Topics: Cybersecurity, cyber-attacks
ARCHIVAL V/O: Cyber security experts scrambling to assess the scale of the attack.
ARCHIVAL V/O: The cyber-attack on Latitude Financial held details of millions of Optus customers at risk.
JON DIMAGGIO: It's organised crime. It's a modern‑day version of the mob.
JOHN LYONS: Australia is under attack, and the enemy is anonymous.
SPEAKER 4: With all of these attacks, they are intense, they're stressful, it's hard not to feel anxiety.
KATHERINE MANSTED: We might think it's one guy in a basement wearing a hoodie, but the reality is, it is a business operation. On some counts global cybercrime is the third biggest economy in the world.
JOHN LYONS: Every seven minutes a cyber-attack is reported in Australia, and businesses are paying tens of millions of dollars in ransoms.
JON DIMAGGIO: This hurts many people, businesses, a lot of businesspeople lose their jobs, stocks plummeting in their value, there's a lot of damage.
JOHN LYONS: This Four Corners episode cracks open the operations of cyber gangs targeting Australia.
SPEAKER 4: The structure you could scale. You look like any other software company, but you're actually just a criminal organisation.
JESS LONGBOTTOM: I think he's online now. So he's come back with, "Australians are the most stupidist humans alive and they have a lot of money for no reason, a lot of money and no sense at all."
JOHN LYONS: We go to Ukraine to track them down, and discover we are battling a common enemy.
SPEAKER 6: So they hit Australia?
SPEAKER 7: Yeah, these guys target Australia.
JOHN LYONS: The Australian Government warns we must all brace for more attacks.
CLARE O'NEIL: We're not powerless when it comes to cyber-attacks, we can hit back, and the instruction of the Australian Government now is, "You go, you rove the world, and find these people and you hurt them before they can hurt us."
KATHERINE MANSTED: So this is the place where our analysts are monitoring the networks of our customers for malicious activity that suggests that maybe it's the beginning of a ransomware attack.
SPEAKER: So as you can see we have two detections, two executions that were allowed and five were blocked.
KATHERINE MANSTED: We'd be doing a couple of hundred major incidents a year.
SPEAKER 8: Often we'll wake up when there's a high security alert, like if there's something bad happening, you don't want to leave it till the next morning to respond to it.
KATHERINE MANSTED: It's a bit of a cat and mouse game really. The defenders get better, the cyber-crime ecosystem is incredibly resilient, they operate from offshore safe havens. Russia, for example, green-lights its ransomware and cyber extortion actors provided they don't attack Russian targets.
JOHN LYONS: As Head of Intelligence for cyber security company CyberCX, Katherine Mansted understands the inner workings of the criminal syndicates causing chaos in the lives of Australians.
KATHERINE MANSTED: What we're defending against is cyber extortion gangs, and they use a range of tools to achieve their objectives. One of those is ransomware, so they lock up the systems of their victims until those victims pay a ransom to unlock the systems, or hopefully find another way to get themselves back online.
The other thing they're doing, and they're doing this increasingly, is stealing information. You don't need ransomware for that, you walk into the system, you steal information, and you threaten to make it public unless the victim pays a ransom.
JOHN LYONS: In October last year Australia was hit by one of the largest data breaches in its history. CyberCX was part of the response.
KATHERINE MANSTED: Medibank was part of a string of attacks against well-known popular household brands in Australia late last year that formed something of a wake‑up call.
JOHN LYONS: Authorities won't reveal details about the hack. We want to find out who was behind it.
JOHN LYONS: I'm on the way to meet a man who was working with Medibank when the hack was first detected. John Macpherson used to work in international security overseas. He's home now and gets called in for major cyber incidents. We're hoping to find out how the first few days after the hack unfolded.
JOHN MACPHERSON: I received a call quite late at night on 12 October, the night before it became public. The first priority was containing the attack and making sure that the systems were secure, after that, the very lengthy process of forensic investigation and trying to understand exactly what had happened, what the parameters of the attack were, began in earnest.
SPEAKER: How would you describe the mood of the team?
JOHN MACPHERSON: I think with all of these attacks, they are intense, they're stressful, it's hard not to feel anxiety, but you have a good plan, you execute that plan.
