Juha Saarinen: Turning the tables on hackers

Russian REvil associate Yevgeniy Polyanin is on the FBI's wanted list. Photo / AP

OPINION:

Poking a bear may seem an exciting thing to do. At least until the bear in question takes umbrage at being poked and bites off your head.

Law enforcement around the world has over the past couple of years started to turn the tables on digital criminals and nation-state threat actors, adding active deterrent to passive defences.

They are enjoying success too, like the recent arrest of a Ukrainian man Yaroslav Vasinskyi for being the REvil ransomware associate who attacked the managed service provider deployment and monitoring tools company Kaseya on July 4 that saw up to 1500 businesses have their data encrypted.

A Russian REvil associate, Yevgeniy Polyanin, is still at large but also facing charges in the United States, for his role in the Kaseya attacks. American authorities have also seized around $8.4 million in ransom payments, and European cops have swooped on other REvil criminals as well.

The Ukrainian security service SSU scored a direct hit on its Russian counterpart the FSB when it published details of the Gamaredon/Armagedon/Armageddon hacking group.

Armageddon is said to be responsible for thousands of hack attacks on Ukraine government agencies and critical infrastructure in the East European country, and now it would appear that we have the names and photos of several of them.

They are said to be FSB agents, some of them being Ukrainians defecting to the Russian side after the invasion of Crimea in 2014. SSU has now released recordings of the state hackers talking to each other, complaining about really mundane stuff like poor pay and no recognition of their efforts.

Moreover, the SSU snagged and published a range of technical information on Armageddon's methodology, and the software the hackers use, which can now be analysed, verified and correlated against other incidents by security researchers.

Some of Armageddon's command and control infrastructure was also mapped out by SSU.

In essence, what the police and intelligence agencies are doing now is to use the asymmetric attack methods that hackers use against them. They don't have any special hack-proof networks, hardware or software that makes them immune from attacks. Asymmetric warfare works both ways.

It looks like the Armageddon revelations were a bit like shooting fish in a barrel for the Ukrainians.

"Armageddon does not use complex and sophisticated techniques, tactics and procedures, does not try to make an effort to stay secret for a long time. Staying off the radar is not a group priority [sic]," the SSU analysis pointed out.

Nevertheless, a more active defence stance as taken by overseas law enforcement and military is something we should keep a close eye on, and emulate if we aren't already.

Not some undercarriage appendage-swinging "hack back" strategy, but actively observing the activities of criminals and government-affiliated hackers, to make their lives just a tad more difficult and less anonymous.

You could even actively bait attackers, using something like the New Zealand-developed Daedalus proof of concept. Daedalus seeks to steer threat actors into a fake, but very realistic-looking 5G mobile telco tech core.

With Daedalus, you can "tarpit" attackers, as in tie up resources and time for them, give them bogus info to steal, or do nothing and learn how they operate in order to keep them out of bona fide networks.

Similarly, software-defined networking operators can use the technology to create fake, vulnerable services that look like juicy targets, but which just waste time and do nothing for attackers. There's much fun to be had with that strategy which might also help map out common sources of attacks.

Either way, it's worth having better co-operation in the area (and yes I am going on an awful lot about this), and thinking about defences beyond just patching and updating which while necessary, is unlikely to be sufficient to ward off determined attackers.

If the attackers know that they'll never be able to travel outside their country, or put their ill-gotten gains to use because of a more active infosec defence stance, they might just think twice before tapping out that malicious keystroke sequence.