It doesnt fit the normal intent of state-sponsored attacks, some experts say, pointing to the lack of detailed information from Yahoo about the hack
If Yahoo is to be believed in its assertion that a nation-state hacked into its network and made off with user data from 500m accounts, then there are a few obvious suspects, including China and Russia.
However, Yahoo has not provided any detailed information about the attack, leading some security experts to raise questions over its origin. Why would nation-states be interested in or motivated to hack Yahoo?
It doesnt fit the normal intent or objectives of nation-state attacks. Its not really espionage, its not retaliation, sabotage or for financial gain, said Constant Karagiannis, chief technology officer of Security Consulting at BT Americas.
Its less embarrassing for Yahoo to attribute an attack to a nation state, which typically have the most sophisticated hacking capabilities, than to attribute it to a cybercriminal group or individual particularly as Yahoo is in the middle of being acquired by Verizon for $4.8bn.
Instead of 10-15 people in a basement working together you are talking about 10,000-15,000 cyber warriors working over the course of a few weeks, he said.
Another US-based academic security researcher, who did not wish to be named, said: I dont buy it at all. I absolutely reject out of hand that it was state sponsored.
He did not think that Yahoo was being untruthful about the breach, but suspected that the investigation teams may have fallen victim to confirmation bias.
They are thinking it must be a state sponsor and they look in their logs as they do forensics with this expectation. Its very likely they saw something associated with other attacks linked to a state and connected the dots, he said.
Dan Tentler, founder of Phobos Group, used to work with Bob Lord, Yahoos chief security officer, when he was at Twitter.
In his defense he was handed a pre-compromised infrastructure, Tentler said, referring to the fact that the Yahoo breach took place in 2014 and Bob Lord only joined Yahoo in October 2015. But he was unable to detect attackers on the network he inherited.
The Guardian understands Yahoo only detected the breach after investigating an earlier alleged breach of 200m user account details. A hacker called Peace posted the data, claiming it was from Yahoo user accounts, on to a dark web marketplace, the Real Deal.
While investigating this alleged hack, Yahoo discovered the much bigger breach announced on Thursday. The Guardian has learned Yahoo has consulted highly respected forensic friends to deduce that this was a state-sponsored attack.
Not everyone is so skeptical about the attribution. Jeremiah Grossman, the chief of security strategy at SentinelOne, said: There are certainly questions to be answered around Yahoos claim that this was a state-sponsored hacker and theyve provided no evidence to back up their statement.
That said, Im very familiar with those who work on Yahoos security team, who are very competent and experience. As such, Im inclined to give them the benefit of the doubt.
Senior research scientist Kenneth Geers from Comodo added: Yahoo is a strategic player on the world wide web, which makes it a good and valid target for nation-state intelligence collection.
Yahoo declined to comment.