JOHN LYONS: Six days after the attack, the hacker sent an ominous message directly to the Medibank CEO's phone.
[Excerpt]
"Hi, as your team is quite shy, we decided to make the first step in our negotiation. We found people with very interesting diagnoses."
[End of excerpt]
ANDREW WATSON: They were threatening to release a so‑called "Naughty list" which was a list of 100 people who had received various forms of highly sensitive medical treatments, so an outright threat of releasing the most damaging kind of material as a way of trying to extort money.
JOHN LYONS: For Clare O'Neil, Australia's first Cyber Security Minister, this was the second major breach in as many months.
CLARE O'NEIL: Oh, look, I just think it's just ‑ it is just a low act of a sub‑human type of person to take personal health information, the most private thing that you or I could have, and try to use that for money. It just disgusts me, and it does tell us that we are dealing with a particular type of scumbag here.
JOHN LYONS: The hackers doubled down, ramping up their threats.
[Excerpt]
"In the event of a negative outcome of the negotiations for us, we will do everything in our power to inflict as much damage as possible for you, both financial and reputational."
[End of excerpt]
JOHN MACPHERSON: They want you to panic and then pay. I think in the Medibank case the hacker seemed to enjoy the media and the notoriety. They seemed to think that the negative publicity would be a trigger for Medibank to pay a ransom, when in actual fact it's quite the opposite.
JOHN LYONS: After almost a month of back and forth with the hacker, in November Medibank confirmed that 9.7 million of its current and former customers had been impacted, and the hackers, quoting Confucius, published their ultimatum. They demanded almost $10m, or in 24 hours the stolen data would be released.
Finally, Medibank made the decision not to pay the ransom.
ANDREW WATSON: On 9 November, the so‑called "naughty and nice" list of customers' details was released.
JOHN LYONS: Lawyer, Andrew Watson, was watching the drama unfold. He's led many major class actions and knew how large the impact of this breach could be.
ANDREW WATSON: People have just been devastated by the circumstances of what's occurred. We've had people who have had procedures that have involved termination, who for obvious reasons, didn't want that public; we've had people who were the subject of drug and alcohol treatment who have been devastated by the fact that that might become known.
JOHN MACPHERSON: I think for some Medibank customers, it was obviously deeply upsetting; I think for others it wasn't a material issue. The important thing is Medibank's refusal to pay a ransom results in keeping Australian companies safe from future attacks; it makes it easier for companies in the future to refuse to pay criminals for data they've stolen.
JOHN LYONS: The Australian Federal Police were in charge of investigating the hack.
So you've got no doubt that the Medibank hack was sourced in Russia?
SCOTT LEE: We've got no doubt that a number of cyber criminals who were involved in that attack were based in Russia.
JOHN LYONS: Can you tell us anything about the people behind it?
SCOTT LEE: No, I can't go into that, John, given the ongoing investigation.
JOHN LYONS: As the crisis deepened, inside Medibank the team were scrutinising their system for any trace of the hacker.
What does a forensic team look for when it does its investigation?
JOHN MACPHERSON: Forensic teams are sifting through terabytes of data and hundreds of millions of lines of code. They're looking for the traces that hackers leave in the system, so they're looking for computer logs; they're looking for the triggers of malware and viruses that they leave behind in systems; they're looking for traffic that leaves an organisation and travels overseas.
JOHN LYONS: The way the criminal groups operate makes tracking them all the more difficult. Gangs sell access to software that harms a network, and they control ransom negotiations with the victims. But it's hackers known as affiliates that make the initial breach.
KATHERINE MANSTED: An "affiliate" is a fancy word for people who buy into a ransomware or a cyber extortion model. I guess you could say it's a bit like a franchise, but instead of a businessperson buying access to the McDonald's brand and supply chain and particular innovation, an illegitimate cyber-criminal buys into a ransomware or a cyber extortion model. So they might rent the malware, the ransomware, they might get access to that group's Dark Web resources, their portals for leaking information, and they'll do all of that, of course, for a monetary incentive; they get to keep a big portion of the ransoms that they harvest.
JOHN LYONS: The gangs each develop their own ransomware, a type of malicious software. If there's a trace of that ransomware in an attack, it can be credited back to the gang.
