Juha Saarinen: Australia gets ready to hack back at cyber criminals

Hackers stole sensitive information from Medibank on almost 10 million people in Australia. Photo / Ian Currie

OPINION:

The information security industry got a surprise the weekend before last when the Australian government announced a permanent operation with around 100 police and defence officers from the Australian Federal Police and the Australian Signals Directorate.

That operation will go after ransomware gangs, with attorney-general Mark Dreyfus and cyber security minister Clare O'Neil saying the police and sigint personnel will gather intelligence on them, identify leaders and networks and infrastructure.

Government hacking back isn't new as such, but it's not been openly advertised in the past.

Anyone can see why. Australia's move comes after a ransomware attack on private medical insurer Medibank which saw sensitive information on almost 10 million people being stolen.

The AFP and ASD are now tasked with disrupting and stopping similar attacks.

Very sensitive information it is too: Medibank rightly refused to pay the extortion money to the BlogXX criminals who in turn have started to release patient records in public. Among other things this includes names of hundreds of people who’ve undergone treatment for alcoholism and have had abortions.

All the data is available in neatly comma-separated files, with patients’ birthdates, addresses, phone numbers and emails.

That ransomware raiders are a particularly scummy lot has been known for a while now. Two years ago, Finnish psychotherapy provider Vastaamo was hacked with its patient database copied by criminals who proceeded to extort individuals registered with the mental health provider.

There is no doubt that punishing unscrupulous criminals who hurt vulnerable people without hesitating is a must. However, hacking back is a contentious proposition to say the least.

Cyber criminals use compromised systems removed from themselves so as to obfuscate where the attacks originate from and there's a risk of causing collateral damage if the always-difficult attribution of who's guilty is incorrect.

There's also the risk of leaking hacking techniques and revealing vulnerabilities that are not known to the outside world. Agencies tasked with hacking back also face the ethical conundrum of not sharing software and hardware exploit knowledge so that the flaws can be patched and make the world's IT systems safer.

Even so, something had to be done beyond the well-meaning and sound advice to use strong passwords and apply updates from authorities. There is now an official political remit to go after the hackers anywhere in the world. It'll be an area to watch as many gangs are state-linked operations in countries hostile to the West.

For example, Russia has sheltered ransomware criminals and destructive hackers who have at times worked with the country's intelligence agencies. This is evident from simple things like malware being coded not to activate in Russia and its allied countries.

As the corrupt and shambolic Russia continues to flail and come a cropper in its barbaric invasion of Ukraine, there is now an even more clear imperative for Western nations to protect critical IT infrastructure. This is to prevent damage and extortion money landing in Putin’s war chest.

Due to the war, Ukrainian authorities have also become strongly incentivised to crack down on digital criminals. Like the JabberZeus banking Trojan gang, which has both Ukrainian and Russian members and which has stolen tens of millions of dollars worldwide.

Its leader Vyacheslav "Tank" Penchukov from Russia-annexed Donetsk was recently arrested in Switzerland. Penchukov had been protected by his connections with the family of former Ukrainian president Victor Yanukovich for more than a decade.

Never forget that ransomware is big business, which last year led to losses in the tens of billions for victims. With that kind of money on the table and easy access to malware as a service, launching ransomware attacks is tempting for keyboard crims who think they can't be traced.

A spate of prosecutions in recent years show that at best the criminals are pseudonymous.

Sigint agencies and police crews have a crucial advantage over ransomware criminals: the former have had to learn through investigating attacks and actively defending targets; the latter group has usually not, and is often clueless about operational security (opsec).

Developers of ransomware and those who operate the payments system are aware of this, and try to stay out of the limelight, with associates lured to do dirty deeds in return for a cut of the extortion money.

Finding ransomware associates won't be quite like shooting fish in a barrel, but not far off.

Killing as much of the ransomware-as-a-service industry is a great tactic that will hurt the criminals behind the operations.

Nothing is easy in this world, and there is a danger of people and organisations becoming complacent, since there is now an official defence shield. “Outsourcing” information security and thinking it’s the government’s job would be disastrous. Don’t let the guard down in other words.