Companies are hacking back against cybercriminals to try to prevent—or at least limit the damage of—Equifax-style disasters. One problem: It’s not all that legal.
Photo Illustration by The Daily Beast
The plan was to hack the hackers. Cybercriminals had targeted a global bank’s customers with phishing emails to break into their accounts. The legal option—waiting for law enforcement to investigate and perhaps apprehend the hackers—would have taken too long. So the bank was willing to try something else, and a team of security consultants offered to strike back.
The idea, one member of the team said, “was full breach. Collect intel on suspects; who possibly had been caught [by the hackers’ attacks],” and then destroy any stolen data. The Daily Beast granted anonymity to the source, who worked with the hacking team on behalf of the bank, to discuss sensitive industry practices. They did not name the bank.
The bank’s team broke into the hackers’ infrastructure on a selection of overseas servers, and found a list of who exactly the attackers had phished, as well as clues on their location.
Rather than attackers quietly stealing information from, say, Equifax, imagine if a group of counter-hackers caught them in the act? What if they then struck back—and deleted the siphoned data before more damage could be done?
This is the underground practice of hacking back, where private companies and individuals retaliate against hackers to protect their own networks or data, often breaking laws in the process. But despite being something of an open secret in the information security world, examples of what exactly happens behind the scenes of these hacking campaigns rarely make their way into the public, stifling the debate on whether this practice should be the norm.
Soon, hacking back may become legal too, if a piece of legislation proposed earlier this year by a Georgia congressman passes.
“Almost every large organization I consult with has some form of hack back going on,” Davi Ottenheimer, president of security consultancy FlyingPenguin, and who has engaged in the practice, told The Daily Beast.
Hacking back, sometimes known as active defense, covers a range of different techniques and tools. On the lower end of the spectrum, companies may booby-trap their files, so when a hacker steals and opens the documents they surreptitiously alert the victim. Other approaches involve probing a cybercriminal’s infrastructure for weaknesses or snippets of information that could reveal who is behind an attack.
At a more advanced level, hacking back can include remotely breaking into a target’s servers and wiping any data—as the consultants working for the global bank did—disabling the hacker’s malware, or even launching distributed-denial-of-service (DDoS) attacks to slow the criminal’s operations to a crawl or as a show of force.
Hacking back may help investigators with attribution: the task of finding out the identities of the attackers striking a company, or at least where they come from. Rather than just having to rely on forensic evidence hackers leave on a network, victims can glean more information from the hacker’s computers. Or instead of only examining footprints after a burglary, investigators can follow the getaway car and enter the criminal’s safe house.
In one case, someone found the hacker’s stockpile of stolen goods too.
Back in 2007, Chinese state-sponsored hackers targeted U.K. businesses in a wide-ranging espionage campaign. According to a letter the country’s domestic intelligence service MI5 issued to potential victims, the hackers were looking for financial information related to deals with Chinese companies.
A security researcher and his team found one of the hacker group’s servers used to store the data, such as spreadsheets, and this particular case revolved around an oil company in disputed waters. The Daily Beast granted the researcher anonymity to detail a sensitive incident.
“It was like an elephant in the room that the [attackers’ server] was hacked,” the researcher said. “Everyone was very clear on it being illegal and [that it] shouldn’t be done.”
The hack led to a “very uncomfortable discussion with U.K. intelligence,” the researcher added. The researchers knew the intel was sourced illegally, but also understood it was important to discuss it with the government.
Regardless, the data obtained was good, and went beyond just whatever documents the Chinese hackers had stolen. “The hack recovered some of the tools from the [hacker’s server] and the connecting IP addresses,” the researcher said. “But no one would admit to where it came from or how it came to be.”
Indeed, the illegality of hacking back is one reason why so few people or organizations admit engaging in the practice. Back in 2005, a network security analyst was fired from his company for striking back against hackers (he went on to win a lawsuit for wrongful termination).
In one recent case, encrypted email provider ProtonMail claimed in a tweet it hacked cybercriminals who were trying to steal its users’ login details. The company quickly deleted the tweet, and refused to comment further. And Ottenheimer, the consultant, declined to elaborate on what specific sort of hacking back he carried out.
