Optus hacker could be kid in mum’s basement or Brazilian ‘hunters’: experts

The Optus hacker could be an amateur in their mum’s Sydney basement or even a Brazilian-based ‘vulnerability hunter’, cyber experts say.

The culprit behind the massive Optus hack could be an amateur in their mum’s Sydney basement or even a “vulnerability hunter”, rather than a foreign nation state or criminal gang, cyber experts say.

As police and IT experts race to track down who is behind the massive breach, a top cyber safety expert from Western Sydney University says she believes it could even be the work of a small Brazilian “vulnerability hunting group” – experts who test for flaws in IT systems.

Professor Alana Maurushat, director of the Western Centre for Cybersecurity Aid and Community Engagement, said telltale clues in the messages posted online by the alleged hacker pointed to a Portuguese speaker.

“I think that this breach has been caused by a Portuguese-speaking vulnerability hunter - likely Brazilian and I would look to São Paulo as likely location,” she said.

“There are many linguistic translation clues in the communication.

Alana Maurushat, Professor of Cybersecurity and Behaviour at Western Sydney University.

“First, the word ‘sell’ and ‘sale’ are highly interchangeable.”

In the dark web post, the alleged hacker stated: “We will not sale data to anyone.”

ASPI’s International Cyber Policy Centre director Fergus Hanson said he felt it was likely the hacker was an amateur. Picture: Stuart McEvoy/The Australian.

Professor Maurushat said Portuguese speakers use full stops, not commas, in large numbers, which was also a clue in the online message posted on Tuesday.

And another sign of a Portuguese speaker was that in their language sentences do not require subjects, she said, and there were two examples of that.

“Why a vulnerability hunter?” she said.

“Because the person/group retracted the ransom. Russia and Koreans would never retract a ransom.

“My money is 100 per cent on a vulnerability hunter behind this.”

The Australian Strategic Policy Institute’s International Cyber Policy Centre director Fergus Hanson said he felt it was likely the hacker was an amateur and possibly “based in their mum’s living room in Sydney” rather than Russia or Iran.

The $1 million amount asked for was a sign the hacker was potentially not aware of the enormous value of the data set, he said.

“It’s probably one of the most valuable sets of data that have been stolen from Australians and they’re asking for just $1 million?” he said.

Another indicator that the hacker or hackers were not overly sophisticated or professional was the timing of the extortion messages – one of which was put online before Optus even found out about the hack.

“That’s a very odd way to run an extortion,” Mr Hanson said.

“In a normal ransomware scenario, you would expect the cybercriminal to contact the company and let them know they have the data and demand a ransom.

“In this case, they seem to have been trying to sell it online on the 17th of September and Optus didn’t let anyone know until September 22.

“Either Optus is not telling a straight story or they are amateur.

“That’s a very odd way to run an extortion.”

Mr Hanson said it did not make sense that a nation state would draw attention to a vulnerability in this manner.

“Also, the fact they seemingly have pulled out of the race, suggests they are in a jurisdiction where they are vulnerable, whereas someone in Russia or Iran would not care.

“But if they are based out of their mum’s living room in Sydney, they might be vulnerable.”

Original URL: https://www.dailytelegraph.com.au/news/nsw/optus-hacker-could-be-kid-in-mums-basement-or-brazilian-hunters-experts/news-story/ce13797a4e7cc31b48fc830df8a0fcb7