The prolific LockBit ransomware gang was subject to a DDoS attack that resulted in its data leak site being shut down temporarily, according to reports that emerged in mid-August 2022. Typically, it is threat actors who leverage DDoS attacks as an easy, cheap and effective tactic, capable of causing enormous disruption and loss of business to victims. To witness a notorious cyber-criminal gang targeted in this way would likely have been satisfying to many who observe, and are impacted by, the damage groups like LockBit cause.
Reports of the DDoS attack came shortly after LockBit claimed responsibility for an attack on cybersecurity vendor Entrust in June, after which the gang failed to secure a ransom.
The company confirmed in July that threat actors had breached its network and exfiltrated data from its internal systems. Shortly after allegedly leaking data stolen from Entrust on August 19, LockBit’s leak site was disrupted by a DDoS attack, which it now appears to be recovering from.
Unsurprisingly, there are suggestions the two incidents are linked, with some surmising that the perpetrator of the DDoS strikes against LockBit was seeking revenge for the ransomware attack and/or trying to prevent the stolen data from being leaked. However, at this time, there is no clear evidence showing who targeted LockBit.
“There is no tangible evidence that suggests Entrust was behind the retaliatory attack,” Tom Huckle, director of information security & compliance at BlueVoyant, told Infosecurity. “Despite the DDoS HTTPS requests seemingly pointing to the perpetrator being Entrust, this is merely circumstantial evidence and not definitive. This could be an unaffiliated company or individual working on behalf of Entrust, or it could be a rival to the LockBit gang using this as an opportunity to attack its infrastructure.”
Brian Honan, CEO of BH Consulting, concurred: “Just because a company’s name is mentioned as part of the message with the attack does not mean that company is actually behind the attack. As with all cyber-attacks, attribution is not as simple as it seems and more details and analysis are required to determine who is behind an attack.”
Nevertheless, it is likely that we will continue to see retaliatory attacks in the future, according to Victor Acin, labs manager at Outpost24, but this does not make them legitimate attacks.
Acin noted: “It is an understandable response to a cyber-attack, fight fire with fire, but that does not make it right. There’s a precedent of companies taking action against cyber-criminals after a breach; one of the most recent would be Nvidia’s. The company was breached in February this year by Lapsus$ and after the data was stolen, Nvidia allegedly struck back deploying ransomware encrypting the stolen data.”
Hack Backs
Clearly ‘hack backs’ are increasingly becoming a tool in the arsenal against threat actors. While we may be seeing a trend towards offensive cybersecurity and revenge attacks, those using these tactics must consider the potential implications of such approaches.
At the nation-state level the development of offensive cyber capabilities has become a serious consideration, with governments seeking to deter and, where necessary, strike back against cyber threat actors targeting critical infrastructure.
For example, the UK has recently created a National Cyber Force, which General Richard Barrons, former commander of Joint Forces Command, said provides a “new means of both deterring and punishing states that wish to do us harm.” Earlier in 2022, the UK’s Secretary of State for Defence, Ben Wallace, reportedly warned Russia of retaliatory cyber-attacks if the Kremlin targets British networks following Putin’s invasion of Ukraine.
For organizations with significant cybersecurity expertise and wishing to take offensive action, DDoS attacks represent a relatively easy option to disrupt attackers’ operations. Jake Moore, global cyber security advisor at ESET, told Infosecurity: “It is not unusual to see groups or even companies fight back with equally effective tactics such as a DDoS attack.”
Cyber-criminal organizations are capable of being breached, just like anyone else. Honan said: “There is a mystique around cyber-criminal gangs that they are invulnerable to attack or are better able to manage their security than their victims. That is very often not the case. After all, they, like many other organizations, rely on the internet for their business and are therefore subject to the same risks and threats as everyone else.”
A Risky Move
There is significant concern among industry experts that a shift towards retaliatory cyber-strikes could exacerbate the cyber-threat landscape. This is particularly dangerous when such actions are taken by private individuals and organizations acting outside of specified rules and boundaries relating to offensive actions. “Fighting fire with fire is a dangerous yet powerful tactic, and although it can offer a form of defense, it can easily escalate the situation,” said Moore.
Honan said that hacking back is not something he would support or recommend that companies consider, adding: “While the analogy is often drawn between hacking back in the virtual world to physically retaliating against a burglar in your house or a mugger, I do not see the analogy being as clear-cut.”
“Firstly, attribution is extremely difficult, and many organizations do not have the appropriate skills, tools or infrastructure to positively identify the source of an online attack.” Even in cases where an organization has a high degree of confidence about the perpetrator of an attack, Honan emphasized it is far better to pass that information to law enforcement “so they can deal with the criminals in an appropriate way.”
In fact, hacking back may make the situation far worse for the original victims. BlueVoyant’s Huckle highlighted that it could result in further escalation from the attackers. He explained that instead of backing down, LockBit are raising the stakes by looking to upload all of Entrust’s data as a torrent, making it almost impossible to take down.
“Therefore, rather than have the data deleted as requested, it appears it will be available to everyone, forever,” Huckle said.
The Legal Situation
Organizations attempting to use cyber-attacks to hit back following breaches could find themselves on shaky legal ground, cautioned the experts Infosecurity spoke to. Huckle did, however, highlight that a new bill is being debated in the US, the Active Cyber Defense Certainty Act, which would potentially legalize some offensive responses from private companies. However, “this is currently not the case.”
Honan warned: “As an organization, you may have no legal basis to hack back and could expose the company to legal risk as you could be committing criminal offenses in your actions to attack another system, regardless of whether that system is managed by criminals.”
Honan also believes such actions could negatively impact law enforcement investigations into cyber-criminal gangs, potentially preventing them from being brought to justice. “We have already seen some law enforcement operations impacted by some cybersecurity companies’ research activities,” he said. “In addition, should a hacking back operation unintentionally disrupt the operations of an innocent organization, this could result in diverting valuable and scarce law enforcement resources into investigating those issues from operations targeting criminals.”
Overall, the advice is for organizations to avoid going down the route of hack backs and instead work as closely as possible with law enforcement to try and bring the perpetrators to justice, even if this represents a long and frustrating road.
Nadir Izrael, co-founder and CTO of Armis Security, stated: “Retaliation does not work in cyberwarfare, just as it does not work in cases of terrorism. In fact, it often has the opposite effect and breeds more aggressive reactions.”
Ultimately, retaliatory cyber-strikes will not make justice more likely to be served and are instead likely to make the threat landscape more unstable.