RACHEL FALK: Cyber criminals can use and exploit, like a lure, a phishing lure, and you can click on that link, and then malware is uploaded, and they sit, and they wait, and they do reconnaissance, sometimes up to six months on your systems, work out what your valuable data is to you and how they can steal it.
JOHN LYONS: Medibank's negotiators had been engaging with the hacker for weeks.
[Excerpt]
"What organisation are you from?"
"In this case we'd better be anonymous, just a ransomware group."
[End of excerpt]
JOHN LYONS: The hacker claimed to be affiliated with several well‑known cyber gangs, but the Medibank team was sceptical.
JOHN MACPHERSON: The hacker was not able to give any confidence that they were affiliated with a criminal group, so they were never able to demonstrate that they were part of a group who would do what they say they were going to do.
JOHN LYONS: Ultimately, the blog the Medibank hacker decided to leak the data on offered the best lead. Jeremy Kirk is a cyber analyst and agreed to take us through the evidence.
JEREMY KIRK: There's several clues as to "might be responsible", but nothing is 100 per cent, and when the Medibank data, the personal data started to be released, it was released on a blog site, and this is common for ransomware gangs to release stolen data on blogs in order to try to get the victims to pay.
This blog had a bit of a technical history, and it had kind of a tie to another ransomware gang called REvil, which was one of the largest ransomware gangs. So the belief is that the people who were responsible for the attack against Medibank may be linked to those people with the REvil ransomware gang, but again, nothing is 100 per cent, it's just a suspicion.
JOHN LYONS: So who is REvil?
JEREMY KIRK: REvil, it stands for "ransomware evil", and it was one of the biggest and most successful sort of ransomware groups. It made at least $100m. It was similar to other ransomware gangs in that it was as a service, so other cyber criminals could sign up and use the ransomware. It conducted some of the largest ransomware attacks at the time and caused an enormous amount of damage to businesses and organisations.
JON DIMAGGIO: REvil sat at the top of that ransomware kingdom for a very long time.
JOHN LYONS: Jon Dimaggio knows the gang referred to as REvil very well.
JON DIMAGGIO: One of the big things that they did and that they made famous was the double extortion model. What REvil did was they didn't just encrypt their victims' data, but they also stole the data, and they would post bits of it publicly on their website in order to embarrass victims and sort of entice them to pay the ransom.
JOHN LYONS: In 2020 the gang targeted several high-profile companies in the United States and turned their ransomware on celebrities.
JON DIMAGGIO: REvil went after the New York‑based legal firm that had strong ties to both politicians and the entertainment industry. As they looked through it they started to see very popular names, like Bruce Springsteen, Madonna, President Donald Trump, and there were others as well, and they began to believe that they would be able to get, you know, people like Madonna to pay them this vast amount of money, and then they jumped to the President of the United States. It's just amazing they would be that dumb to threaten the President of the United States, but they did. They really put their target on their own back when they did all of this.
SPEAKER 4: There were a few pivotal incidents in mid-2021. One was the attack against Colonial Pipeline, which was the big energy provider in the US, that wasn't REvil it was a group called Darkside, but the groups were kind of linked, and then there were a couple of affiliates for REvil that conducted attacks against JBS Foods which was the large abattoir, and those incidents really elevated ransomware to a national security concern, particularly in the United States.
KATHERINE MANSTED: The ransomware attack they did against JBS Foods, that was an example of how they could cause disruption that crossed borders, that caused operational disruption of a significant degree, and the ransom they demanded for that which was paid was about $11 million US.
JOHN LYONS: Jon Dimaggio was monitoring REvil every step of the way.
JON DIMAGGIO: Once I gained access to the crime forums, now they were there every day, and I could see the conversations they were having with other criminals and even participate in conversations.
JOHN LYONS: He even applied to join the gang, posing as a hacker.
JON DIMAGGIO: We got pretty far in the interview, but what they did at the end caught me off guard. They asked me about Russian folklore, and they asked things that I believe that they thought only a true native Russian would know, and you know, we weren't able to Google anything quick enough to figure it out, and that was the end of our interview. It's organised crime, it's an organised group of cyber criminals that work together and share money, and a modern-day version of the mob.
