Forget the Hollywood stereotype of the lone hacker living in his mother’s basement and plotting his revenge against the world. Today’s cyber criminals are organised, sophisticated and sometimes state-sponsored.
US officials have confirmed the world’s worst-kept secret – that hackers tied to the Chinese government were responsible for the massive Microsoft Exchange hack earlier this year, thought to be one of the largest cyber attacks in history.
Hackers contracted by China’s Ministry of State Security are believed to have gained access to the email systems of tens of thousands of private users and public entities, including schools, hospitals and city councils.
Microsoft blamed the attack on state-sponsored hackers operating out of China at the time, but it’s taken until now for the US and its global allies – including Australia, the UK and the EU – to formally accuse and publicly condemn China for the attacks.
Of course, the Microsoft Exchange breach is just part of a recent uptick in cyber crime, which has seen a 200 per cent increase in reports of ransomware to the Australian Cyber Security Centre in recent months.
So how did cyber crime become such serious business, and who’s behind the malware that’s enabling it?
The rise of ransomware
Ransomware – a form of malware that encrypts the victim’s files, enabling the attacker to demand a ransom for their return – has come a long way since the early days of the AIDS Trojan in 1989.
The first known instance of ransomware, the AIDS Trojan hid files on the user’s hard drive and only encrypted their names, not the files themselves. It displayed a message demanding a payment of US$189 to the ‘PC Cyborg Corporation’ in return for the repair tool – which was actually completely unnecessary, because the decryption key could be extracted from the code of the Trojan itself.
Dr Joseph Popp was identified as the author of the AIDS Trojan and charged with blackmail. A Harvard-trained evolutionary biologist who collaborated with the AMREF Flying Doctors and consulted for the WHO in Kenya, Popp had actually organised a conference for the Global AIDS Program the same year he created the AIDS Trojan, and later promised to donate the profits from the AIDS Trojan to fund actual AIDS research. (He was ultimately declared mentally unfit to stand trial.)
Much like low-rise jeans, trucker hats and velour tracksuits, it wasn’t until the early-to-mid 2000s that ransomware really began to take hold. Trojans known as GPCode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began using more sophisticated encryption schemes – by June 2008, GPCode was using a 1024-bit RSA public key, which would have taken computers at the time roughly two million years to crack.
The decentralised and anonymous nature of Bitcoin made the digital currency an instant favourite with cyber criminals, which led to the creators of CryptoLocker (no relation) collecting roughly US$27 million with their ransomware. A string of copycat variants with names like CryptoLocker 2.0 and CryptoBlocker followed, all with roughly the same MO – the victim would have three days to pay a bitcoin ransom, or the files would be deleted.
These early ransomware techniques all relied on the desire of victims to get their files back to motivate them to pay the ransom. But the current ransomware technique du jour, ‘double extortion’, puts a twist on the formula. In a double extortion attack, the criminals don’t just encrypt the victim’s data, but they also copy it to a server of their own.
That way, even once the victim pays the ransom to decrypt the data, the criminals still have their copy, and can demand a second ransom – a double extortion, if you will – by threatening to leak it publicly.
Ransomware group REvil were the first to use the double extortion tactic in June 2020, when they began auctioning off data stolen from a Canadian agricultural production company that refused to meet their ransom demands. But since then, a number of ransomware groups have adopted the tactic.
Gangs of New Dork
Particular ransomware strains have traditionally been associated with particular ransomware groups, who would dissolve after a few big scores and then re-emerge with a new name.
But now, according to a recent report by cyber risk analytics provider CyberCube, these groups have evolved into cyber ‘cartels’ that operate much like the mafia, collaborating as affiliates to infiltrate their targets’ networks. They share resources, pass on stolen data and attack information, and have even developed a Ransomware-as-a-Service model, sharing their wares with lone scammers in return for a slice of their profits.
Under the Ransomware-as-a-Service model, newcomers to the ransomware scene don’t need to have the know-how to develop their own malware, so even the most technically challenged cyber criminal can get amongst it. They’re not likely to pull off big scores on their own, but the relatively small amounts they extort from individuals add up – a new Australian Institute of Criminology report estimated the total annual economic impact of cyber crime at $3.5 billion in Australia alone, with $1.9 billion lost by individual victims.
High-profile cyber gangs include:
- The aforementioned REvil (also known as Sodin), the gang that developed the double extortion technique. REvil recently hit Acer with a US$50 million ransom demand, before attacking UnitingCare Queensland, rendering IT systems used by hospitals and aged care facilities inaccessible. REvil is said to have evolved from GandCrab, which claimed to have raked in more than US$2 billion in ransom payments.
- DarkSide, which extorted a US$4.4 million ransom from one of the United States’ major fuel pipeline operators, the Colonial Pipeline Company.
- DoppelPaymer, known for targeting government organisations around the world. They published US voter data stolen from Georgia and extorted US$500,000 from Delaware County, Pennsylvania.
- Maze, which extorted more than US$400,000 from the University of Utah after threatening to leak student data in a double extortion attack.
- Ryuk, which targeted a string of hospitals in the US amidst the COVID-19 pandemic before closing operations in 2020 and re-emerging as Conti. Conti then targeted New Zealand’s Waikato Hospital and Ireland’s Department of Health.
