Yahoo has revealed in a filing to the US Securities and Exchange Commission that some of its staff knew that a state-sponsored hacker had accessed its systems shortly after the attack in 2014.
In the section titled “Security Incident”, Yahoo said it commissioned reviews of the company's “network and data security” which included “a review of prior access to the Company's network by a state-sponsored actor that the Company had identified in late 2014.”
This may come as a shock to some, as Yahoo had said it first discovered the cyber-attack in August 2016, a month after Verizon agreed to acquire the company's core assets.
The attack saw the details of 500 million Yahoo users leaked onto the internet. Some commentators have said the news now casts doubt on the certainty of Verizon's US$4.8 billion (£3.9 billion) deal to buy the past-its-prime tech firm.
According to the Financial Times newspaper, Verizon is not currently commenting on Wednesday's filing; however, it has previously said it wants to know whether the attack will have a material impact on Yahoo. Back in mid-October, Verizon's general counsel Craig Silliman confirmed the company had a “reasonable basis” to believe that it has.
The papers filed yesterday are the result of some members of Yahoo's board launching an investigation regarding the security breach six weeks prior, looking into “the scope of the knowledge within the company in 2014”.
According to the filing, those conducting the investigation said Yahoo did not initially understand the full scope of what had happened because of the sophisticated nature of the attack.
In response, it brought in outside experts to investigate the claim of a separate breach, which turned out to be false, and it was at this point that it developed a more complete picture.
Confirmed by the filing is that the forensic experts are investigating whether or not the intruder, who is possibly the same entity, created cookies “that could have enabled such intruder to bypass the need for a password to access certain users' accounts or account information.”
The company also said in the filing that law enforcement agencies had begun sharing data purporting to be Yahoo account information which had been provided by a hacker. It is not clear whether this information is thought to be from the same attack or a separate one.
Neil Fraser, head of space & comms / UK Manager at ViaSat told SCMagazineUK.com: “This ongoing saga from Yahoo has laid bare the true cost of cyber-attacks. The real risk doesn't necessarily come from loss of intellectual property, or damage to business operations, but rather the ongoing harm to the organisation's reputation.”
Research conducted by security company Venafi Labs in the immediate aftermath of the announcement of the breach in September 2016 showed that Yahoo had not taken the action necessary to ensure it was no longer exposed, and that the hackers did not still have access to its systems and encrypted communications.
Venafi said Yahoo was still using a hash algorithm (MD5) that has been known to be vulnerable for many years.
Venafi Labs analysed data from TrustNet, a global database of certificate intelligence, and found that 27 percent of the certificates on external Yahoo! websites had not been reissued since January 2015.
Only 2.5 percent of the 519 certificates deployed have been issued within the last 90 days, so it's likely that Yahoo! did not have the ability to find and replace digital certificates quickly.
Some 41 percent of the external Yahoo! certificates in the TrustNet data set used SHA-1, a hashing algorithm that is no longer considered secure against well-funded opponents. The major browser vendors have stated that they will stop accepting SHA-1 certificates in January 2017.
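The three figures Venafi reports above (share of certificates signed with a deprecated hash, share not reissued since a cutoff date, share issued within the last 90 days) are the kind of metrics any organisation can compute from its own certificate inventory. The script below is an added example, not code from the article or from Venafi; it audits a constructed CSV export (placeholder hostnames under the reserved `.test` domain, invented dates) and also lists the weak-signature certificates that would still be in service on the January 2017 browser cut-off for SHA-1, since those are the ones that need replacing rather than merely letting expire.

```python
"""
Added example, not part of the SC Magazine article or Venafi's tooling:
audit a certificate inventory for the weaknesses the article describes,
namely MD5/SHA-1 signature algorithms, certificates not reissued since a
cutoff date, and the share issued within the last 90 days. The inventory
below is constructed sample data; hostnames and dates are placeholders.
"""
import csv
import io
from datetime import date, timedelta

# Signature algorithm names as they appear in a typical inventory export
# (OpenSSL long names). MD5- and SHA-1-based signatures form the weak set.
WEAK_SIGNATURE_ALGOS = {
    "md5withrsaencryption",
    "sha1withrsaencryption",
    "ecdsa-with-sha1",
    "dsawithsha1",
}

# Date the audit is run against (fixed so the report is reproducible).
AUDIT_DATE = date(2016, 11, 10)

# Constructed sample export: one row per externally facing certificate.
SAMPLE_INVENTORY = """\
host,not_before,not_after,signature_algorithm
www.example.test,2014-11-03,2017-11-03,sha1WithRSAEncryption
mail.example.test,2016-08-15,2018-08-15,sha256WithRSAEncryption
login.example.test,2015-06-20,2016-12-19,sha1WithRSAEncryption
api.example.test,2013-02-11,2018-02-11,md5WithRSAEncryption
cdn.example.test,2016-03-01,2017-03-01,ecdsa-with-SHA256
legacy.example.test,2012-09-30,2016-12-31,sha1WithRSAEncryption
news.example.test,2016-10-28,2017-10-28,sha256WithRSAEncryption
shop.example.test,2015-12-12,2017-12-12,sha256WithRSAEncryption
"""


def parse_inventory(text):
    """Parse the CSV export into records carrying real date objects."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "host": row["host"].strip(),
            "not_before": date.fromisoformat(row["not_before"].strip()),
            "not_after": date.fromisoformat(row["not_after"].strip()),
            "signature_algorithm": row["signature_algorithm"].strip(),
        })
    return records


def is_weak_signature(algorithm):
    """True for MD5- or SHA-1-based signatures, matched case-insensitively."""
    return algorithm.lower() in WEAK_SIGNATURE_ALGOS


def audit(records, today, reissue_cutoff=date(2015, 1, 1), recent_days=90):
    """Compute the three metrics the article reports, as percentages."""
    total = len(records)

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    weak = [r for r in records if is_weak_signature(r["signature_algorithm"])]
    # not_before is the issuance date: a certificate issued before the
    # cutoff has, by definition, not been reissued since it.
    stale = [r for r in records if r["not_before"] < reissue_cutoff]
    recent = [r for r in records
              if today - r["not_before"] <= timedelta(days=recent_days)]
    return {
        "total": total,
        "weak_signature_pct": pct(len(weak)),
        "not_reissued_since_cutoff_pct": pct(len(stale)),
        "issued_last_90_days_pct": pct(len(recent)),
        "weak_hosts": sorted(r["host"] for r in weak),
    }


def weak_certs_in_service_on(records, deadline=date(2017, 1, 1)):
    """Weak-signature certificates still valid on the deadline (the browser
    SHA-1 cut-off the article mentions). These must be replaced; weak certs
    expiring earlier rotate out on their own but should still not be renewed
    with the same algorithm."""
    return sorted(
        r["host"] for r in records
        if is_weak_signature(r["signature_algorithm"])
        and r["not_after"] >= deadline
    )


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    report = audit(inventory, today=AUDIT_DATE)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("replace before 2017-01-01:", weak_certs_in_service_on(inventory))
```

Run against a real export, the interesting number is usually the last one: a large "weak" percentage is tolerable only if those certificates expire before the deadline and the renewal pipeline is known to issue SHA-256 replacements, which is exactly the capability the Venafi figures suggest Yahoo lacked.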
Alex Kaplunov, vice president of engineering for Venafi told SCMagazineUK.com: “In our experience major breaches, such as the one suffered by Yahoo!, are often accompanied by relatively weak cryptographic controls. To confirm this assumption we took an in-depth look at externally facing Yahoo! web properties and the details of how these sites are using cryptography. We found the encryption practices on these properties to be relatively weak. This is not surprising. In our experience most enterprises, even global brands with deep cyber-security investments, have weak cryptographic controls.”