Australia's Hack-Back Plan Against Cyberattackers Raises Familiar Concerns

Published: 23/11/2024 | Category: security




How far can its government — or any government or private company — go to proactively disrupt cyber threats without causing collateral damage?



The Australian government's defiant proclamation recently that it would "hack back" against hackers that sought to target organizations in the country represents a break from the usual cautious manner in which nations have approached international cyber threats.
How effective the country's newly announced joint standing operation against cybercriminal syndicates will be remains an open question, as does the issue of whether other nations will follow suit. Also unclear is how far exactly law enforcement is willing to go to neutralize infrastructure that it perceives as being used in cyberattacks against Australian entities.
"As it becomes more obvious that the majority of organizations are poorly prepared to defend themselves, I think it is justifiable for well-resourced governments to step in," says Richard Stiennon, chief research analyst at IT-Harvest. "I fully expect hack-back legislation to pass in response to some devastating attack that is visible to lots of voters. But I do not expect it to have teeth or change the landscape much."
Australian prime minister Anthony Albanese's government on Nov. 12 announced a joint initiative between the Australian Federal Police and the Australian Signals Directorate to investigate, target and disrupt cybercriminal syndicates, with a priority on ransomware threat groups.
The government launched the initiative following two major cyberattacks — one on telecommunications company Optus and the other on health insurer Medibank — that together exposed personally identifiable information (PII) and other sensitive information belonging to more than one-third of Australia's total population of some 26 million people.
The cyberattacks were among the largest in scope in the country's history and sparked considerable outrage and concern, especially after attackers began publicly leaking medical records (including abortion records) following Medibank's refusal to pay a demanded $10 million ransom. Some security researchers have pinned the blame for the ransomware attack on Medibank on Russia's notorious REvil threat group.
The Australian counter-hacking operation will prioritize cyber threats perceived as presenting the greatest threat to national interests. It will focus on intelligence gathering and on identifying cybercrime ring leaders and networks, so that law enforcement can intercept and disrupt operations and actors regardless of where they are operating from. Media outlets including the Guardian quoted Australian home affairs minister Clare O'Neil promising to "day in, day out, hunt down the scumbags" responsible for the recent attacks.
"The smartest and toughest people in our country are going to hack the hackers," the Guardian quoted O'Neil as saying.
The strong language notwithstanding, it's unclear how far exactly the Australian government will go — or can go — beyond what is already being done to disrupt cyber threats, especially those originating from outside its jurisdiction. Law enforcement and intelligence agencies in several countries, including the US, the UK, and Australia itself, are routinely engaged in the kind of intelligence gathering and tracking down of cybercriminals that the Australian government said it would carry out under the new initiative.
"It is my belief that the U.S. has been taking action in the cyber domain since at least 2010, when US Cyber Command was stood up," Stiennon says. "Other countries like the Netherlands and Israel have also demonstrated their abilities to strike back at sophisticated attackers."
Such efforts have resulted in numerous infrastructure takedowns and in arrests, indictments and convictions of cybercrime gang members and leaders over the years. Even major U.S. technology companies — often acting under the authority of court orders — have participated in these efforts. Examples include Microsoft's participation in the takedown of the Zloader botnet operation and its more recent disruption of the Seaborgium phishing operation out of Russia.
"Cybercriminal groups, despite the level of impunity they often operate under, are vulnerable to disruption," says Casey Ellis, founder and CTO of Bugcrowd. "In my opinion this makes proactive hunting a viable pursuit," he says, pointing to examples like law enforcement's takedown of the Conti and REvil group operations.
Since the sort of activity that the Australian government announced has been going on for quite some time now, Ellis says the recent announcement represents a doubling down on those efforts, designed to send a signal.
"Cybercriminal groups are far less effective when they distrust each other or feel as though they are actively targeted," Ellis says.
US lawmakers have on a few occasions attempted — and failed — to pass bills that would offer some legal backing for organizations that hack back against cyberattackers. One notable example was H.R. 4036, the Active Cyber Defense Certainty Act (ACDC) of 2017, which would have allowed hacking back as a defense measure on an organization's own network under certain circumstances.
Another bill in 2021, titled the Study on Cyber-Attack Response Options Act, would have required the US Department of Homeland Security to assess the benefits and consequences of amending the nation's current computer abuse law to add provisions for hacking back at attackers.
Both initiatives failed amid controversy, largely around concerns that innocent entities could be caught in the crossfire.
Security researchers, too, have long advocated caution around proactive efforts to disrupt criminal infrastructure — or to hack back against operators — because of the difficulties of attribution and the risk of collateral damage.
Innocent organizations, for instance, can be disrupted by the takedown of a hosting provider that a threat actor used to launch attacks. The ability of threat actors to launch attacks that appear to originate from somewhere else is another reason critics have called hack-back initiatives dangerous.
"In general, truly attributing an attack is quite difficult," says Erick Galinkin, principal researcher at Rapid7, a company that has been a staunch critic of hack-back bills such as ACDC. "Attribution may be one of the hardest problems in all of cybersecurity."
"There are a number of reasons for this, but among the main ones is that attackers are happy to use victims to target other victims. This means that when a victim hacks back, they may in fact be targeting another victim rather than an attacker," he says. "Moreover, allowing private sector hack back is incredibly challenging from an oversight and accountability perspective — how could a determination be made about who took the first offensive action?" he asks.
There are also potential legal landmines to consider.
A law that Georgia's state legislature passed in 2018 — but which the Governor later vetoed — contained a provision that in essence would have protected a company against legal liability if it conducted a hack-back operation against another entity, so long as it was part of "active defense."
As Rapid7 has noted, the term "active defense" as used in the bill could have been interpreted in any number of ways, leading to potential misuse and unintended consequences. "Here is a hypothetical: Remotely breaking into and searching another person's computers to see if that person possesses stolen passwords that could potentially be used for unauthorized access," the company said.
"The main con is that you don't want to get it wrong, especially when operating under government authority," Ellis from Bugcrowd agrees. "This type of activity certainly has the potential to escalate into an international incident," he says. "The upside is the opportunity to use the cyberattackers' advantage against them, thereby leveling the playing field a little better."
Nonetheless, there could be a growing appetite for such measures, Galinkin says, as the Australian bill shows. "Calls for bills such as the Active Cyber Defense Certainty Act and others may increase given the current cyber threat environment, but we as practitioners have a responsibility to continue to inform policymakers about the risks associated with allowing such activities."