The findings by the cyber security firm InfoArmor are consistent with Yahoo officials' claim last week that a state-sponsored actor was behind one of the largest corporate breaches in U.S. history.
Yet InfoArmor's version of events, if accurate, provides significant new details about how and why the company was hacked. Minor league hackers who were peddling Yahoo users' personal information for cash in "dark web" marketplaces were also part of a foreign government espionage campaign dating back to 2014. And the findings also suggest that hacks of LinkedIn, Dropbox, MySpace and other firms -- breaches affecting billions of customers worldwide -- might've been part of the same state-sponsored effort.
In an interview with NBC News prior to the release of his firm's findings, InfoArmor's chief intelligence officer Andrew Komarov described the Yahoo breach as part of a larger, ongoing campaign to break in to the email accounts of prominent officials from the U.S. and across the globe.
He said that his analysts have uncovered a previously unidentified collective of elite black hat hackers-for-hire from Eastern Europe -- a group that InfoArmor analysts now contend was also responsible for hacks of the other social media companies.
Komarov said that a state-sponsored actor from Eastern Europe commissioned and later paid the hacker collective $300,000 for the Yahoo data trove. He said he didn't know if the hacks of the other social media companies were also commissioned by a state-sponsored actor, but believed it was likely. He also said he didn't know if the state that directed the hacks was Russia, or if the state-sponsored actor that paid the hackers was a Russian intelligence agency or some other arm of the Russian government, but that Eastern European hackers often have links to the Russian government.
Eastern European operatives tied to Russia's intelligence agencies have been widely suspected by cybersecurity researchers of multiple efforts to hack U.S. government officials' email accounts and the accounts of Democratic party operatives.
Komarov said that InfoArmor's conclusions that the hackers who attacked Linkedin and other companies were also responsible for the Yahoo breach are based on an extensive intelligence analysis, underground contacts and information gleaned from multiple sources surrounding the Yahoo hack. His firm went into dark web chatrooms and made contact with hackers advertising Yahoo addresses for sale who said they were involved in the breach, and accessed and validated what Komarov described as a "large sample" of the stolen Yahoo data.
Yahoo's confirmation last week of the massive breach has placed the tech giant at the center of a storm of controversy and unanswered questions, and could jeopardize the company's imminent $4.8 billion sale of its core business to the telecom giant Verizon.
It remains unclear how long and how much Yahoo officials knew about the breach before publicly acknowledging it. Company officials have said that Yahoo became aware of the breach in August, and began to investigate. Experts have said that it's not uncommon for a company of Yahoo's size to withhold disclosure of a suspected breach until an internal forensic investigation has been complete.
Last week, Yahoo's chief information security officer, Bob Lord, said that an internal probe had determined that usernames, email addresses, telephone numbers, dates of birth, security questions and answers, and in some cases passwords were harvested from more than 500 million compromised Yahoo accounts.
Lord said in a blog post that the company does not believe that banking or payment information was stolen, and has found no evidence to indicate that the hackers remain inside Yahoo's systems.
Yahoo declined to comment.
"Island-Hopping" To Reach U.S. OfficialsKomarov said that the apparently state-sponsored actor involved in the heist was using an indirect but increasingly common strategy known as "island-hopping" or "leap-frogging" to reach its ultimate targets. Rather than going after U.S. and other government officials directly, the aggressors used the data from the hired black-hat hackers to breach the Yahoo accounts of friends, family and associates of their ultimate targets.
Once inside compromised Yahoo accounts, hackers can email or respond to their targets directly with seemingly legitimate Yahoo emails that are virtually indistinguishable from real ones.
"The target will receive the exact same email from the Yahoo user and, for him, it will look legitimate," Komarov said.
"Then you simply hack the Yahoo account's contacts, and then analyze the [emails] sent from the real object of interest. At some point you replace [a legitimate Yahoo email sent to a target] and fill it with malware," he said. Once the end target clicks on a link or an attachment in the infected Yahoo email, hackers can get inside the target's account.
From Foreign Espionage to Dark Web MarketplacesKomarov said that the state-sponsored actor appears to have been working with the black hat hacker collective -- which the InfoArmor team has dubbed "Group E" -- for at least several years.
He said that his analysts have determined that Group E was also responsible for earlier, high-profile hacks of LinkedIn, MySpace, Dropbox, the music-streaming service Last.fm, the microblogging site Tumblr and others -- likely for the same purpose of identifying trusted third parties surrounding their real targets. Tumblr was purchased by Yahoo in 2013.
"If you calculate all the victims for all these hacks by the same group, it will be several billion victims," Komarov said.
InfoArmor has determined that at least some of the hacks of the other tech firms "were requested of Group E…so we assume that the Yahoo breach was one of the tools used for successful attacks against U.S. government officials."
Komarov said that in recent years the state sponsored actor approached Group E and asked them to hack millions of Yahoo email users' accounts. They provided Group E with specific email addresses they were seeking, and when they were turned over and verified, the foreign agent agreed to purchase the entire trove, he said.
The agent had initially sought exclusive access to the stolen Yahoo data set, but balked at Group E's $500,000 price. Instead, Group E brought the price for the Yahoo trove down to $300,000, and retained the right to peddle the hacked emails elsewhere.
Komarov told NBC News that the Yahoo trove was later sold off to two well-known spammers, who exploited it for profit.
After it had been sold off and mined for months, Group E appears to have provided a low-level but well-known hacker named Tessa88 with mostly useless leftovers from the Yahoo trove to further distance the foreign agent from the Yahoo hack, Komarov said.
Tessa88 began advertising Yahoo data for sale on a Russian-speaking dark web marketplace, and appears to have partnered with a hacker who goes by the handle "Peace," or "Peace of Mind," to do the same in an English-speaking online marketplace called The Real Deal, according to InfoArmor.
It was only when Peace began advertising the Yahoo trove for sale that the company apparently became aware that they had been breached.
InfoArmor's report describes the entire enterprise as "carefully orchestrated in order to mask the actual sources of the hacks."
"Hands in the Cookie Jar"An independent cybersecurity expert, who was briefed by NBC News on the upcoming report -- with the permission of InfoArmor -- said the firm's conclusions are consistent with what the cybersecurity community has privately postulated about the Yahoo hack.
"The story overall has a legitimacy to it," said Ann Barron-DiCamillo, chief technology officer for Strategic Cyber Ventures, who recently retired as director of the U.S. Department of Homeland Security's Computer Emergency Readiness Team (U.S. CERT).
"If you look at when the data was stolen, because the data was stolen in 2014 and never [until recently] showed up for sale on these [dark web] markets, there's usually going to be a nation-state involved," Barron-DiCamillo said on Tuesday.
"Nation-state actors like to have a degree of separation, so their hands are not in the cookie jar if they get caught. You're seeing them more and more leveraging others. Plus there's the fact that the [Yahoo] data wasn't quickly monetized." She said that with large scale hacks like those of Yahoo email users, the attackers must move quickly to profit off the theft.
If the motive is pure profit, hackers "are going to want to monetize [the data] so quickly, because it has a short shelf-life in terms of its value."
Barron-DiCamillo said that she wouldn't be surprised to see a nation-state haggle over the price for a data dump it had commissioned.
"It's just like any other business transactions," she said. "It feels different because the outcome is a little unusual, but it's just like any other business transaction."