Tightening the net around international online criminals

No easy solution to a problem that is worsening

The Weekend Australian - INQUIRER - FERGUS HANSON

As the world adjusts uncomfortably to the reality that the planet’s most dysfunctional leader also has nuclear weapons, it’s worth considering some of the ways murderous regimes and criminal gangs are funding themselves in the 21st century.

A recent report from a South Korean state-backed institute documented the increasingly well-organised efforts of the North Korean government to hack for hard currency.

The regime is widely believed to be behind last year’s $US81 million cyber heist on the Bangladesh central bank, making it among the largest bank robberies in history. As brazen as the theft was, it still constituted only a relatively modest proportion of North Korea’s (puny) $US15 billion gross domestic product.

However, the amount stolen would have been many multiples larger and a significant boost to the country’s economic fortunes if the thieves hadn’t misspelled “foundation” as “fandation” in the name of one of the groups it routed the money to. The typo prompted Deutsche Bank, which was involved in routing the transaction, to seek clarification from the Bangladesh bank, uncovering the plot part way through.

But North Korea is never one to be shamed into mending its ways. It is believed to have 1700 state-sponsored hackers, backed by more than 5000 support staff, and they are busy stealing. Beyond heists on central banks, they have been implicated in the theft of bank card information by hacking into ATMs to then withdraw cash or sell the information on the black market. They also have targeted online gambling sites to steal money.

The hacking-for-cash spree has not been limited to rogue states. The chief executive of entertainment group HBO must have had a panic attack when he opened this email in his inbox:

Dear Richard Plepler; I am Mr Smith and I have the honor to inform you, on behalf of my colleagues, that we successfully breached into your huge network. We are glad to say that in a complicated cyber operation, infiltration to your network accomplished and we obtained most valuable informations. (1.5 Terabyte)

This email was sent by hackers who stole a trove of unreleased television shows, Game of Thrones scripts and sensitive internal communications. The letter outlined a schedule of releases for the stolen material unless the $US6m ($7.5m) ransom was paid. HBO refused to play ball (beyond an initial offer of $US250,000, reportedly intended as a stalling tactic) and the hackers responded with a string of leaks that have included episodes of Curb Your Enthusiasm, Ballers, Room 104 and Insecure, along with yet-to-debut shows Barry and The Deuce. The hackers claimed the company was their 17th victim and all but three had paid up, supposedly earning them $US12m to $US15m a year.

In a similar operation in June, South Korean web-hosting firm Nayana paid a $US1m ransom to unlock computers after bargaining the hackers down from $US4.4m. In a statement, Nayana’s chief executive said: “Now I am bankrupt. Everything I’ve been working on for 20 years is expected to disappear at 12.00 tomorrow.”

Notwithstanding the depredations of Kim Jong-un and his fellow travellers, criminals, rather than states, still account for the vast bulk of malicious online activity and the range of ransom cases they conduct varies widely in scale and objectives.

At the more traditional end of the spectrum are the bank robbers of the 21st century, those who attempt to steal money from bank accounts with techniques such as tricking users into clicking compromised links in emails (“phishing” attacks) that lead victims to a fake bank website to steal logins and passwords, or even install malware that will steal bank details and passwords. Banks are coy about discussing how much money is stolen from them a year through these efforts, but losses and the costs of defence are significant. A Kaspersky Lab report in June found the average cybersecurity incident involving online banking services cost $US1.75m.

At another extreme are some of the cases that target individuals. In “sextortion” cases, perpetrators have tricked women and girls into downloading malware on to their computers. This provides access to all the computer’s files including photos and videos. Compromising naked photos stored on the computer or obtained via the user’s webcam are then used to manipulate victims and force them to provide more naked videos and photos under threat of having the original photos uploaded to public websites or sent to parents.

In one case documented by the Brookings Institution, investigators in the US found a perpetrator with more than 15,000 webcam video captures, 900 audio recordings and 13,000 screen captures involving about 230 people, 44 of them minors, extending as far afield as New Zealand.

If this all sounds very wild west, that’s because it is. The situation has reached absurd proportions. If a criminal gang physically broke into an Australian business to steal from it, police would be called in and business owners would probably be confident the perpetrators would be brought to justice. When the same theft occurs online, the situation is very different. Large businesses may not report the theft for fear of reputational damage; highly specialised investigative skills are required so your local police officer is unlikely to be able to help; and if the authorities are called in, the business owner’s confidence that the perpetrator will be caught is likely to be very low.

There is no simple solution to this increasingly complex problem. It can be hard to trace these operations to their source, and if that source ends up being a country that won’t co-operate with Australian law enforcement officers, what can be done?

That bind is driving demands in some quarters for companies to take some measures into their own hands. In March, a Republican congressman from Georgia proposed a bill that would allow companies to take “active cyber defence measures” in response to persistent cyber intrusions. Without clear guardrails, allowing companies to engage in more active operations carries enormous complications. There is the risk they will incorrectly identify perpetrators, prompting them to go after the wrong group, then fail to anticipate second and third-order consequences.

The solution will probably require work across multiple fronts, some of it slow. The most immediate response is to improve defences so that we become unattractive targets. Companies and individuals should take steps to strengthen their cybersecurity to better deter intruders.

On June 30, the Australian government announced it would authorise offensive cyber operations against otherwise hard-to-reach offshore cyber criminals who target Australia. While this addresses a threat from jurisdictions where international law enforcement is ineffective, it is a long way from a cure for the broad spectrum and huge volume of intrusions facing Australia. Longer term, international law enforcement co-operation needs to be strengthened. Until there are real penalties for cyber-criminal groups operating offshore, they are likely to flourish in a fairly benign operating environment.

Also in the longer-term basket are efforts to pressure bad actors to reform. An example in this space was the 2015 effort, spearheaded by the US, to force China to end its rampant commercial cyber espionage. Since then a string of countries, including Australia, has reached similar bilateral agreements with China, as well as the G20. The jury is still out on whether it will comply but there are positive signs.

Like criminal activity in the real world, hacking for ransom online is here to stay. But the permissive environment can’t last.

Attacks are likely to persist and flourish in what is a fairly benign operating environment
