The Five Eyes are set to adopt new strategies in the fight against state-backed cyber criminals as threat levels surge. Roger Spence from ASX-listed cyber security company Tesserent explores.
In 2022 there is a real prospect that Australia and its Five Eyes partners (New Zealand, Canada, UK and US) will target and ‘hack back’ against perpetrators of ransomware and other cyber attacks that target Australia’s critical infrastructure such as utilities, medical and food supply.
Looking ahead, we can expect the Australian government and its partners to ‘release the hounds’ and attempt to cripple or shut down gangs pre-emptively, rather than wait for an attack.
The challenge for governments dealing with ransomware and other malicious online activity is that most criminal gangs are loose affiliations of individuals chasing profits rather than any specific military, nationalistic or ideological agenda.
While governments, acting in their own national interest, have often pushed back and taken action against other countries when threatened in both the physical and digital worlds, we are starting to see a shift in the rhetoric with nation states raising the prospect of taking a more offensive posture against gangs that may not have direct ties to a specific government.
This is likely to go beyond the current Australian government policy of tracking, catching and prosecuting threat actors through the courts after a crime has been committed.
Ransomware is one of the key tools used by criminals and other parties seeking to compromise the operations of organisations around the world.
The issue is so significant that we are seeing the emergence of ransomware-specific legislation being considered in some countries.
Australia has led the way, amongst Five Eyes countries, with the Ransomware Payments Bill, while the US has followed with its Ransomware Disclosure Act for consideration. Australia has acknowledged that it has had offensive ‘hack back’ capability since at least 2016.
One of the key drivers behind this shift in policy is that, while ransomware attacks are executed by private citizens, there is a strong belief that the actions of these gangs are being sanctioned, and possibly supported through funding and other means, by nation states that are seeking to weaken their political and ideological opponents but don’t want to launch a full-scale cyber war.
A further complexity for governments trying to protect critical infrastructure is that much of it is in the hands of private industry, making national cyber security a challenge of civil defence.
Recently, Australia, the US and a number of other countries said an attack allegedly perpetrated by Chinese nationals was backed by the People’s Republic of China. There have been similar accusations made against North Korea.
But many other countries also boast offensive cyber capability.
The US Cyber Mission Force, the UK’s National Cyber Force, Russia’s Foreign Intelligence Service, China’s PLA Unit 61398 and North Korea’s Bureau 121 all have ‘hack back’ capability, while Israel has a long-standing and well-practised offensive cyber capability via Unit 8200, the largest unit of the Israeli Military Intelligence Directorate.
Almost every security report released over the last few months indicates the frequency of ransomware attacks in Australia is increasing.
And the situation has been further complicated as these attacks not only lock down critical systems, but are often matched with data exfiltration tools.
As a result, the victim of an attack may not only face a loss of access to systems and data, but also find private information made available in the public domain. It’s the ‘double whammy’ of ransom and extortion.
This is why Australian organisations must not only focus on defending against ransomware attacks but also ensure they have appropriate monitoring and tools in place to detect and block any unauthorised data exfiltration.
This means having a broad focus on everything from identity and access management through to strong end-point protection. Following all the guidelines in the Australian Cyber Security Centre’s Essential Eight will help to mitigate the effects of a ransomware attack.
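The monitoring the two paragraphs above call for can be as simple as comparing each host’s outbound volume to external destinations against its own baseline. The script below is an added illustration, not code from the article or from Tesserent; the flow-log format, the 10.0.0.0/8 internal range, the sample lines and the per-host baselines are all constructed here, and the threshold rule (three times baseline, with a 10 MB floor) is an assumption for the example rather than a published recommendation.

```python
"""Baseline-deviation check for outbound data volume per host.

Added illustration (not from the article): flags internal hosts whose
outbound bytes to external destinations in a log window exceed a multiple
of their historical baseline. Everything below is constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: internal hosts live in 10.0.0.0/8; anything else is external.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed flow records: "timestamp src dst bytes_out", one per line, as a
# firewall or proxy might export. External addresses use documentation ranges.
SAMPLE_FLOWS = """\
2022-01-10T09:00:01 10.0.1.20 198.51.100.14 4500
2022-01-10T09:00:05 10.0.1.20 198.51.100.14 3800
2022-01-10T09:01:10 10.0.1.21 198.51.100.22 2200
2022-01-10T09:02:00 10.0.1.21 203.0.113.9 52000000
2022-01-10T09:02:30 10.0.1.21 203.0.113.9 61000000
2022-01-10T09:03:00 10.0.1.22 10.0.2.5 90000000
"""

# Constructed per-host baseline of outbound bytes for a comparable window;
# in practice this comes from historical flow data.
BASELINE_BYTES = {
    "10.0.1.20": 50_000_000,
    "10.0.1.21": 20_000_000,
    "10.0.1.22": 5_000_000,
}


def parse_flows(text):
    """Parse the constructed flow format into (ts, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((ts, src, dst, int(nbytes)))
    return flows


def is_external(ip):
    """True if the address falls outside the assumed internal range."""
    return ip_address(ip) not in INTERNAL_NET


def outbound_totals(flows):
    """Sum bytes per source host, counting only flows to external hosts.

    Internal-to-internal traffic (for example backups to a local server)
    is ignored so it cannot trip the exfiltration heuristic.
    """
    totals = defaultdict(int)
    for _, src, dst, nbytes in flows:
        if is_external(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_exfil_candidates(flows, baseline, factor=3.0, floor=10_000_000):
    """Return (host, observed_bytes, threshold) for hosts above threshold.

    threshold = max(factor * host baseline, floor); the floor stops hosts
    with a tiny or missing baseline from being flagged on trivial volume.
    """
    hits = []
    for host, total in outbound_totals(flows).items():
        threshold = max(factor * baseline.get(host, 0), floor)
        if total > threshold:
            hits.append((host, total, threshold))
    return sorted(hits)


if __name__ == "__main__":
    for host, total, threshold in flag_exfil_candidates(
        parse_flows(SAMPLE_FLOWS), BASELINE_BYTES
    ):
        print(f"{host}: {total} bytes outbound, threshold {threshold:.0f}")
```

On the constructed data only 10.0.1.21 is reported: its two large transfers to 203.0.113.9 total well over three times its baseline, while 10.0.1.22’s 90 MB goes to an internal address and is not counted. A volume heuristic like this is one signal among several; pairing it with identity and endpoint telemetry, as the paragraph above suggests, is what turns a flag into a case.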
While the Australian Government is concerned with all attacks that can damage citizens’ interests, there is a specific focus on critical sectors.
When the world’s largest meatworks, JBS, was attacked earlier this year, it led to concern that the global meat supply could be compromised resulting in a significant increase in the commodity price of beef across the world.
And the attack on Colonial Pipeline resulted in price increases and gas shortages before it was resolved.
Criminal groups that target critical infrastructure such as utilities, hospitals and food supply will likely have to deal with significant counter action.
Already, attackers can find their access to domains and cloud services they use blocked. But governments may take stronger actions.
The REvil group was recently hacked and forced offline by a coalition of governments. As a bonus, the government hackers recovered a universal decryption key that could reverse much of the damage done by this group.
Traditional law enforcement methods, built on catching someone after a crime has been committed, don't work in a connected world where the threat actors are in other countries and benefit from the anonymity of the digital world.
This means that the Australian government and its Five Eyes partners will increasingly be more proactive and attempt to break the threat actor’s supply chain before they can execute and cripple a key piece of infrastructure.
Whether the Australian government is prepared to unleash the hounds, and how offensive they are prepared to be, will be fascinating to watch.
Roger Spence is the client services director at cyber security solutions provider Tesserent.