The Australian government’s defiant proclamation recently that it would hack back against hackers that sought to target organizations in the country represents a break from the usual cautious manner in which nations have approached international cyber threats.
How effective the country’s newly announced “joint standing operation against cybercriminal syndicates” will be remains an open question, as does the issue of whether other nations will follow suit. Also unclear is how far exactly law enforcement is willing to go to neutralize infrastructure that it perceives as being used in cyberattacks against Australian entities.
Pressure for Hack-Back Legislation May Be Mounting
“As it becomes more obvious that the majority of organizations are poorly prepared to defend themselves, I think it is justifiable for well-resourced governments to step in,” says Richard Stiennon, chief research analyst at IT-Harvest. “I fully expect hack-back legislation to pass in response to some devastating attack that is visible to lots of voters. But I do not expect it to have teeth or change the landscape much.”
Australian prime minister Anthony Albanese’s government on Nov. 12 announced a joint initiative between the Australian Federal Police and the Australian Signals Directorate to “investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups.”
The government launched the initiative following two major cyberattacks — one on telecommunications company Optus and the other on health insurer Medibank — that together exposed personally identifiable information (PII) and other sensitive information belonging to more than one-third of Australia’s total population of some 26 million people.
The cyberattacks were among the largest in scope in the country’s history and sparked considerable outrage and concern, especially after attackers began publicly leaking medical records (including abortion records) following Medibank’s refusal to pay a demanded $10 million ransom. Some security researchers have pinned the blame for the ransomware attack on Medibank on Russia’s notorious REvil threat group.
The Australian counter-hacking operation will prioritize cyber threats perceived as presenting the greatest threat to national interests. It will focus on intelligence gathering, identifying cybercrime ring leaders and networks, so law enforcement can intercept and disrupt operations and actors regardless of where they are operating from. Media outlets including the Guardian quoted Australian home affairs minister Clare O’Neil promising to “day in, day out hunt down the scumbags” responsible for the recent attacks.
“The smartest and toughest people in our country are going to hack the hackers,” the Guardian quoted O’Neil as saying.
An Ongoing Practice
The strong language notwithstanding, it’s unclear how far exactly the Australian government will go — or can go — beyond what is already being done to disrupt cyber threats, especially those originating from outside its jurisdiction. Law enforcement and intelligence agencies in several countries, including the US, UK, and Australia itself, routinely are engaged in the kind of intelligence gathering and tracking down of cybercriminals that the Australian government said it would carry out under the new initiative.
“It is my belief that the U.S. has been taking action in the cyber-domain since at 2010 when US Cyber Command was stood up,” Stiennon says. “Other countries like the Netherlands and Israel have also demonstrated their abilities to strike back at sophisticated attackers.”
Such efforts have resulted in numerous infrastructure takedowns and arrests, indictments and convictions of cybercrime gang members and leaders over the years. Even major U.S. technology companies — often acting under the authority of court orders — have participated in these efforts: Examples include Microsoft’s participation in the takedown of the Zloader botnet operation and its more recent disruption of the Seaborgium phishing operation out of Russia.
“Cybercriminal groups, despite the level of impunity they often operate under, are vulnerable to disruption,” says Casey Ellis, founder and CTO of Bugcrowd. “In my opinion this makes proactive hunting a viable pursuit,” he says, pointing to examples like law enforcement’s takedown of the Conti and REvil group operations.
Since the sort of activity that the Australian government announced has been going on for quite some time now, Ellis says the recent announcement represents a doubling down on those efforts, designed to send a signal.
“Cybercriminal groups are far less effective when they distrust each other or feel as though they are actively targeted,” Ellis says.
US lawmakers have on a few occasions attempted — and failed — to pass bills that would offer some legal backing for organizations that hack back against cyberattackers. One notable example was H.R. 4036, the Active Cyber Defense Certainty Act (ACDC) of 2017, which would have allowed hacking back as a defense measure on an organization’s own network under certain circumstances.
Another bill in 2021, titled “Study on Cyber-Attack Response Options Act,” would have required the US Department of Homeland Security to assess the benefits and consequences of amending the nation’s current computer abuse law to provide provisions for hacking back at attackers.
The initiatives failed amid controversy, largely around concerns that innocent entities could be caught in the crossfire.
The Need for Caution
Security researchers too have long advocated the need for caution around proactive efforts to disrupt criminal infrastructure — or to hack back against operators — because of the difficulties around attribution and collateral damage.
Innocent organizations, for instance, can get disrupted from the takedown of a hosting provider that a threat actor might have used to launch attacks. The ability for threat actors to launch attacks that appear to originate from somewhere else is another reason why critics have noted hack-back initiatives are dangerous.
“In general, truly attributing an attack is quite difficult,” says Erick Galinkin, principal researcher at Rapid7, a company that has been a staunch critic of hack-back bills such as ACDC. “Attribution may be one of the hardest problems in all of cybersecurity.”
There are a number of reasons for this, but among the main ones is that attackers are happy to use victims to target other victims. This means that when a victim hacks back, they may in fact be targeting another victim rather than an attacker, he says. “Moreover, allowing private sector hack back is incredibly challenging from an oversight and accountability perspective — how could a determination be made about who took the first offensive action?” he asks.
There are also potential legal landmines to consider. A law that Georgia’s state legislature passed in 2018 — but which the Governor later vetoed — contained a provision that in essence would have protected a company against legal liability if it conducted a hack-back operation against another entity so long as it was part of “active defense.”
As Rapid7 has noted, the term “active defense” as used in the bill could have been interpreted in any number of ways, leading to potential misuse and unintended consequences. “Here is a hypothetical: Remotely breaking into and searching another person’s computers to see if that person possesses stolen passwords that could potentially be used for unauthorized access,” the company said.
The main con is that you don’t want to get it wrong, especially when operating under government authority, Ellis from Bugcrowd agrees. “This type of activity certainly has the potential to escalate into an international incident,” he says. “The upside is the opportunity to use the cyberattacker’s advantage against them, thereby leveling the playing field a little better.”
Nonetheless, there could be a growing appetite for such measures, Galinkin says, as the Australian bill shows. “Calls for bills such as the Active Cyber Defense Certainty Act and others may increase given the current cyber threat environment, but we as practitioners have a responsibility to continue to inform policymakers about the risks associated with allowing such activities.”