ASD Enters the Ransomware Suppression Business

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.ok

The Australian government has officially "released the hounds" on ransomware crews, tasking 100 ASD and AFP members to a standing operation. In other words, ransomware crews and their affiliates are about to live in interesting times.

On November 12, Australia's Minister for Cyber Security and Home Affairs Clare O'Neil announced "an ongoing, joint standing operation to investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups". Speaking to the ABC's Insider's program the next day, O'Neil used strong language, describing the operation as "a partnership of new policing between the Australian Signals Directorate (ASD), which are the cyber guns of the Australian Public Service, and the Australian Federal Police (AFP)".

"What they will do is scour the world, hunt down the criminal syndicates and gangs who are targeting Australia in cyber attacks and disrupt their efforts. This is Australia standing up and punching back."

Risky Biz News described the events that led to the announcement:

The focus on ransomware follows the recent ransomware attack on Australian private insurance provider Medibank. The company says attackers broke into its network, stole internal files—including sensitive personal and healthcare details on 9.7 million Australians—encrypted files, and demanded a ransom. When it refused to pay, the ransomware gang, going by the name of BlogXX, believed to be a spin-off from the infamous REvil ransomware operation, started leaking some of Medibank's patient records—as a form of intimidation and put public pressure on the company to pay the ransom.

BlogXX released a number of files to its dark web blog, including a file called "abortions.csv", containing more than 300 claims made by policyholders in relation to pregnancy terminations and miscarriages, and another called "boozy.csv" containing details of alcoholism-related treatment.

Both the US and UK governments have previously acknowledged that they use offensive cyber capabilities (those that degrade, disrupt etc.) against cyber criminals, but we still think this is a very significant announcement. Rather than spinning up operations whenever significant incidents occur, it commits to an ongoing effort and also attaches some political significance to the operation.

This is a reason for optimism on a couple of fronts.

Firstly, having a political priority will simply enable both AFP and ASD to get stuff done. We doubt that disrupting ransomware crews will require the rarest of skills, but the two organisations' top talent will be available on tap if it's needed. And the expertise on tap will also include policy experts and lawyers to answer questions about limits and proportionate behaviour — questions that will inevitably arise because tackling cyber crime on an ongoing basis is essentially a new endeavour.

Another reason for optimism is that O'Neil's strong public statement essentially commits the government to some level of transparency. At some point, she'll be asked about the success (or failure) of this taskforce in parliament's Question Time and she will have to answer with at least some detail. O'Neil wouldn't have made such a strong public statement without knowing that she'll be able to back it up with a good news story. We think success prosecuting the recent hacks of Optus and Medibank may have given her the confidence to make such a strong commitment.

There are also lots of opportunities to dramatically affect cyber criminal organisations. These groups are typically pseudonymous in that they communicate using messaging apps, keep accounts over time to maintain reputations and build trust, but don't share real identities. Combined with sometimes porous security — chat logs from cyber crime groups have been leaked more than once (see this week's Reasons to be Cheerful Zeus botnet arrest) — they are ripe for disruption that severs communications between key people and sows doubt and mistrust between them.

Although we're optimistic that offensive cyber operations against cyber criminals will be effective, we don't think they'll make the crime go away. It's too easy and too lucrative, but we expect that it will disrupt the most impactful groups. Perhaps this means greater churn in the ransomware industry as groups arise, get disrupted, disband and take on new forms. If the taskforce is very successful, this "regeneration" process will also be disrupted as the individuals who lead these groups — the kingpins — face rolling disruption to their digital lives.

Offensive cyber action isn't the Australian government's only response to ransomware, it's just one of the latest of a range of measures. This newsletter previously covered the whole-of-government response kicked off by the Medibank breach. Other actions include setting expectations that companies pay for the costs of affected customers and foreshadowing increased fines and revamped regulations.

This week O'Neil also placed the possibility of banning ransomware payments on the table, saying that it would be considered in the context of the next national cyber security strategy. We certainly think this is worth discussing, but we have mixed feelings about an outright ban.

In the case of Medibank, for example, extremely sensitive personal information was stolen. When examined in isolation, there is a solid argument that it would have been worth paying the extortionists to prevent it being published. In some ways, it would have made sense to negotiate an acceptable price (one that's discounted because there is no certainty the data really will be deleted) and pay the ransom.

Ultimately, however, this would just encourage ransomware crews to do more crime. In the end, Medibank arrived at the same conclusion and didn't pony up.

In the case of data extortion, we can see a total ban on payments makes sense, but it's trickier for ransomware that encrypts data and locks computers. Do we keep hospital services offline because they shouldn't pay a ransom? Do we let companies fail so they don't pay a ransom?

An outright ban on ransomware payments is a tempting knee-jerk policy, but it could cause more problems than it's worth. For now, let's see what ASD and AFP can achieve now the gloves have come off.

Happy hunting.

Twitter Titanic, Meet Elon Iceberg

Elon Musk bought Twitter, and it's been chaos.

In September, after former Twitter's former security chief Mudge testified to the US Senate alleging security and management failings at Twitter, our takeaway was that social media companies don't have strong incentives to tackle the threat of foreign espionage. The Saudi government has already been caught bribing Twitter employees for access to the personal information of activists, and Mudge suspected other agents were working in Twitter.

After taking over Twitter just three weeks ago, on 27 October, Musk laid off half of its employees, 80% of its contractors and has started a series of ill-conceived changes that are affecting safety and security, trashing Twitter's reputation (such as it is) and leading to an advertiser "pause" over brand safety concerns.

Casey Newton and Zoë Schiffer at Platformer have excellent coverage of the rolling chaos and summarise the fallout from Musk's plan to sell "verified" badges for USD$8 a month:

On Thursday evening, after a full day of chaos on the timeline, Elon Musk’s Twitter halted new enrollment into its $8-a-month Blue subscription offering. Offering anyone the chance to slap a “verified” badge on their account had led to widespread impersonation of government officials, corporations, and celebrities. The resulting mayhem, which led to memorable hoaxes from accounts misrepresenting themselves as Eli Lilly, Tesla, Lockheed Martin and others, had triggered an advertiser pullout and a general sense that the platform had descended into chaos.

Musk's plans to refactor the service by removing microservices "bloatware" also appear to have been shortsighted.

Part of today will be turning off the “microservices” bloatware. Less than 20% are actually needed for Twitter to work!

Shortly afterwards, SMS two-factor stopped working — users attempting to login weren't receiving authentication texts, although it is not clear whether this was the result of removing a particular microservice.

Twitter's CISO, chief privacy officer, chief compliance officer and its head of trust and safety all resigned in the last week, so the relatively modest security concerns we wrote about in September now seem quaint and somewhat naive. We were concerned that Twitter wasn't doing enough to protect against insider threats, but it turns out that the damage caused by foreign interference just doesn't compare to the damage a rogue CEO can cause.

The US Federal Trade Commission has already expressed concern about developments at Twitter, telling The Record it was "tracking recent developments at Twitter with deep concern" and "no CEO or company is above the law". Twitter has had previous run-ins with the FTC and was fined USD$150m in May for using email addresses and phone numbers collected specifically for security purposes to target ads. It's also possible that Twitter is no longer GDPR compliant because after the resignation of its chief privacy officer, it doesn't have a designated data protection officer.

US politicians were already thinking of creating a tech regulator after Mudge's September testimony, and this recent debacle won't assuage their concerns. Musk trolling US Senator Ed Markey certainly won't help, although it's not the dumbest thing Musk has done this week.

One of your companies is under an FTC consent decree. Auto safety watchdog NHTSA is investigating another for killing people. And you’re spending your time picking fights online. Fix your companies. Or Congress will.

At this point, we are not sure whether Congress or Musk can fix Twitter.

Three Reasons to be Cheerful this Week:

1. Zeus botnet leader arrested in Switzerland: Krebs on Security reports this week that Vyacheslav "Tank" Penchukov was arrested in Switzerland. Penchukov was a top figure in the JabberZeus cybercrime gang, which used a modified version of the Zeus banking trojan to steal money from small to medium businesses by modifying their payroll. Krebs' report has many interesting nuggets, including that investigators had access to the group's private Jabber chats "for many years" and that Penchukov was identified because he told colleagues his daughter's first name and weight when she was born. This information was compared to Ukrainian birth records to match the online identity Tank to Penchukov. The MIT Technology Review also has a good account of a failed 2010 attempt to arrest Penchukov and other criminal masterminds in Ukraine.
2. EU threatens to improve cyber defences: The Record reports the European Commission has proposed a more robust cyber security policy for the EU. Among other things, the policy states "Member States must increase their investments in developing full spectrum cyber defence capabilities and develop these in a collaborative manner". EU-NATO cooperation is also identified as important.
3. All your Bitcoin are belong to US: The US Department of Justice announced that it had seized over 51,000 bitcoin valued over USD$3.3bn when they were seized in November last year, although they are now only worth around USD$860m. James Zhong stole the Bitcoin from Silk Road by taking advantage of a flaw that allowed him to multiply his money by making a single deposit and multiple rapid withdrawals. Interestingly, the US government seized this Bitcoin not because Zhong stole it, but because it was traceable to the Silk Road dark market and hence forfeited by Ross Ulbricht, Silk Road's convicted administrator. According to the forfeiture affidavit, "... at Ulbricht’s 2015 sentencing, it was undisputed that all 9.9 million Bitcoin that passed through the Silk Road’s Bitcoin-based payment system between 2011 and 2013 were directly forfeitable as a result of Ulbricht’s crimes". This can't be right as it would mean over half of existing Bitcoin belongs to the US government…

Sponsor Section

In this article, Proofpoint's VP of Threat Detection and Research, Sherrod DeGrippo, explains how recent Twitter verification changes have caused phishing attacks targeting Twitter users to spike.

Proofpoint has also released an entire e-book on securing Microsoft 365. Get it here.

Shorts

More on the Global Hack-For-Hire Industry. Shocking.

The size and impact of the global hack-for-hire industry continue to be revealed in reports covering overlapping stories of how Indian hack-for-hire companies are used and how a large-scale intelligence operation was used to protect Qatar's FIFA 2022 World Cup bid.

The Bureau of Investigative Journalism and The Sunday Times obtained a database from WhiteInt, an Indian hack-for-hire company, that included details of the firm's clients and hacking targets. Just a few of the very significant targets: Philip Hammond, then chancellor, Chris Mason, the BBC's political editor, and Michael Platini, the former head of European football.

Some of these hacks were used to prevent opposition to Qatar's successful 2022 FIFA World Cup bid. In what appears to be overlapping but unrelated reporting SWI swissinfo.ch covers Project Merciless, a massive intelligence operation with a budget of nearly USD$400m.

There's an Australian link here: according to swissinfo Australian businessman Frank Lowy was a target because he was a "bitter opponent of the World Cup being held in Qatar". Lowy was a difficult target, however, because his "wealth and network gave him access to considerable means in the area of counterintelligence".

It's both fascinating and shocking. There's a good discussion about this between Patrick and Adam in last week's Risky Business podcast.

Vanuatu Blues

The Australian government is helping the Pacific island nation of Vanuatu rebuild its IT network after a ransomware attack.

FTX Cryptocurrency Collapse and Hack

Criminals stole somewhere between about USD$340m and USD$660m worth of cryptocurrency from the FTX cryptocurrency exchange, previously one of the world's largest exchanges. The FTX exchange was collapsing into bankruptcy at the time, so both hackers and employees are reasonable suspects. Normally, this size hack would be a BIG DEAL, even in the Alice Through the Looking Glass world of cryptocurrency, but given something like USD$10bn has already disappeared, it feels a bit like a rounding error.

So Long and Thanks for All the Bits

Ian Levy, Technical Director of the UK's National Cyber Security Centre has retired from government service and published a farewell blog post. It's worth reading.

A Digital Red Cross Marker?

The International Committee of the Red Cross (ICRC) has floated the idea of a digital red cross emblem that would signal that certain online systems were being used for medical and humanitarian purposes and therefore protect them from indiscriminate attack.

The idea is interesting and the ICRC's report examines potential benefits and risks in a clear-eyed way.

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed  (RSS, iTunesor Spotify) also publishes interviews.

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss why states in the European Union are no good at military cyber operations.

From Risky Biz News:

The spyware industry has found a cozy home in the EU: In a press conference on Tuesday, PEGA, an EU committee set up to investigate the abusive use of spyware across Europe, presented the initial results of an extensive investigation it started back in April this year.

While there have been reports of spyware abuse across several EU member states—which led to PEGA's creation in the first place—in a 159-page draft report shared with Risky Business, the committee said it found that spyware use and the surveillance industry are prevalent across EU member states.

"All member states have spyware at their disposal. All of them, even if they don't admit it. They do!" PEGA Committee rapporteur Sophie In 't Veld said yesterday.

She added that while some countries use it responsibly, others have abused it to spy on political rivals, journalists, and government critics, but all use the cloak of "national security" to create an "area of lawlessness" where they operate without any accountability. (continued)

Major hack-and-leak info-op unfolding in Moldova: A major hack-and-leak influence operation is currently unfolding in the small Eastern European state of Moldova, where a newly-registered website named Moldova Leaks has released the private correspondence of at least two political figures and promises to release more. (continued)

Infosec's Mastodon: Infosec.exchange has turned out to be the favourite Mastodon instance to where most security researchers have migrated to. As a result of the sudden influx of thousands of new accounts, the team behind the servers is looking for moderators and support staff. Donations are also currently needed and encouraged. More info about the instance can be found on its wiki.