Five hackers are behind the most recent tech company hacks, according to a report from a cybersecurity research firm. This finding was announced after the recent Yahoo breach where a link was discovered, connecting the breach to previous exploitations.
Andrew Komarov, Chief Intelligence Officer of InfoArmor claims many of the reports on recent database breaches are considerably inaccurate. The hacks executed against Yahoo, Dropbox, LinkedIn, and Tumblr are all attributed to “Group E,” a small European hacking group. The Group E hackers perform large-scale database breaches and profit from selling the information to the highest bidder.
In an interview with the The Register, Komarov says that Group E deals with brokers to sell the massive data hauls. One such broker is registered on several underground communities as “tessa88.” Tessa88 was the first recorded individual to mention Yahoo had been hacked and that accounts were for sale. The broker then acted as a proxy between Group E and potential buyers on the deepweb.
Shortly after the LinkedIn breach was publicized, tessa88 posted on an underground forum that Yahoo credentials were available. By following conversations on these hidden forums, InfoArmor was able to discover the aforementioned connection between breaches.
The forum user who routinely interacted with tessa88 proceeded to list the database dumps for sale on various marketplaces. In this case, the listings were posted on TheRealDeal marketplace.
The actor “Peace_of_Mind” (PoM), well known for his activities at “The Real Deal Market” (TRDM) and “The Hell” forum, after identifying his post regarding the stolen data at one of the underground forums, contacts tessa88 and proposes some sort of cooperation [partnership] in exchange for some of his data.
Subsequent to this engagement, the databases initially published for sale by tessa88 are then resold by Peace_of_Mind in TOR network at TRDM. This is an interesting example of cooperation between a Russian speaking threat actor and an English speaking actor, demonstrating that cybercrime is an entirely transnational issue.
By following this pattern, InfoArmor found that the most recent database breaches ended up for sale on TheRealDeal or the Hell Forum. The vendors who published the listings directly corresponded with tessa88. Komarov says tessa88 is the main connection between Group E and a second group known as “For Hell.”
The second group of hackers, using the same broker, consists of high profile hackers behind similarly scaled data breaches. One of the most recognizable members is thedarkoverlord (TDO), the notorious electronic healthcare record hacker. TDO hacked millions of healthcare records from companies spanning the United States and is the subject of several major investigations.
The majority of the data sold by the For Hell group of hackers is simply data redistributed from Group E. An example of this can be seen in the relationship between Peace_of_Mind (POM) and tessa88. Following forum exchanges between the two, POM lists breached databases on TheRealDeal marketplace.
The relationship between POM and tessa88 has been well-established by InfoArmor. However, the security firm identifies some distrust between tessa88 and the For Hell group:
Peace_of_Mind also makes claims regarding tessa88, as he determined that some of the acquired data was misrepresented or falsified, not including any additional information regarding successful decryption of hashes and/or having absolutely no relationship to resources he was claiming had been exposed. For example, “LeakedSource,” another partner of tessa88 acquired the same data through the chain of proxies and mentions that the published Dropbox dump for sale is actually Tumblr.
In August, POM listed the Yahoo dump on TheRealDeal marketplace.
Yahoo never announced or acknowledged a hack until after POM began advertising the Yahoo dump. While the validity of POM’s dump is still unknown, Komarov claims the Group E attack compromised likely double what Yahoo announced. Evaluating the Peace_of_Mind claims regarding 200,000,000 compromises, the actual database includes 500,000,000 Yahoo users. The entirety of the database hacked by Group E has not been published online.
The Yahoo dump sold by POM is provided in the following structure: