Andrew Komarov, a noted cyber-security researcher with InfoArmor based in Scottsdale, Arizona, not only discovered the latest stolen cache of Yahoo user information and turned it over to the government, which in turn notified Yahoo. But he also discovered one of the most troubling aspects of the hack:
More than 150,000 U.S. government and military employees were among the victims of the massive data breach, the second announced by Yahoo since October. That means the names, passwords, telephone numbers, security questions, birth dates, and backup e-mail addresses of government workers were now compromised, creating a window for bad actors and foreign spies to identify employees doing sensitive and high-security work here and overseas, posing a threat to national security.
“We found that the Yahoo dump had a very big number of users who worked for the government or military and used Yahoo for personal purposes,” Komarov said in an interview Thursday. Hackers, he said, could easily find the secondary email used for password recovery and that would lead them to the user’s governmental – and perhaps high-security – identity. “And it wasn’t just the US users; we found a big number of government employees in the UK, Australia and Canada, too.”
Bloomberg News reviewed the database that Komarov discovered and confirmed a sample of the accounts for accuracy. The thought that employees of government agencies like the NSA may have had their personal information stolen immediately sent chills through the security community. Lonny Anderson, former technology director for the NSA, told Bloomberg “we went to great lengths to keep the fact people worked at NSA as low-profile as we possibly could. The last thing we’d want is an alpha list of NSA employees.”
The story of how Komarov discovered the hack reads like a spy thriller played out in the dark reaches of the Internet’s criminal community. As his company’s website puts it: “When bad actors breach usernames, passwords, or email accounts they can gain root access to networks, systems, applications and data to steal proprietary information, cause catastrophic disruption of business and facilitate widespread fraud. InfoArmor goes where the criminals lurk to monitor the bad actors on dark web forums and gathers intelligence from these dark/closed sources.”
In the Yahoo case, the web where the bad guys roamed was very dark indeed. Since government and military employees had given their work information to Yahoo, the 2013 hack into the search giant’s digital vault produced a gold mine for the hackers. Last August, Komarov got wind of the database that hackers had taken from Yahoo and were trying to sell online, asking for $300,000 for a cache of logins for up to a billion users.
As the chief intelligence officer for InfoArmor, Komarov gets paid to infiltrate cybercrime rings and assist law enforcement and his private-industry clients to safeguard their private data and, if it’s stolen, to track it down. In this case, Komarov had been on the trail of a group of cybercriminals in Eastern Europe that he calls Group E. Earlier this year, he discovered that the group was putting a huge Yahoo stash up for sale, selling the database to three different buyers. He intercepted the database in the middle of the sales and found that two of the buyers were huge underground spamming groups.
The third, however, was more troubling and set off a red flag for the cyber-sleuth from Arizona.
Komarov saw that this buyer had made an unusual request of the seller: The buyer produced a list of ten names of U.S. and foreign government officials and industry executives, asking Group E to verify that their logins were included in the stolen online loot or else no deal. This signaled to Komarov that the buyer must be an agency involved in foreign intelligence.
“The third buyer was potentially a foreign intelligence organization because the questions they were asking were very specific,” he said, referring to the request that the seller verify that specific government employees’ names were included in the dump. ”This was very concerning to me because with any state-supported actor these government and military employees would be their first target. And since the incidence was not disclosed by Yahoo for three years, that means people were using the Yahoo database to possibly monitor these individuals.”
While it’s unknown whether specific government workers were – or are still – being digitally followed by foreign spies, Komarov calls the matter “‘really serious.”
“I have no doubt that someone among those 150,000 US employees in the database have already been compromised,” he said.
In a press release, Yahoo said, “As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.”
Komarov, who’s been acclaimed by his fellow cyber detectives as one of the best in the business, has worked for private and public sectors, investigating major financial crimes, human and drug trafficking cases and has been involved in collaborating with anti-terrorism operations with International law enforcement agencies. Among other accomplishments, Komarov was responsible for cracking open two high-profile malware cases that were used in several attacks against US retailers. In 2014, Mr. Komarov was listed in “Reboot 25: Threat seekers,” a compilaiton of the top threat intelligence researchers by SC Magazine.
In the Yahoo case, Komarov said the suspects have probably never even met in person, but are experienced hackers who choose as their targets data-rich email providers like Yahoo whose accounts are desirable because they’re easy to sell and they sell for a lot. Other victims have included Dropbox and MySpace, along with popular Russian social-media site VK.com.
The Yahoo hack is particularly worrisome, considering how bad guys who get their hands on the government employee data and target inviduals working for, say, the FBI or CIA.
“The Yahoo hack makes cyber espionage extremely efficient,” Komarov told Bloomberg this week. “Personal information and contacts, e-mail messages, objects of interest, calendars and travel plans are key elements for intelligence-gathering in the right hands. The difference of the Yahoo hack between any other hack is in that it may really destroy your privacy, and potentially have already destroyed it several years ago without your knowledge.”
