In the early days of hacking, you knew you had been hacked because the hackers left something to be found to prove they had beaten your security.
Nahshon Even-Chaim, known as "Phoenix", was the first computer hacker to be convicted in Australia. He was the skilled and arrogant leader of the Melbourne-based computer hacking group "The Realm". His preferred targets were American defence, space, and nuclear weapons research networks.
Phoenix was active from the late 1980s until his arrest by the Australian Federal Police in early 1990. He was ultimately sentenced to 500 hours of community service, with a 12-month suspended jail term.
The sentence was light because the AFP had difficulty in getting statements from hacked organisations who didn't want to acknowledge they had been hacked. Had Phoenix been active in Israel he would have been given the choice of jail or working for the government's signals intelligence unit 8200.
Signals intelligence units (such as the Australian Signals Directorate) don't want targets to know they have been penetrated, and we in turn may not know if we have been penetrated by foreign signals intelligence services.
The standard response when I was in Defence was "we have no evidence of our systems being compromised".
We weren't saying that we hadn't been compromised - just that we didn't know whether we had been or not! (Fortunately, there is an air gap to protect Defence's most sensitive networks.)
Ever since the internet came into popular use in the 1990s it has been exploitable for nefarious purposes. I worked at the University of California at San Diego in 2003. UCSD had an impressive computer school and a large body of students from China. There were regular visits by hotshots from Silicon Valley telling students about the latest hardware and software developments.
Americans should therefore not have been surprised when, in 2009, Chinese hackers were able to hack into and download terabytes of data from the F-35 Joint Strike Fighter program. China thus avoided having to do much of the preliminary design research and had its version of the F-35 (the J-31) in the air within three years.
This year, Russian, Chinese, Iranian and North Korean hackers all employed new tradecraft to respond to global trends. It included: Russia's targeting of IT and cloud service providers; China's facilitation of hackers' access efforts; Iran's use of ransomware to blend disruptive operations with cybercrime activity; and North Korea's use of cryptocurrency to maintain illicit revenue generation.
Ransomware attacks are now attracting much greater attention because there are so many of them and they are on the rise. According to predictions made by Cybersecurity Ventures, the global cost of ransomware attacks could increase from US$20 billion in 2021 to US$265 billion by 2031.
Targeted organisations obviously know when they have been hacked by a ransomware group because the group will tell them they have taken control of their network and demand a ransom for unlocking it and not publicly releasing sensitive data.
The ransomware ecosystem is vast and interconnected, comprising at least 170 criminal enterprises involved in ransomware operations.
Russia's Kaspersky Lab identifies the eight most active ransomware groups as Conti/Ryuk, Pysa, Clop, Hive, Lockbit2, RagnarLocker, BlackByte, and BlackCat.
Heimdal Security lists the most dangerous groups in 2022 as Clop, Conti, DarkSide, REvil (also known as Sodinokibi), and LockBit.
To date, ransomware groups and affiliates have been able to effectively circumvent actions that threaten their operations, with some "rebranding" and others "morphing" and "amoeba-ing". Despite new approaches taken by law enforcement, including attempts to seize ransom payments, ransomware attacks continued to increase (up 82 per cent in 2021). Prosecutions so far have been of "low-hanging fruit" - ransomware franchisees operating in accessible jurisdictions.
Trying to stop private sector organisations from paying ransoms is not practical when the ransoms are affordable and the cost of not paying them is so astronomical. (The cost to Medibank of not paying US$10 million could be over $130 million - as well as loss of reputation and the likelihood of protracted lawsuits.)
ASD should continually audit the cybersecurity of major public and private sector organisations to ensure that organisations are better prepared against cyber-attack.
The claim by Home Affairs Minister Clare O'Neil that the ASD and AFP working together will put ransomware groups out of business is optimistic. The core ransomware groups operate with state protection in jurisdictions where we have limited access and no prospect of law enforcement cooperation.
- Clive Williams is a visiting fellow at the ANU's Strategic and Defence Studies Centre. He worked in signals intelligence and communications security and was formerly director of security intelligence in Defence.