16 Sep 2017
Tightening the net around international online criminals
As the world adjusts uncomfortably to the reality that the planet’s most dysfunctional leader also has nuclear weapons, it’s worth considering some of the ways murderous regimes and criminal gangs are funding themselves in the 21st century.
A recent report from a South Korean state-backed institute documented the increasingly well-organised efforts of the North Korean government to hack for hard currency.
The regime is widely believed to be behind last year’s $US81 million cyber heist on the Bangladesh central bank, one of the largest bank robberies in history. As brazen as the theft was, it still constituted only a relatively modest proportion of North Korea’s (puny) $US15 billion gross domestic product.
However, the amount stolen would have been many multiples larger, and a significant boost to the country’s economic fortunes, if the thieves hadn’t misspelled “foundation” as “fandation” in the name of one of the groups they routed the money to. The typo prompted Deutsche Bank, which was involved in routing the transaction, to seek clarification from the Bangladesh bank, uncovering the plot part way through.
But North Korea is never one to be shamed into mending its ways. It is believed to have 1700 state-sponsored hackers, backed by more than 5000 support staff, and they are busy stealing. Beyond heists on central banks, they have been implicated in the theft of bank card information by hacking into ATMs to then withdraw cash or sell the information on the black market. They also have targeted online gambling sites to steal money.
The hacking-for-cash spree has not been limited to rogue states. The chief executive of entertainment group HBO must have had a panic attack when he opened this email in his inbox:
Dear Richard Plepler;
I am Mr Smith and I have the honor to inform you, on behalf of my colleagues, that we successfully breached into your huge network. We are glad to say that in a complicated cyber operation, infiltration to your network accomplished and we obtained most valuable informations. (1.5 Terabyte)
This email was sent by hackers who stole a trove of unreleased television shows, Game of Thrones scripts and sensitive internal communications. The letter outlined a schedule of releases for the stolen material unless the $US6m ($7.5m) ransom was paid. HBO refused to play ball (beyond an initial offer of $US250,000, reportedly intended as a stalling tactic) and the hackers responded with a string of leaks that have included episodes of Curb Your Enthusiasm, Ballers, Room 104 and Insecure, along with yet-to-debut shows Barry and The Deuce. The hackers claimed the company was their 17th victim and all but three had paid up, supposedly earning them $US12m to $US15m a year.
In a similar operation in June, South Korean web-hosting firm Nayana paid a $US1m ransom to unlock computers after bargaining the hackers down from $US4.4m. In a statement, Nayana’s chief executive said: “Now I am bankrupt. Everything I’ve been working on for 20 years is expected to disappear at 12.00 tomorrow.”
Notwithstanding the depredations of Kim Jong-un and his fellow travellers, criminals, rather than states, still account for the vast bulk of malicious online activity and the range of ransom cases they conduct varies widely in scale and objectives.
At the more traditional end of the spectrum are the bank robbers of the 21st century: those who attempt to steal money from bank accounts with techniques such as “phishing”, tricking users into clicking links in emails that lead to a fake bank website designed to capture logins and passwords, or that install malware to harvest bank details and passwords. Banks are coy about discussing how much money is stolen from them each year through these efforts, but the losses and the costs of defence are significant. A Kaspersky Lab report in June found the average cybersecurity incident involving online banking services cost $US1.75m.
At another extreme are some of the cases that target individuals. In “sextortion” cases, perpetrators have tricked women and girls into downloading malware on to their computers. This provides access to all the computer’s files including photos and videos. Compromising naked photos stored on the computer or obtained via the user’s webcam are then used to manipulate victims and force them to provide more naked videos and photos under threat of having the original photos uploaded to public websites or sent to parents.
In one case documented by the Brookings Institution, investigators in the US found a perpetrator with more than 15,000 webcam video captures, 900 audio recordings and 13,000 screen captures involving about 230 people, 44 of them minors, extending as far afield as New Zealand.
If this all sounds very Wild West, that’s because it is. The situation has reached absurd proportions. If a criminal gang physically broke into an Australian business to steal from it, police would be called in and business owners would probably be confident the perpetrators would be brought to justice. When the same theft occurs online, the situation is very different. Large businesses may not report the theft for fear of reputational damage; highly specialised investigative skills are required, so your local police officer is unlikely to be able to help; and if the authorities are called in, the business owner’s confidence that the perpetrator will be caught is likely to be very low.
There is no simple solution to this increasingly complex problem. It can be hard to trace these operations to their source, and if that source ends up being a country that won’t co-operate with Australian law enforcement officers, what can be done?
That bind is driving demands in some quarters for companies to take some measures into their own hands. In March, a Republican congressman from Georgia proposed a bill that would allow companies to take “active cyber defence measures” in response to persistent cyber intrusions. Without clear guardrails, allowing companies to engage in more active operations carries enormous complications. There is the risk they will incorrectly identify perpetrators, prompting them to go after the wrong group, and then fail to anticipate second- and third-order consequences.
The solution will probably require work across multiple fronts, some of it slow. The most immediate response is to improve defences so that we become unattractive targets. Companies and individuals should take steps to strengthen their cybersecurity to better deter intruders.
On June 30, the Australian government announced it would authorise offensive cyber operations against otherwise hard-to-reach offshore cyber criminals who target Australia. While this addresses a threat from jurisdictions where international law enforcement is ineffective, it is a long way from a cure for the broad spectrum and huge volume of intrusions facing Australia. Longer term, international law enforcement co-operation needs to be strengthened. Until there are real penalties for cyber-criminal groups operating offshore, they are likely to flourish in a fairly benign operating environment.
Also in the longer-term basket are efforts to pressure bad actors to reform. An example in this space was the 2015 effort, spearheaded by the US, to force China to end its rampant commercial cyber espionage. Since then a string of countries, including Australia, as well as the G20, has reached similar agreements with China. The jury is still out on whether China will comply, but there are positive signs.
Like criminal activity in the real world, hacking for ransom online is here to stay. But the permissive environment can’t last.