SPEAKER 4: So this is the way that ransomware gangs are often structured, there's a boss kind of at the top, or maybe a couple of different bosses, there's kind of a layer of middle management, and those middle managers then interface with the people who actually do a lot of the work. There's an HR function, which is responsible for recruiting other cyber criminals and people who want to be a part of it. There's coders who develop the malware, which is actually the malicious software that's infecting computers.
You'll have an offensive team as well, so once a company or organisation is infected with malware, they'll take over and go into that organisation, figure out where their sensitive assets and data are in order to steal that data and then also encrypt it, and then finally, after that has happened, they usually send an extortion note to a company, which is where the negotiators come in, and they're responsible for trying to extract as much money as possible from the victim.
JOHN LYONS: We've seen over the years that some of the big drug gangs, the Medellin Drug Cartel, et cetera, came up with these sorts of corporate structures. Is this the cyber equivalent of the Medellin Drug Cartel?
SPEAKER 4: Yeah, absolutely. It's so they're looking for efficiency in any way, and that's what they've discovered, they've been able to get scale and efficiency, and attack more companies and organisations than ever before.
JOHN LYONS: So how do we know this is the sort of structure that some of these groups are implementing?
SPEAKER 4: Yeah, so in early 2022, there were tens of thousands of chat messages leaked on the Internet that belonged to a group called the Conti ransomware group, and it was basically their entire communications for two years, and so it really just opened it up for researchers, like, okay, this is what it's like day‑to‑day in a cyber-criminal group.
JOHN LYONS: The leak that cracked open the inner workings of the Conti gang was revenge for the group's support of Russia's invasion of Ukraine. More than 60,000 internal messages revealed in forensic detail Conti's negotiation strategies and HR disputes. They also provided insight into how other big cyber gangs, like REvil, operate.
JOHN LYONS: Going through some of these leaks, there's one from the manager, who says, "Your next salary depends on my good mood, and anybody who doesn't reply within three hours of me trying to contact them gets a strike against their name; two strikes and you're out." It's a pretty ruthless organisation?
SPEAKER 4: Yeah, the managers were pretty frustrated with their employees, and they had high turnover as a result too. I mean clearly, you know, the chats showed, you know, management was upset with this, because they're trying to pressurise, you know, their employees to get more productivity out of them, which just happens to be, you know, productivity motivated by crime.
Here we have another one. "This month, three people were fined for absenteeism and various mistakes that led to losses. These findings will go to the bonus fund for employees of the month." So this is really strange, right, like these are normal sort of things that managers would deal with in normal companies, and here, this is a cyber-criminal organisation, right, that has an employee of the month.
JOHN LYONS: Chats reveal that Conti's leadership was particularly unhappy with their ransom negotiators, complaining, "We bargain like school children, gangsters don't behave like that."
We've got a recording here from a woman from Conti ringing up a victim, pressuring them for money. Let's listen.
[Excerpt]
"Good day, I heard that you speak English too. Look, I'm calling you from Conti ransomware group. Your company right now in negotiations with our group regarding data recovery."
[End of excerpt]
I find that chilling. This is a woman from a crime gang, essentially they're effectively holding a gun to the head of the firm, and it sounds like someone's ringing to say, "You haven't paid your electricity bill".
SPEAKER 4: Exactly, the calling is a very aggressive tactic to sort of calling and harassing organisations, and ransomware gangs do that, they pull out all stops to try and, you know, get that organisation to pay, including kind of running a call centre.
SPEAKER: Our researcher, Jess Longbottom managed to contact a hacker who worked with several cyber gangs. He also claimed he was part of REvil. He agreed to chat with us on the encrypted site, Telegram.
JESS LONGBOTTOM: So we were hoping to chat to him and find out a bit more about the group.
JOHN LYONS: And hopefully Medibank.
JESS LONGBOTTOM: Definitely. So I think he's online now. "Hi, how do you feel when you hack into a system?" He says, "Great. It's a feeling of being on top of the world, like nobody can touch you."
JOHN LYONS: He claimed he travelled freely between Eastern Europe and the UK and had no fear of arrest. He said he loved targeting American companies.
Let's ask him about Australia.
JESS LONGBOTTOM: Look at this: "Yes, let me tell you something, Australians are the most stupidist humans alive." So pretty strong language there. "And they have a lot of money for no reason, a lot of money and no sense at all."
JOHN LYONS: "Stupidest humans alive". There's such hostility from him towards the US and Australia.