Those hacking back may be in violation of the United States’ notorious Computer Fraud and Abuse Act, or, depending on what exactly the hackers do, may also breach wiretapping legislation and face criminal prosecution themselves. And if the servers or other pieces of infrastructure are based overseas, hackers working for victimized companies may break foreign laws too.
U.S. Department of Justice has considered prosecuting individuals for hacking back, according to information obtained by The Daily Beast, and those who cause things such as data loss are more likely to face charges.
Hackers going after crooks have also interfered with law enforcement investigations. In a case described to The Daily Beast, someone probed cybercriminals’ infrastructure, but the crooks noticed they were being watched, and moved their operations elsewhere. However, the U.S. government was also conducting surveillance on the hackers—now, the feds’ investigation was blown.
“I know of five companies that have hacked back,” E.J. Hilbert, a former FBI agent focused on cybercrime, told The Daily Beast. Hilbert declined to name the companies, but said two were government contractors, another two were in the retail sector, and the fifth was a manufacturing firm.
Hilbert said all five companies retaliated to try and understand what exactly hackers managed to steal during a breach. But all the companies had trouble locating the system the hackers used to transmit the data in the first place, he added. Hackers often use other people’s computers or servers to launch attacks from. So when the victim of a breach retaliates, they may not be targeting the hacker’s computer, but striking back against an arguably innocent system. It’s like returning fire in a gunfight and a stray bullet hitting a passerby.
“Given that most attacks do not come straight from the attackers’ computers, rather they are routed through systems that have been compromised along the way, a hack back could do damage to innocent systems without ever reaching the bad guys,” Hilbert said. Eventually, all five companies gave up out of fear of getting caught, Hilbert added.
In Hilbert’s experience, many companies talked about hacking back but did not have the offensive capability to do so. Perhaps in response to that gap, a number of firms do quietly provide hack back services, such as the consultant who worked on behalf of the global bank. Other companies, though, are more explicit in their marketing.
U.K. cybersecurity firm Pervade offers software for private companies to more easily launch DDoS attacks, in which servers bombard a target with so much traffic that it crawls to a halt. The company also provides basic SQL-injection, which can be used in certain circumstances to steal data. Pervade claims customers for these tools include companies in the gaming, hedge fund, and health sectors.
“Simply sitting on the ropes and taking a battering day after day is not sustainable as the level of attacks continues to rise,” John Davies, managing director of Pervade, told The Daily Beast.
More companies may start offering hack back services as multiple countries look into legally allowing companies to retaliate.
Earlier this year, Republican congressman Tom Graves proposed legalizing parts of hacking back with the Active Cyber Defense Certainty Act (ACDC). The idea would be for companies to be able to learn more about attackers’ tools, stop ongoing hacking campaigns, or gather information that could potentially identify the hacker.
Some members of the Israeli government are also exploring the possibility of legalizing hacking back. As part of an upcoming research paper, Michael Sulmeyer, the Belfer Center’s Cyber Security project director at the Harvard Kennedy School, recently organized a meeting with Israeli officials to discuss the issue. Employees from several U.S. cybersecurity companies also attended, according to Jen Ellis, vice president of community and public affairs at cybersecurity company Rapid7, who was at the meeting. The employees attended in a personal capacity.
“I think they were a little surprised by the response they got,” Ellis said, referring to the Israeli government officials. Ellis said the U.S. companies and other experts present were unanimously against hacking back, while the Israelis leaned in favor.
“I’m pretty convinced that the current arrangement of merely asserting that hacking back is illegal, so therefore do nothing—I do not think that is a sustainable approach,” Sulmeyer told The Daily Beast.
“Something’s going to have to change,” he added.
Instead of just legalizing hacking back outright though, Sulmeyer said more could be done to work with organizations and bodies that can already interrupt traffic, and who may be able to deny service to hackers, such as internet service providers.
But according to proponents of hacking back, authorizing the practice could make it much safer.
“By bringing it into the sunlight, we would be able to assess the risk squarely rather than behind closed doors and pretend it doesn’t exist,” Ottenheimer, the president of the security consultancy who has hacked back, said.
“We are missing an opportunity to regulate something that is already happening,” he added.
Regardless, companies will continue to strike back, in the shadows, whether lawmakers push for change or not.
“It was effective,” the consultant who hacked for the global bank firm said.