The Australian government is launching an offensive against cybercriminals after a data breach exposed the personal information of millions of people.
On November 12, Cybersecurity Minister Clare O’Neil announced a task force to “hack the hackers” behind the recent Medibank data breach.
The task force will be a unique permanent joint collaboration between the Australian Federal Police and the Australian Signals Directorate. The 100 or so agents will use the same cyberweapons and tactics as cybercriminals to track them down and eliminate them as a threat.
Details about how the task force will operate remain murky, in part because it’s supposed to keep this information away from criminals. But the fact remains that taking an offensive stance, while it could deter further attacks, could also paint a large target on Australia’s back.
Australia strikes back
It wasn’t until 2016 that the Australian government first publicly acknowledged that it has offensive cyber capabilities, hosted by the Australian Signals Directorate, and that these have been used against offshore cybercriminals. The admission came from the then Prime Minister, Malcolm Turnbull, following attacks on the Bureau of Meteorology and the Department of Parliamentary Services.
Australia has used offensive cyber strategies a number of times in the past. This has included operations against ISIS and, more recently, attempts to disable scammers’ infrastructure and their access to stolen data at the start of the pandemic. Details of intelligence operations are generally kept secret, especially if the Australian Signals Directorate is involved.
How might the task force work?
This is what Minister O’Neil said the new task force will do:
scour the world, hunt down the criminal syndicates and gangs attacking Australia with cyberattacks and disrupt their efforts.
As for whether it could launch a counterattack against the Medibank hackers: the resources are there, but working out the details will be critical. Australia’s intelligence community has more resources than the average organised cyber gang, not to mention connections to other sophisticated intelligence agencies around the world.
However, a major issue in holding cybercriminals to account is attribution. A legitimate counterattack requires that the source of an attack be identified beyond reasonable doubt. The Medibank data breach has been attributed to criminals based in Russia, most likely from, or at least associated with, the REvil cyber gang.
This assumption is based on similarities between existing REvil dark web sites and the extortion site hosting the stolen Medibank data, as well as other similarities between the Medibank attack and REvil’s previous attacks.
That said, hackers can hide their identities by routing through (often unwitting) third parties. So even if this attack is the work of REvil or its close associates, the attackers can easily deny involvement if brought to justice.
The group could claim that its systems were being used as unwitting hosts by another third-party perpetrator. Plausible deniability can almost always be maintained in such cases, and Russia (and China) routinely deny involvement in cyber espionage.
As such, it is very difficult to prosecute cybercriminals, especially in cases where they are supported (officially or unofficially) by their government. And if perpetrators can’t be put behind bars, they can simply lie low for a while before showing up elsewhere in cyberspace.
In addition to the Medibank hackers, the task force will also focus on other potential threats to Australia. If attribution is imprecise in any of these operations, we could see tit-for-tat escalation. In the worst case, attacks based on misattribution could trigger a cyberwar with another country.
Defense before attack
By actively seeking out and trying to neutralize offshore gangs, Australia will put a target on its back. Criminal gangs affiliated with Russia and others could be encouraged to retaliate and attack our industries, including critical infrastructure.
Strengthening Australia’s cyber defences should be the top priority, arguably more so than retaliation. This is mainly because, even if the task force successfully counterattacks the Medibank hackers, the stolen data is unlikely to be recovered (since criminals make copies of stolen data).
Going after cybercriminals addresses the symptoms of the problem, not the root cause: the fact that our systems were vulnerable enough to be hacked in the first place. The Medibank breach, and the major Optus breach that preceded it, have both shown that even companies with seemingly strong cybersecurity protocols are vulnerable to attack.
The best option from a rational and technical point of view is to prevent data from being stolen as much as possible. It may not be such a flashy solution, but it’s the best in the long run.