- Avaddon, which stole health records and other sensitive information from AXA Insurance. This was supposedly in retaliation for AXA announcing it wouldn’t cover companies that fell victim to cyber attacks.
- Hafnium, the Chinese group identified by Microsoft as the perpetrators of the Microsoft Exchange attack.
Cyber gangs are one thing – but it now appears that at least some of these gangs are on the payroll of rogue governments, and operating at their behest.
The United States took the unprecedented step of formally attributing the Microsoft Exchange attack to hackers affiliated with China’s Ministry of State Security this month, and charging four Chinese nationals – three security officials and one contract hacker – for their role in it.
Pulling no punches, US Secretary of State Antony Blinken directly accused China of fostering an ecosystem of criminal contract hackers to carry out state-sponsored activities and extort businesses for their own financial gain.
“These contract hackers cost governments and businesses billions of dollars in stolen intellectual property, ransom payments, and cyber security mitigation efforts, all while the Ministry of State Security had them on its payroll,” Blinken said.
The US was joined by allies Australia, Canada, Japan, the United Kingdom, New Zealand and the European Union in calling out the Chinese government.
The working theory is that hackers working at the behest of Chinese intelligence learned about Microsoft’s vulnerability in early January. When they learned that Microsoft intended to patch or close the vulnerability shortly, they shared it with other China-based groups, helping them hack Microsoft like a sinister version of Clippy the Office Assistant. This effectively escalated the attack from your typical espionage operation to a smash-and-grab raid.
By the time Microsoft closed the vulnerability in March, about a quarter of a million email systems around the world had been exposed, and at least 30,000 had been compromised, including schools, hospitals, cities and pharmacies.
According to a memo released by the White House, hackers linked to China are still “aggressively” targeting US and allied defence and semiconductor firms, as well as medical institutions and universities, with the intent of stealing their data.
This isn’t the first time China has been linked to these sorts of shenanigans. Australia’s decision to name and shame China comes after Prime Minister Scott Morrison warned that a state-based actor was behind a series of cyber raids on hospitals, councils and state-owned utilities in June 2020 – but although Australian security agencies believed China was behind those attacks, Morrison stopped short of identifying them then.
One nation that’s probably happy to see China under the spotlight is Russia, which has tended to get the most attention for these types of attacks. DarkSide, the group that extorted a US$4.4 million ransom from the Colonial Pipeline Company in the US, is believed to be based in Russia, although it’s unclear if they’re actually state-sponsored or if Russia simply serves as a ‘safe haven’ for hackers.
Russian hackers are generally considered to have a looser connection to official Russian intelligence agencies than their Chinese counterparts, although sanctions were recently placed on Russia for the infamous ‘Sunburst’ attack on US software company SolarWinds.
The attack affected thousands of governmental and private organisations around the world, and while its full impact is yet to be calculated, it’s been reported to have cost cyber insurance firms at least US$90 million.
While China and Russia get the bulk of the publicity, they’re far from the only governments to have been involved in malicious cyber activity. But when nations are involved, the line between cyber crime (bad) and espionage (good?) often becomes murky.
After being accused of cyber crime by most of the free world, China responded with an official statement that called the US “the world champion of malicious cyber attacks”.
“It is well known that the US has engaged in unscrupulous, massive and indiscriminate eavesdropping on many countries, including its allies,” the statement read.
“Australia also has a poor record, including monitoring the mobile phone of the president of its biggest neighbour country, not to mention acting as an accomplice for the US’ eavesdropping activities under the framework of the Five Eyes alliance.
“What the Australian government has done is extremely hypocritical, like a thief crying ‘stop the thief’,” the statement continued.
At roughly the same time that the US accused China of the Microsoft Exchange attack, a new investigation dubbed “the Pegasus Project” revealed the extent of Israeli technology firm NSO Group’s involvement in targeting thousands of heads of state, activists, journalists and dissidents around the world.
Their Pegasus spyware, which is licensed to foreign governments by the Israeli Ministry of Defence, is said to have enabled human rights violations on a global scale, including the murder of reporter Jamal Khashoggi by agents of the Saudi government with a bone saw in the Saudi Arabian consulate – a scenario that sounds like a cross between Clue and Cards Against Humanity.
Pegasus infects iPhones and Android devices, allowing operators to extract messages, photos and emails, record calls and secretly activate microphones and cameras.
Of course, you don’t have to be a head of state, a CEO or a crusading reporter to be concerned about cyber crime. The purpose of these attacks is to steal data – and if you’ve ever been a customer or a client of a targeted organisation, then that includes your data.
For instance, the intent of the Microsoft Exchange attack might have been to gather intelligence, but there was little rhyme or reason to who was targeted. The method was simply to hack as many people and organisations as possible in a short time frame and make sense of the data later.
So while Xi Jinping may not harbour a personal vendetta against you, the collateral damage of an attack like this could see your personal data and private records leaked for the world to see, leaving you open to identity theft, phishing attacks, or worse.
The rise in cyber crime, then, is everyone’s problem – no matter who turns out to be behind it.
Recognised by Forbes as one of the 20 Best Cybersecurity Startups to Watch in 2020, Cryptoloc has developed the world’s strongest encryption technology and the world’s safest cybersecurity platform, ensuring clients have complete control over their data. For more information, visit cryptoloc.com.