Cotabato State University

Master of Business Administration

Cotabato City

CASE STUDY ON CYBER KILL CHAIN, 2012-2016 YAHOO! DATA BREACH

JEHAN D. IBRAHIM - MBACC113

1
II. Table of Contents

i. Cover Page 1
ii. Table of Contents 2
iii. Executive Summary 3-5
iv. CSR Analysis 5-9
v. Problem Statement 9-11
vi. Indicators/Symptoms of the Issue 11-12
vii. Analysis Conducted 12-15
viii. Alternative Courses of Action 15-19
ix. Recommendation 18-21
x. References 21-24

III. Executive Summary

Yahoo!, in full Yahoo! Inc., is a global Internet services provider based in Sunnyvale, California, and owned by Verizon Communications since 2017. It was founded in 1994 by Jerry Yang and David Filo, graduate students at Stanford University in California. Yahoo! provides users with online utilities, information, and access to other Web sites.

In 2017, the Department of Justice (DOJ) charged the Russian Federal Security Service (FSB) with planning and executing a cyber-attack against Yahoo! Inc. The attackers gained access to Yahoo's computers providing web-mail and internet-related services in order to maintain unauthorized access and to steal information, including information regarding, and communications of, a wide array of Yahoo's users of interest to FSB operations (United States of America, 2017). The hack was significant for two reasons: first, it is currently the largest breach in history, with over 500 million accounts compromised; second, it is the first case in which the Department of Justice filed criminal charges in a cyber case against the Russian government (Williams, 2017).

It is important to note that the US government made a distinction between two separate hacking events disclosed by Yahoo in 2016. In September 2016, Yahoo disclosed a 2014 hacking event involving 500 million breached accounts. Then, months later in December 2016, Yahoo disclosed that 1 billion user accounts had been compromised starting in August 2013 (Newman, 2016). Due to the lack of information released by the US government regarding the hack disclosed in December 2016, this report can only include information regarding the hacks disclosed in September 2016.

This brief presents an explanation of how the Yahoo breach occurred, based primarily on the 39-page indictment filed in the United States District Court for the Northern District of California on February 28, 2017. Supporting information includes media reports and expert analysis.

This report analyzes the Yahoo data breach through the "Cyber Kill Chain®" (CKC) framework, an analytical tool introduced by Lockheed Martin in 2011. The framework was established by Lockheed's security team during an intrusion involving stolen credentials for their SecurID system (Higgins, 2013). The multi-million dollar system is designed to stop advanced persistent threats (APT) by providing barriers at each level of the attack process and data exfiltration phases.

The analysis proves that Yahoo missed opportunities along the CKC to stop the intrusion and prevent the largest data breach on record. Key points at which Yahoo failed to detect and stop the attack include, but are not limited to, the following:

- Executive-level apathy toward IT security, enabling all levels of attack on the CKC
- Lack of staff training against social engineering, which would prevent delivery and exploitation during the CKC
- Lack of encryption to hinder the attacker's reconnaissance efforts in the CKC: only some of the information in the UDB (user database) was encrypted, which provided a means of unauthorized access
- Lack of IDS mechanisms at the exploitation and C&C levels of the CKC
- Unreviewed privilege-escalation artifacts/logs at the exploitation level of the CKC
- Failure to detect malicious applications (e.g. log-cleaner, cookie-minting applications) at the installation level of the CKC
- Lack of antivirus or cyber threat intelligence to bolster defenses at all levels of the CKC

IV. CSR Analysis

A. Current Performance or Situation

1. Past corporate performance or Situation

Yahoo!, which includes features such as a search engine, an e-mail service, a directory, and a news branch, began as a simple collection of Yang and Filo's favourite Web sites. It was initially called "Jerry and David's Guide to the World Wide Web," but, as the site grew in popularity, it was renamed Yahoo!, an acronym for "Yet Another Hierarchical Officious Oracle." Incorporated in 1995, Yahoo! acquired various companies such as Rocketmail and ClassicGames.com, which eventually became Yahoo! Mail and Yahoo! Games, respectively. As one of the major players in the dot-com frenzy of the late 1990s, Yahoo! managed to survive the collapse of many Internet-based companies in 2001–02, but it sustained heavy economic losses.

Yahoo! battled Google—a major competitor in the search engine industry—for many years in an attempt to claim a larger share of the market. Yahoo! notably released its Yahoo! Instant Messenger, bought out the Internet photo network Flickr, included a myriad of other features, and acquired a 40 percent share of the Chinese e-commerce company Alibaba. Despite such moves, many of Yahoo!'s rivals endured. In February 2008 the Microsoft Corporation offered to buy Yahoo! for $44.6 billion, but this proposal was rejected by Yahoo!, and Microsoft then rescinded its offer. However, negotiations between the companies continued, and on July 28, 2009, an agreement was reached in which Yahoo! would use Microsoft's search engine, Bing, for its Web site and would handle premium advertisements for Microsoft's Web site, an arrangement scheduled to last for 10 years.

Amid growing financial struggles, Yahoo! hired Marissa Mayer as CEO and president in 2012. Although she had played a key role in the rise of Google, her efforts to turn Yahoo! around had little success. In 2016 it was announced that Verizon Communications would acquire the company's core assets, notably its Internet operations, for approximately $4.8 billion. However, the closing of the deal was delayed by the public announcement that Yahoo! had been subjected to a series of security breaches, which were said to have affected more than one billion user accounts; it was later revealed that all Yahoo! accounts (approximately three billion) had been compromised. The final sale, which was completed in 2017, was valued at approximately $4.48 billion. Yahoo! subsequently became part of the newly created subsidiary Oath, though it continued to exist as a distinct brand. The portion of Yahoo! that was not sold—notably its interest in Alibaba—was reformed as Altaba.

2. CSR postures of the Business

a. Yahoo's Mission Statement

"As a leader in global daily habits like email, entertainment, news and sports, we strive to inspire, delight and entertain. By infusing our products with beauty and personality driven by our users, every Yahoo experience feels made to order."

b. Yahoo's Vision Statement

Yahoo!'s vision is to be the center of people's online lives by delivering personally relevant, meaningful internet experiences.

c. Objectives of Yahoo Inc.

- Improve consumer and advertiser product quality and grow daily active users (DAUs)
- Drive continued growth in revenue realized through Mavens (mobile, video, native and social) to $1.8 billion this year
- Improve profitability to reach an adjusted EBITDA run rate of approximately one billion dollars by the second half of 2016
- Reduce operating expenses by more than $400 million by the end of 2016
- Limit GAAP revenue impact of product and regional exits to approximately $100 million
- Explore non-strategic asset divestitures that, if consummated, could generate in excess of $1 billion in cash, and
- Deliver increased value to shareholders, advertisers, and the more than one billion people who use Yahoo's products and services.

B. Corporate Governance

1. Board of Directors and Top Management

As of December 19, 2016

- Marissa Mayer – CEO
- Tor Braham (2016) – managing director and global head of technology, mergers and acquisitions at Deutsche Bank Securities
- Eric Brandt
- David Filo (2014) – co-founder, chief Yahoo and director, Yahoo! Inc.
- Eddy Hartenstein (2016) – non-executive chairman of the board of directors at Tronc
- Richard Hill – chairman of the board of directors at Tessera Technologies
- Catherine J. Friedman
- Vinny Lingham – co-founder & CEO at Civic
- Marissa Mayer (2012) – CEO, Yahoo! Inc.
- Thomas J. McInerney (2012) – former executive vice president and chief financial officer, IAC/InterActiveCorp
- Charles R. Schwab (2014) – chairman of Charles Schwab Corporation
- Jane E. Shaw (2014) – retired chairman of the board at Intel Corporation
- Jeffrey Smith (2016) – chief executive officer & chief investment officer at Starboard Value
- Maynard Webb (2012) – chairman, Yahoo; founder, Webb Investment Network; chairman and former CEO of LiveOps

V. Problem Statement

A. Statement of the Problem

The Internet service company Yahoo! was subject to the largest data breach on record. Two major data breaches of user account data to hackers were revealed during the second half of 2016. The first announced breach, reported in September 2016, had occurred sometime in late 2014 and affected over 500 million Yahoo! user accounts. A separate data breach, occurring earlier, around August 2013, was reported in December 2016. Initially believed to have affected over 1 billion user accounts, Yahoo! later affirmed in October 2017 that all 3 billion of its user accounts were impacted. Both breaches are considered the largest discovered in the history of the Internet. Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords. Further, Yahoo! reported that the late-2014 breach likely used manufactured web cookies to falsify log-in credentials, allowing hackers to gain access to any account without a password.

Yahoo! has been criticized for its late disclosure of the breaches and its security measures, and is currently facing several lawsuits as well as investigation by members of the United States Congress. The breaches impacted Verizon Communications's July 2016 plans to acquire Yahoo! for about $4.8 billion, resulting in a decrease of $350 million in the final price of the deal, which closed in June 2017.

Outline of events through the CKC (United States of America, 2017):

Phase I: FSB conspirators hire Belan to hack Yahoo. The objective is to gain entry to the Yahoo network and programs to establish an unauthorized persistent presence. Phase I includes Belan's operations on the network for personal gain.

Phase II: FSB conspirators mine Yahoo accounts using cookie-minting tools provided by Belan. The conspirators contract with Baratov to access non-Yahoo accounts. Baratov gains entry to non-Yahoo accounts using data stolen from the Yahoo network.

VI. Indicators/Symptoms of the Issue

Yahoo has confirmed a massive breach that compromised the personal information of 500 million of its users, affecting account holders of Yahoo Mail, Yahoo Finance, Yahoo Fantasy Sports, and Flickr. The tech giant was quick to issue a plan of action, with Yahoo chief information security officer Bob Lord posting an announcement on Tumblr on September 22. The post outlines the investigation, a protection plan, and security recommendations. Yahoo also confirms that user account information was stolen in late 2014, and the data may have included names, passwords, security questions and answers, as well as other personal information like dates of birth and email addresses. Lord's report noted that there is no evidence to suggest that user payment card data or bank account information was compromised—the system housing that information is believed to be unaffected.

According to the indictment, the hackers "sought access to accounts of employees of commercial entities, including executives and other managers of a prominent Russian investment banking firm...; a French transportation company; U.S. financial services and private equity firms; a Swiss bitcoin wallet and banking firm; and a U.S. airline" (United States of America, 2017). See Appendix II, titled "Yahoo Accounts & Non-Yahoo Accounts Targeted," for the full list.

The initial attacker, Belan, created additional programs for self-interest to "(a) create an online marketing scheme, by manipulating Yahoo search results for erectile dysfunction drugs; (b) by searching Yahoo user email accounts for credit card and gift card account numbers and other information that could be monetized; and (c) by gaining unauthorized access to the accounts of more than 30 million Yahoo users, the contacts of whom were then stolen as part of a spam marketing scheme" (United States of America, 2017). It appears that Belan's interest in compromising servers for financial gain enabled the FSB to establish a foothold in the Yahoo network.

VII. Analysis Conducted

SWOT Analysis of Yahoo!

Strengths

- Yahoo has the maximum number of users, and most of its revenue is generated through ads in Yahoo Mail
- Due to its large mail subscriber base, Yahoo is considered to be a powerful marketing company
- Yahoo is known for its web portal, search engine, Yahoo Finance, Yahoo Answers, Yahoo Mail, Yahoo Directory, etc.
- Its product portfolio includes Yahoo Messenger, Yahoo Mail, Yahoo Personals, Yahoo 360, Delicious, Flickr, Yahoo Buzz, Yahoo Mobile, Yahoo Shopping, Yahoo Real Estate, Yahoo Next, Yahoo BOSS, Yahoo Meme, Y! Connect, etc.

Weaknesses

- As per January 2012 data, a survey says Yahoo's market share in search engines is only 6%
- Google already has an 83% market share, and the immediate competitors are Baidu, which has the same 6%, and Bing, which has 4% of the search engine market
- Lack of Information Technology Security
- Yahoo is gradually losing its market share in mailing services due to Google's strong presence in the search engine market and its related product portfolio complementing its search engine services
- Mail services, news, shopping, financial data and business directory services are provided by many others like MSN, CNN, eBay, Moneycontrol, etc.
- The financial health of the company is not so promising for investors. The company's assets, both tangible and intangible, are on the decline.
- Google, being the leading service provider on the internet, is grabbing the revenues from advertisements
- Most of the services provided by Yahoo are unknown in the internet space

Opportunities

- Yahoo Directory is the most structured and authenticated business directory; any customized development for its users in this area will lead to a flow of new revenue to the company
- The number of mobile users is constantly increasing in developing nations. Development of Yahoo! Mobile WAP services will improve market share
- Advertising in social media and on the internet has become an essential element for every commodity
- Yahoo has huge potential in combining its services with social media platforms like Flickr, etc.
- It can focus on diversification into related business segments in the Internet space

Threats

- The biggest threat for any global service provider on the internet is increasing competition in local markets, especially China
- Another major threat is addressing cultural issues when entering foreign markets
- Yahoo's presence in search engine services is declining very rapidly because of Google's strong presence
- The number of competitors is increasing because of new innovations in the internet space by young entrepreneurs
- The advertising market, which was once dominated by Yahoo, is being slowly grabbed by social networking sites like Facebook, Myspace, etc.

VIII. Alternative Courses of Action

First, it starts with caring about security. According to a report by the New York Times, Yahoo focused more on products and features than on actual IT security (Turton, 2016). This is already a recipe for disaster, as it is a prime example of "tone at the top," where the quality of a product or service reflects its management. Few reasons exist for the management of a gigantic company to neglect security. One would be if the Yahoo infrastructure at this location were one massive honeypot for an APT. A second would be if an insider planned on taking a cut from Verizon as a thank-you for the lowered buyout price – my honest speculation.

Second, the CEO should listen to the security staff. According to the New York Times, "Yahoo executives, led by CEO Marissa Mayer, were completely apathetic about security, and refused to fund security initiatives, leaving the company vulnerable to attack" (Turton, 2016). Additionally, Mayer allowed the installation of a "secret" program for US intelligence officials without the approval of the security team (Menn, 2016).

Third, encrypt user information to prevent exploitation of readable data. It appears a Yahoo VP is currently pressing for end-to-end encryption: "Jeff Bonforte, the Yahoo senior vice president who oversees its email and messaging services, said in an interview last December that Mr. Stamos and his team had pressed for Yahoo to adopt end-to-end encryption for everything. Such encryption would mean that only the parties in a conversation could see what was being said, with even Yahoo unable to read it" (Turton, 2016).

Fourth, using two-factor authentication via personal phones, or alerting users to logins on personal devices, helps trigger mitigating actions from the user. This includes location data on where the login occurred. If the user changed their password after the copy of the UDB was stolen, it proved to be an effective way of stopping future intrusions. The indictment states: "The conspirators failed to access those accounts whose users had changed their passwords after BELAN stole the UDB copy" (United States of America, 2017).
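One way a service obtains the property the indictment describes (a password change rendering previously minted cookies useless) is to bind each session cookie to a per-account credential generation counter. The following is an added example, not Yahoo's code and not derived from the indictment; the account table, server key and cookie layout are constructed for illustration:

```python
"""Added example: session cookies bound to a per-account credential generation,
so a password change invalidates every cookie issued before it.
Accounts, key and cookie format are constructed; this is not Yahoo's design."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side records. A real service would store a slow password
# hash (bcrypt/scrypt/argon2); this mock only needs the generation counter.
SERVER_KEY = secrets.token_bytes(32)  # constructed; kept outside the user DB
ACCOUNTS = {
    "alice": {"pw_hash": "constructed-hash-1", "cred_gen": 1},
    "bob": {"pw_hash": "constructed-hash-2", "cred_gen": 1},
}


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_cookie(user: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Issue a cookie embedding the account's current credential generation."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"u": user, "g": ACCOUNTS[user]["cred_gen"], "exp": int(now + ttl_seconds)},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    return payload.hex() + "." + _sign(payload)


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is valid, otherwise None.
    A cookie minted under an older generation (before a password change)
    is rejected even though its MAC is intact."""
    now = time.time() if now is None else now
    try:
        payload_hex, mac = cookie.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), mac):
        return None  # forged or tampered cookie
    data = json.loads(payload)
    acct = ACCOUNTS.get(data.get("u"))
    if acct is None or data.get("exp", 0) < now:
        return None  # unknown account or expired
    if data.get("g") != acct["cred_gen"]:
        return None  # issued before the last password change: revoked
    return data["u"]


def change_password(user: str, new_pw_hash: str) -> None:
    """Rotating the password bumps the generation, revoking all earlier cookies."""
    ACCOUNTS[user]["pw_hash"] = new_pw_hash
    ACCOUNTS[user]["cred_gen"] += 1


def demo() -> dict:
    """Constructed walk-through: both users hold cookies, only alice rotates."""
    c_alice = issue_cookie("alice", now=1000.0)
    c_bob = issue_cookie("bob", now=1000.0)
    before = (verify_cookie(c_alice, now=1500.0), verify_cookie(c_bob, now=1500.0))
    change_password("alice", "constructed-hash-1b")
    after = (verify_cookie(c_alice, now=1500.0), verify_cookie(c_bob, now=1500.0))
    tampered = c_bob[:-1] + ("0" if c_bob[-1] != "0" else "1")  # flip last MAC char
    return {
        "before": before,
        "after": after,
        "tampered": verify_cookie(tampered, now=1500.0),
        "expired": verify_cookie(c_bob, now=10_000.0),
    }


if __name__ == "__main__":
    print(demo())
```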

Fifth, reviewing who has access to certain databases may have raised a red flag for IT staff. According to the FBI brief reported by Ars Technica after the indictment, the attackers used a spear-phishing email to target a "semi-privileged Yahoo employee and not top executives...social engineering or spear phishing 'was the likely avenue of infiltration' used to gain the credentials of an 'unsuspecting employee' at Yahoo". Semi-privileged employees should NOT have the same rights as the executive level; such rights may have enabled the changes made on the Yahoo network. A review of user access privileges may have prevented or detected the intrusion.

Sixth, if an employee felt they had been socially engineered into providing credentials or clicking on a malicious link, they should have been trained to come forward and alert management about the compromised account or machine without fear of repercussion.

Seventh, network monitoring to identify suspicious activity and alert IT administrators will detect data being exfiltrated. According to Jason Rhykerd, an IT security expert with System Experts, hackers in 2012 were able to capture "more than 2,000 database tables and/or column names, along with 298 MySQL variables...All that traffic had to traverse from the Yahoo server to the hackers' PCs... The amount of traffic this attack would have generated should have set off the lightest of IDS rules". This statement from 2012 shows that Yahoo's intrusion detection system (IDS) has been struggling for at least five years. The attackers in the 2014 hack used FTP to transfer data out of the network, again an action that should have set off IDS alarms. The strength of the IDS depends on its rules or applications not being changed by the intruder, meaning that the intruder must not be able to obtain credentials to the IDS system or server, or make changes to the IDS or server, without authentication. There should not be enough information on Yahoo's servers to provide a means of socially engineering the security vendors.
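As an added example (not Yahoo's IDS and not any vendor's rule set), the two signals this paragraph singles out, bulk transfer away from a database host and FTP leaving the network, written as detection logic over constructed connection-log lines; the hosts, addresses, log format and thresholds are all assumptions:

```python
"""Added example: two detections over constructed connection logs, modelled on
the signals the text says should have fired (large outbound volume from a
database server; FTP to an external address). Not Yahoo's tooling."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed per-connection records: timestamp src dst dst_port proto bytes_out
SAMPLE_LOG = """\
2014-11-02T03:12:01 10.20.5.17 10.20.5.40 3306 tcp 48213
2014-11-02T03:12:09 10.20.5.17 10.20.5.40 3306 tcp 51377
2014-11-02T03:14:30 10.20.5.40 203.0.113.77 21 tcp 1532
2014-11-02T03:14:35 10.20.5.40 203.0.113.77 20 tcp 734003200
2014-11-02T03:15:02 10.20.8.9 198.51.100.10 443 tcp 22100
2014-11-02T03:16:44 10.20.8.12 198.51.100.23 443 tcp 9800
2014-11-02T03:20:10 10.20.5.40 10.20.5.50 22 tcp 220045
"""

# Constructed asset inventory: hosts holding the user database (UDB).
DB_SERVERS = {"10.20.5.40"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FTP_PORTS = {20, 21}
# Per-host outbound byte budget for the window the log covers (assumed).
VOLUME_THRESHOLD = 100 * 1024 * 1024  # 100 MiB


def parse_log(text: str) -> List[dict]:
    """Parse the constructed whitespace-separated format into records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of crashing the detector
        ts, src, dst, port, proto, nbytes = parts
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return records


def is_external(addr: str) -> bool:
    """True when the address is outside every internal prefix."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def detect(records: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, src_host, detail) alerts.
    Rule 1: any FTP connection from a DB server to an external address.
    Rule 2: total outbound bytes from a DB server to external addresses
            exceed VOLUME_THRESHOLD."""
    alerts: List[Tuple[str, str, str]] = []
    outbound: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["src"] not in DB_SERVERS or not is_external(r["dst"]):
            continue  # only DB-server traffic leaving the network is in scope
        outbound[r["src"]] += r["bytes"]
        if r["port"] in FTP_PORTS:
            alerts.append(("ftp-from-db-server", r["src"],
                           f"{r['ts']} -> {r['dst']}:{r['port']}"))
    for host, total in outbound.items():
        if total > VOLUME_THRESHOLD:
            alerts.append(("db-exfil-volume", host, f"{total} bytes outbound"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```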

Eighth, use anti-virus rules to blacklist links, scripts, and programs that appear on the network. If Yahoo had invested in an anti-virus program to monitor activity over the network and on user devices, malicious links and scripts sent over email would have been blocked, and most hacker tools would have been prevented from being loaded on the server. With a cyber threat intelligence module added, staff can research the latest attack trends and stay up to date on vulnerabilities, providing a long-term strategic advantage for Yahoo's IT infrastructure.

IX. Recommendation

Yahoo Mail is a free mail service offered by the American company Yahoo. It was launched in 1997 and became the third-largest web-based email service by 2011. Yahoo Mail had three web interfaces available, including Yahoo Mail Classic, which has preserved its originality. In 2005, an Ajax interface was introduced with a drag-and-drop facility, improved search and several more tabs.

In 2010, a beta version of Yahoo Mail was released. By 2011, the beta version became the default interface. Moreover, until 2013, Yahoo Mail had unlimited storage. The new design faced a lot of criticism from users for its layout and usability. Many users could not access their emails. The problem was completely resolved only in 2013.

The latest Yahoo Mail, as compared to Gmail, remains the web-mail market leader. In 2002, Yahoo eliminated free software client access and introduced the $29.99 per year Mail Forwarding Service. Active registered users accepted the paid services with enthusiasm.

In the same year, Yahoo launched Yahoo Mail Plus, another paid service. Yahoo became the first to announce 100 MB of storage for basic accounts and 2 GB of storage for premium users. In 2004, Yahoo acquired Oddpost, which supported features like drag-and-drop, right-click menus and RSS feeds, all of which were well appreciated by users.

In 2011 the new Yahoo Mail, code-named Minty, was released with enhanced performance and improved Facebook and Twitter integration. Yahoo later released the beta version in 2011, mandatory for users. However, users were not satisfied with this development. Unfortunately, Yahoo failed to resolve the issues until 2013. In 2013 Yahoo faced criticism from users for removing features that were user-friendly.

In December of the same year, Yahoo Mail suffered an outage where users couldn't access their mail. Yahoo later apologized for the inconvenience caused and admitted that a number of user-names and passwords were disclosed due to a security breach.

Yahoo! has made history because of the data breach case that happened in the years 2013-2016. The Yahoo breach appears to have been planned and sponsored by nation-state actors (i.e. FSB officers), involving Dmitry Dokuchaev and his superior Igor Sushchin. The two FSB officers contracted the talents of two individual criminal hackers: Alexsey Belan, located in Russia and used for the main breach of the Yahoo network, and Karim Baratov, located in Canada, to compromise non-Yahoo accounts. Alexsey Belan has been one of the FBI's "Most Wanted" hackers since 2012 (United States of America, 2017).

Yahoo! CEO Marissa Ann Mayer admitted that she refused to care more about the IT security of the company and concentrated more on its products and services, which led to the data breach case. The reason behind Mayer's refusal was the lack of funds to implement stronger IT security. Marissa Ann Mayer also stated that Yahoo! is gradually losing its market share in mailing services due to Google's strong presence in the search engine market, which affected the sales of the company.

This shows how much technology affects the productivity of a business, both positively and negatively. If a business fails to cope with the rapid changes in technology, it will not thrive and will face issues that affect the trust of users/customers, investors, employees and other stakeholders.

X. References

Nye, R. (2017, August 14). A "Kill Chain" Analysis of the 2016 Yahoo! Data Breach. Retrieved from http://www.rnyte-cyber.com/uploads/9/8/5/9/98595764/ckcyahoo_by_rnye.pdf

Department of Justice. (2017, March 15). U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts. Justice.gov. Retrieved from https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions

Higgins, K.J. (2013, February 2). How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack. Darkreading.com. Retrieved from http://www.darkreading.com/attacks-breaches/how-lockheed-martins-kill-chain-stopped-securid-attack/d/d-id/1139125

Gallagher, S., & Kravets, D. (2017, March 15). How did Yahoo get breached? Employee got spear phished, FBI suggests. Arstechnica.com. Retrieved from https://arstechnica.com/tech-policy/2017/03/fbi-hints-that-hack-of-semi-privileged-yahoo-employee-led-to-massive-breach/

Goel, V. (2017, March 17). One Billion Yahoo Accounts Still for Sale, Despite Hacking Indictments. Nytimes.com. Retrieved from https://www.nytimes.com/2017/03/17/technology/yahoo-hack-data-indictments.html

Lockheed Martin Corporation. (2015). Gaining the Advantage: Applying Cyber Kill Chain Methodology to Network Defense. Lockheedmartin.com. Retrieved from https://ole.sandiego.edu/courses/1/CSOL-580-01-SU17/content/_1006814_1/story_content/external_files/Cyber%20Kill%20Chain.pdf

Market News. (2016, December 14). BRIEF-Yahoo says identified data security issues concerning certain user accounts. Reuters.com. Retrieved from http://www.reuters.com/article/idUSFWN1E90R2

McGoogan, C. (2017, February 16). Yahoo hack warning: What happened and should you be worried? Telegraph.co.uk. Retrieved from http://www.telegraph.co.uk/technology/2017/02/16/yahoo-hack-warning-happened-should-worried/

Menn, J. (2016, October 4). Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence – sources. Reuters.com. Retrieved from http://www.reuters.com/article/us-yahoo-nsa-exclusive-idUSKCN1241YT

Newman, L.H. (2016, December 14). Hack Brief: Hackers Breach a Billion Yahoo Accounts. A Billion. Wired.com. Retrieved from https://www.wired.com/2016/12/yahoo-hack-billion-users/

United States of America v. Dmitry Dokuchaev, Igor Sushchin, Alexsey Belan, Karim Baratov. CR17.103. (2017). Retrieved from https://www.justice.gov/opa/press-release/file/948201/download

United States Senate. (2014, March 26). A "Kill Chain" Analysis of the 2013 Target Data Breach. Commerce.Senate.gov. Retrieved from https://www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf

Turton, W. (2016, September 28). How Yahoo Totally Blew It on Security. Gizmodo.com. Retrieved from http://gizmodo.com/how-yahoo-totally-blew-it-on-security-1787177844

Weinberger, M. (2016, December 14). IT HAPPENED AGAIN: Yahoo says 1 billion user accounts stolen in what could be biggest hack ever. Businessinsider.com. Retrieved from http://www.businessinsider.com/yahoo-data-breach-billion-accounts-2016-12

Williams, P. [MSNBC]. (2017, March 15). DOJ: 2 Russian Spies Indicted in Yahoo Hack | MSNBC [Video file]. Retrieved from https://www.youtube.com/watch?v=sFCsAZjqSJE