JESS LONGBOTTOM: Yeah, it's quite incredible.
JOHN LYONS: I think we should ask him about Medibank.
JESS LONGBOTTOM: Yeah, okay. "Do you know who's behind the hack?"
JOHN LYONS: In the set‑up for the interview, we had not mentioned anything about Medibank, so we were surprised he answered our question so quickly.
JESS LONGBOTTOM: So he's come back in the shush, the shush emoji, and just an "XX", which I wonder ‑ I think that relates to Blog XX, which is the blog where the Medibank data leak was actually published.
JOHN LYONS: We asked if Blog XX and REvil were the same people?
JESS LONGBOTTOM: Right, okay, the answer is, "Yes, however there is some new faces." Okay, wow, so he's saying that it's REvil and Blog XX, they're connected.
JOHN LYONS: Really interesting.
JESS LONGBOTTOM: Yep. "So is it correct that REvil was involved in the Medibank hack?" Ha. "Yes indeed."
JOHN LYONS: So he's confirming, as much as we can trust him, that REvil was involved in Medibank, which is really interesting, because there's been so much speculation that they were —
JESS LONGBOTTOM: Exactly.
JOHN LYONS: — that to have him saying that really contributes towards the picture.
JESS LONGBOTTOM: And interesting, as lots of people said that the attack wasn't sophisticated enough to be REvil, so —
JOHN LYONS: I think we should put to him that the Medibank hack caused distress to millions of Australians and see what he says about that.
JESS LONGBOTTOM: Yep. Ha. "I could not care less" is his response. Wow.
SPEAKER: Completely without empathy or morality.
JESS LONGBOTTOM: Yeah, exactly. So much bravado.
JOHN LYONS: We sent our conversation with the hacker to Jon Dimaggio.
JON DIMAGGIO: My professional opinion is this sort of second rising of REvil that we've seen over the past year is not the original group. They simply have access to the infrastructure and to the REvil malware. In my opinion, someone else is using their malware today.
JOHN LYONS: To evade authorities gangs are morphing all the time, hackers come and go, but the ransomware they develop is still used.
KATHERINE MANSTED: We've seen, with some groups, once they create too much harm and fear, they get too big for their boots. That's when they're most likely to attract the attention of global law enforcement. After that, those groups have metastasised, their affiliates have left the big bad ransom and cyber extortion gangs, and they've moved on to smaller gangs and are plying their trade through smaller, lower‑profile groups. So the threat has changed; it hasn't necessarily diminished.
JOHN LYONS: Months later, the damage of the Medibank hack is still being uncovered.
ANDREW WATSON: Effectively every Medibank customer's details were placed on the Dark Web. Given the sensitivity of the data, it seems likely that Medibank should have been looking at a proper encryption protocol, or a deidentification protocol so that the data, even if hacked, would have been useless to the hackers.
JOHN LYONS: There was criticism of Medibank's storage of personal data. What's your opinion of that?
JOHN MACPHERSON: I think every organisation in Australia is now rapidly trying to assess how much data they hold, how secure it is, whether they need it or not, how long they've retained it for. I think it goes back to the question that as a nation we place too much value on collecting data, and not enough value on how we secure it and whether or not we actually need to keep it.
JOHN LYONS: Medibank is one of a string of hacks that has made cyber-crime a key priority for the Federal Government. In Australia a cyber-attack is now reported every seven minutes.
ANTHONY ALBANESE: For businesses these days, Cyber Security is as important as having a lock on the door. An increased awareness —
JOHN LYONS: Rachel Falk is on the panel developing the Government's new Cyber Security strategy.
ANTHONY ALBANESE: So all of us understand —
JOHN LYONS: One of the options being considered is starving the gangs of funds by making the payment of ransoms illegal.
ANTHONY ALBANESE: — from someone breaking into your house —
RACHEL FALK: Once you get the ransom note, the damage has been done by that point. You're either in paying ransom mode or reputation salvage mode. Remembering, it's a bit like the house always wins here, they always keep a copy of your data. You can then pay, and they will not release the data, allegedly will not release data on the Dark Web for sale, but you never know what's going to happen with the copy of the data that's stolen.
JOHN LYONS: What's your view on a company that's been hacked considering paying a ransom?
