Security experts have long cautioned that attributions are political, not technical, in part because accurately tracing attacks back is notoriously tricky. Clues are easy to fake, motives are murky, mercenaries may have been at work - selling their spoils to the highest bidder - and really, the only upside of blaming a government involves diplomatic moves or political figures furthering their own domestic or foreign agendas.
In other words, never attribute an attack to a nation-state, and if someone does, exercise caution.
Unless, of course, you're the CEO of a breached organization, in which case foreign governments make ideal scapegoats for what might have simply been a bout of IT incompetence revealed by some SQL-database-dumping, script-kiddie shenanigans.
Indeed, when seeking someone to blame for a breach, Jeffrey Carr, CEO of counterintelligence software vendor Taia Global, says in a blog post that the course of action is too often predictably clear. Namely, CEOs don't want to blame hacktivists, because it will make it look like their firm got owned by bored teenagers - as with TalkTalk and thousands of other breaches. Blaming insiders is also to be avoided, because it means that their organization would have failed to heed related warning signs, as in the case of the National Security Agency and Edward Snowden.
Instead, the easy money when betting on how a company will attempt to spin the narrative of its breach - beyond employing the typical boilerplate that it was "advanced," "sophisticated" and thus predestined to succeed - is to predict that it will blame a foreign country.
"If you can blame a nation-state by calling the actors 'state-sponsored,' then you cannot be held responsible," Carr says. "You'd be the victim of a military organization or an intelligence service with vast funding and sophisticated capabilities that could overcome any corporate network." Such story lines can feed the goals of everyone from the firm's CEO, to politicians, to incident response firms, who all stand to gain in publicity - or deflected blame - thanks to the machinations of overseas bad guys who want to destroy our way of life. And so on.
At What Price, a Missed Mega-Breach?
Just because reports in some business newspapers insinuate which bad guys were involved doesn't mean that people are buying in. Yahoo's claim that it was hacked by a state-sponsored adversary, notably, has sparked skepticism - to put it mildly - among some of our readers.
Meanwhile, the breach - and Yahoo's two-year delay in warning users - has some security experts calling for blood. "I really hope Verizon drastically drops the price they are paying for Yahoo," John Pescatore, director of emerging security trends at the SANS Institute, says in a recent SANS newsletter.
In late July, Verizon agreed to buy Yahoo's operating businesses for $4.8 billion.
Yahoo's Sept. 8 preliminary proxy statement relating to the deal notes that Yahoo isn't aware of any "security breaches, unauthorized access or unauthorized use of any of seller's or the business subsidiaries' information technology systems or ... loss, theft, unauthorized access or acquisition, modification, disclosure, corruption or other misuse of any personal data in seller's or the business subsidiaries' possession."
Accordingly, expect publicly traded Yahoo to now face sharp breach-related questions about what it knew and when, and what it didn't know - and why. Also, it's likely that Verizon will demand a discount over what's currently the biggest known breach in history.
"A big drop in acquisition value because of this would be a good wake-up call to other boards of directors," Pescatore says.
Update (Sept. 26, 2016): This blog has been updated with comment from Yahoo.