RACHEL FALK: Well, obviously it's a challenging situation in the boardroom, absolutely, and it will never be black and white.
CLARE O'NEIL: The Australian Government's really clear advice is that we would ask that Australian companies, organisations and individuals do not pay ransom, because this simply feeds the business model of cyber hackers.
[Excerpt]
So ransomware is one of the biggest cyber threats that we face as a country, and we're —
[End of excerpt]
We're not powerless when it comes to cyber-attacks. We can hack back at these people and use the same tools that they are using to hurt Australians, to hurt them. And the instruction of the Australian Government now to the Australian Signals Directorate, the cyber guns of the Australian Government and the Australian Federal Police, is, "You go, you rove the world, you find these people and you hurt them before they can hurt us."
JOHN LYONS: It's the AFP's Cyber Command which is now tasked with going after or disrupting the cyber gangs.
CHRIS GOLDSMITH: Disruption is about frustrating their ability to operate and stopping their ability to operate.
SPEAKER: While we were at AFP Sydney headquarters, news breaks of another hack.
We've heard there's been a major cyber incident. The team's pretty tight‑lipped about what's happened, but what we do know is that a loans, credit card and insurance company has been hacked, and more than 200,000 customer records stolen. The team's been briefed and on standby.
JOHN LYONS: Days later, Latitude Financial revealed the hack was much larger, with the data of 14 million former and current customers stolen.
SCOTT LEE: I think it's now the new normal. We are seeing the incidence of ransomware attacks becoming more prevalent, both in terms of the number, but also the scale and the sophistication and the impacts on our community.
JOHN LYONS: Do you think most Australians understand how nasty this new world is?
SCOTT LEE: No, I don't. I think it's an evolving situation for all of us.
KATHERINE MANSTED: Increasingly there's been a shift to disruption, which is a way to get at these gangs before they can cause harm. The FBI and its global law enforcement partners and Australian law enforcement are getting better at this.
We've seen the FBI and other global law enforcement partners seize infrastructure, so these groups are forced offline. We've seen them infiltrate groups to get the decryption key so that when they engage in ransomware global law enforcement can come in and help those victims by giving them the decryption key rather than those victims having to pay a ransom.
JOHN LYONS: It was that arsenal that the Federal Bureau of Investigation used to bring down REvil, after the gang carried out one of the largest attacks in history.
JON DIMAGGIO: When Kaseya was attacked, what happened is they had about 1,500 downstream customers that REvil leveraged their software to infect with their ransomware, so instead of just having one large corporation now being held ransom, they had 1,500 companies being held ransom.
[Excerpt]
Unlike a lot of technology companies, Kaseya is pretty easy to understand.
[End of excerpt]
JOHN LYONS: The hack affected companies in at least 18 countries, including Australia, closing down supermarkets in Sweden and impacting kindergartens in New Zealand.
[Excerpt]
And discover how Kaseya can help you simplify your systems management task.
[End of excerpt]
KATHERINE MANSTED: So this was a really good example of REvil trying to maximise harm by hitting one organisation that provided services to thousands of others. They demanded a ransom in that case of $70 million.
JOHN LYONS: The attack came only weeks after President Biden called on President Putin to rein in Russia's cyber criminals.
[Excerpt]
JOE BIDEN: I did what I came to do.
[End of excerpt]
JOHN LYONS: The US made an arrest, and the gang's leak site went offline. Then in a surprise move in 2022 Russian intelligence raided 14 members of the group. But it wasn't the end of REvil's ransomware.
JON DIMAGGIO: The guys they arrested were all very young men, they were primarily affiliates, they were not the core members of the gang, they weren't the ransomware developers, they weren't the ones supporting all these operations, they were simply the people that were the hired hackers. It doesn't stop the attacks. They can just come back under a new name and continue business as usual.
JESS LONGBOTTOM: Wow. I have been providing initial access to —
JOHN LYONS: The hacker we spoke to earlier told us the 14 members were now out of jail, and that he was supporting Russia's war effort by providing initial access to Ukrainian‑owned infrastructure.
JOHN LYONS: Jon Dimaggio was not surprised. He believes that the original masterminds behind REvil are hacking for Russia.
JON DIMAGGIO: They are supporting the war in Ukraine. Think about it: even as affiliates, they're some of the best hackers in the world, so I 100 per cent believe that is how Russia is utilising them; they're helping the Russian intelligence services, creating malware, and facilitating attacks against the Ukraine to sort of better the mission of Russia.
JOHN LYONS: As the war in Ukraine loomed, Dimaggio says Russia's cyber criminals were given an ultimatum: "Hack for your country, or your assets will be seized, and you'll go to jail."
KATHERINE MANSTED: We know that these crime gangs have always had a pretty cosy relationship with Russian intelligence and security agencies. We've seen those leveraged during the Russian/Ukraine war, we've seen in particular some groups that have come out and said, "Our allegiance is to Russia, and we will engage in activities to support Russia's cause and to undermine Ukraine."
JONATHAN HOLMES: In Ukraine, cyber-attacks are about more than just money; they're about life and death. We've come to Kyiv to track the Russian cyber gangs targeting Australia. We're on the way to the agency responsible for protecting Ukraine, including against cyber-attacks. Robert Potter, co‑founder of Australian cyber security company, Internet 2.0, is taking us there.
ROBERT POTTER: So we're heading up to SBU headquarters. The SBU is the primary domestic intelligence agency of Ukraine.
JOHN LYONS: It's like our ASIO?
ROBERT POTTER: Yeah, it's equivalent to our ASIO, or MI5.
JOHN LYONS: Security is tight. The SBU would be one of Moscow's top targets.
The man we've come to meet is Illia Vitiuk, the country's senior cyber intelligence officer.
JOHN LYONS: That's me.
ILLIA VITIUK: Thank you very much, unfortunately [indistinct].
JOHN LYONS: I'm sure you don't go around handing out cards too often, yeah, in your job?
Australians know about the invasion, the physical war, but are there now two wars going on?
ILLIA VITIUK: They combine cyber-attacks with psychological, special psychological information operations, and they do combine cyber-attacks with [indistinct] attacks. Cyber-attacks accompanied, missile attacks on our energy sector since October, so they tried to destroy [indistinct] infrastructure of power plants and distribution companies, simultaneously with cyber-attacks to cause more damage and to make people suffer even more.
JOHN LYONS: What can Australia learn from Ukraine's experience with Russian hackers?
ILLIA VITIUK: No other country in the world has faced what Ukraine has faced in cyber domain, first of all, and the experience we have how to withstand when your enemy is more powerful is crucial. We've invented and used different kinds of algorithm techniques, tools that have proved the effectiveness, and we are ready to share this knowledge and this experience with the world.
JOHN LYONS: In another part of the city, Internet 2.0 is working to strengthen Ukraine's cyber defence. The other founder, David Robinson has just arrived.
DAVID ROBINSON: You can imagine we can see the international cyber war on our dashboards all over the world. If the Russians, for example, were hacking one of the computer networks we're protecting, the systems can detect, flag, that Russian cyber-attack using algorithms, using lots of pieces of technology all in the cyber security industry in order to identify, flag and then view that threat, and then we can basically block it.
JOHN LYONS: The team's security engineer, Rafig Jabrayilov, has already got to work. Here he's monitoring Russian cyber-attacks.
So when someone in Russia makes an attack, you can see that here?
RAFIG JABRAYILOV: Yes.
JOHN LYONS: In real time?
RAFIG JABRAYILOV: In real time with the live data we can see their iPad [indistinct], we can detect their rough estimated locations.
JOHN LYONS: It's a never‑ending battle, isn't it?
RAFIG JABRAYILOV: Yes, it's basically a cyber war going between engineers and attackers, so as you say, it's never‑ending, and as much as they are employing their skills, we need to do it twice, three times more to be ahead of them.
KATHERINE MANSTED: It is the first war in history between two major cyber powers, Russia and Ukraine. We've never seen this before. And right from the beginning of the conflict cyber has been an ever‑present dimension of that conflict.
JOHN LYONS: Katherine Mansted has analysed how effective Russia's combination of traditional and cyber warfare has been.
KATHERINE MANSTED: From the outset, Russia has made an attempt to coordinate its cyber and its conventional effects. It hasn't always been successful, and in fact towards the beginning of the war it did better in this, perhaps because it had more time to plan and coordinate. On one day in the first week we had a missile strike on a broadcasting tower. We also had a cyber-attack against a broadcasting company, as well as a broader information campaign. Russia said it was going to disable Ukraine's "disinformation system." It was targeting people on social media; it even was targeting the elderly via phone calls. All of that was about creating chaos.
JOHN LYONS: So Ukraine launched its counter‑offensive and then in October hit the Crimea Bridge. How did Russia respond to that?
KATHERINE MANSTED: So we enter a new phase in many respects in Russia's conventional cyber and information war. On the conventional front it's hitting civilian targets again. Ukraine's looking into a winter, and it's going after energy assets, sending millions of Ukrainian citizens into blackout. It's also hitting water assets. And that's mirrored, in many respects, in a cyber realm.
JOHN LYONS: What implications does this have for the next major military conflict?
KATHERINE MANSTED: Every cyber defender, and every cyber attacker around the world will be looking at this conflict so closely, and they will be learning the lessons from Russia/Ukraine. Russia has not always done as well as it could have at precisely coordinating cyber and kinetic effects. In the next war I would expect we'll see adaptation and an even closer interlinkage between those two domains.
JOHN LYONS: When there's a cyber-attack in Ukraine, the response will come from this room. It's the nerve centre of the country's cyber defence, and the team reports directly to President Zelenskyy.
[Excerpt].
SPEAKER: You can see Ukraine and Europe, and you can see the different key groups, so they're just tracking numbers of attacks.
JOHN LYONS: So these are the different sectors that have been targeted, yeah?
SPEAKER: Yeah. And these are the different attack tools being used.
[End of excerpt].
JOHN LYONS: While looking at the list of the different groups attacking Ukraine, I see REvil.
SPEAKER: REvil is the one that heads the Medibank attack.
JOHN LYONS: So they hit Australia?
SPEAKER: Yeah, these guys target Australia.
JOHN LYONS: The power cuts for a moment. Not uncommon here. While the system's rebooted, the head of Ukraine's Cyber Security centre issues a warning.
SERHII PROKOPENKO: My prediction for this year is that it is US, Australia, European Union countries who will be targeted, more, even more than Ukraine.
JOHN LYONS: So you think there will be more attacks on countries like Australia.
SERHII PROKOPENKO: Yes, give support to —
JOHN LYONS: Who support Ukraine, because they're not getting the results they want in Ukraine, so they'll move on to other places, and it will be partly revenge for supporting Ukraine?
SERHII PROKOPENKO: Yes.
SPEAKER: Some of those names that came up on their board today are names that we're familiar with, launching attacks on Australia. What does that say to you?
SPEAKER: It shows that we're part of the same environment. They're studying the same bad guys that we are. What they really are, are Russian organised crime groups being protected by the Russian Government, and in some ways becoming increasingly ideological in their support of the Russian Government, and that that exchange of "You give us safe haven, we'll give you a cut" is now "We will also target the ideological enemies of the Russian Government."
JOHN LYONS: In recent weeks, the big cyber-attacks on Australia keep on coming.
[Excerpt]
SPEAKER: Crown resorts says it's working with police —
SPEAKER: One of Australia's biggest property giants has been attacked by cyber criminals.
SPEAKER: The cyber-attack on Latitude Financial has now become —
SPEAKER: The hack of Latitude Financial is now larger than Medibank.
[End of excerpt]
KATHERINE MANSTED: Ultimately, what we see from these groups is they tend to be pretty good at out‑manoeuvring law enforcement. They will phoenix to avoid pressure, so when the heat is on from global law enforcement they will disband their group. They'll lie low for a bit, then they'll pop up again. Maybe they'll rebrand, for example, and we've seen that over and over again. So unfortunately it's going to be really hard for us to break the business model of cyber extortion.
JOHN LYONS: As a nation, Australia is bracing to fight this ever‑changing war against enemies who hide behind screens and know neither boundaries nor morals.
CLARE O'NEIL: What's at stake is everything. When you think about the life that we live online at the moment, consider what things will look like in 2030 where our fridge and our electricity in our homes, and our air conditioning, and our car; everything is going to be connected to the internet. So we are going to have to get a handle on this problem well before then. I want cyber hackers to know that we are on to them, and that we are watching them online, and that we will come and hurt them if they come anywhere near our country.