
‘Amateur hour’: Rivals mock Optus hacker

Despite the proclamations of Optus chief executive Kelly Bayer Rosmarin it was a sophisticated attack, hackers say the telco’s data breach was an amateur one.

The Optus hack is the cyber equivalent of a teenage hooligan painting graffiti on a train station to impress their friends.

The hacking community is less than impressed with Optusdata, the anonymous hacker who made away with the personal data of more than 10 million Australians, before radically backing down from a $1.5m ransom on Tuesday.

Terms such as “amateur hour”, “unprofessional” and “stupid” are being used by hackers to describe their colleague Optusdata, whose avatar is a female cartoon with short purple hair.

They tell The Australian the breach was likely the work of an amateur, known in cyber security circles as a “script kiddie”, who uses automated scripts to attack computer systems and deface websites.

It’s the cyber equivalent of a teenage hooligan painting graffiti on a train station to impress their friends.

Optusdata made good on their threats when they released the records of 10,000 Australians early on Tuesday, on the online discussion forum BreachForums. The information was available as an unencrypted text document, containing Medicare details, driver’s licence numbers and more. Just hours later the user deleted the data, apologising in a new post to both Optus and its customers in an apparent change of heart.

“Optus if your reading we would have reported exploit if you had method to contact. No security mail, no bug bountys, no way too message,” they wrote in broken English, possibly as a deflection.

“Ransom not payed but we dont care any more. Was mistake to scrape publish data in first place.

“Too many eyes. We will not sale data to anyone. We cant if we even want to: personally deleted data from drive (Only copy).

“Sorry too 10.200 Australian whos data was leaked.”

The alleged hacker Optusdata has seemingly deleted the customer data. Source: The Australian.

There’s no way of knowing at this stage whether Optusdata has in fact deleted the customer data. Optus executives maintain both privately and publicly they did not pay the $1.5m ransom.

Other BreachForums users were quick to criticise Optusdata for the about-face.

“That was a pretty stupid move to begin with tbh,” one user wrote. “Play stupid games win stupid prizes imo,” wrote another user, named PaulineHanson.

Despite the proclamations of Optus chief executive Kelly Bayer Rosmarin, hackers say the breach was an amateur one.

“There was nothing sophisticated about it,” Shubham Shah, who made a small fortune as a teenager hacking the likes of Uber and PayPal, told The Australian.

“It was an endpoint which someone forgot to apply authentication to, and we see this all the time unfortunately.

“The hacker’s decision to dump everything as quickly as possible versus as quietly as possible is interesting, but I guess it worked because they still got a lot before the alert.”

Shah, who now works as a cyber security consultant for Assetnote, says Optus should have had a so-called bug bounty program in place, which would have attracted “white hat hackers” – the good guys, in simple terms – to find and help fix Optus’s security issues in exchange for a financial return.

For Optusdata to be a mere teenager attacking a telco giant from their family basement would not be preposterous. Just last week, a 16-year-old was arrested in the UK on suspicion of being one of the leaders of the crime gang Lapsus$, which stole top secrets from Microsoft, Samsung and Nvidia, some of the biggest and most well-resourced tech companies in the world.

“It is possible that someone may have bumped into this security gap while scanning known domains, who are not part of an organised hacking group, and were acting alone,” Paul dos Santos, Director of Cybersecurity at StickmanCyber, said.


Chatter in cyber security circles suggests that while the exposure became public last week, following an article in The Australian, the data was likely exposed by Optus for days if not weeks, with customer data spotted on the dark web on September 17.

“There is a possibility that there may have been other malicious actors who found that exploit, exfiltrated the data and will use it anyway in the future,” Mr dos Santos said. “At the end of the day, Optus, which demands 100 point identification and is entrusted to protect that 100 point data, had all that data exposed.”

The director of the Australian Strategic Policy Institute’s International Cybersecurity Centre, Fergus Hanson, said the most obvious possibility was the perpetrator was “a rank amateur” hacker “who’s realised they’ve got the AFP breathing down their neck and they’ve freaked out”.

He said it was also possible it was the work of a nation state actor “and they’re trying to cover their tracks”. A third possibility was a criminal gang, “but with the amount they asked for that just doesn’t seem to add up”.

Mr Hanson said it was curious there was a post on the dark web on September 17 purporting to offer data on 1.1 million Optus customers, yet Optus said it only learned about the breach on the 20th. “It just seems odd to me that someone would be selling off this data and no one at Optus would be aware that this has been posted on the dark web,” he said.

Optus CEO Kelly Bayer Rosmarin described the hack as a ‘sophisticated’ attack.

It was possible the AFP’s “Operation Hurricane” had been effective in scaring the perpetrator, who may have “got cold feet”, according to Cyber Security Cooperative Research Centre chief executive Rachael Falk.

Ms Falk said the data, if it was encrypted, “somehow got decrypted along the way”.

She said the telco should also not have been storing details of the customers’ primary identity documents in the first place.

“Once they’d done subscriber ID checks, they did not need to keep the exact details of the passport and driver’s licence numbers,” Ms Falk said.

CyberCX chief strategy officer Alastair MacGibbon said: “Let’s be clear here. This was not a sophisticated attack. Criminals have taken advantage of an obvious security flaw. It was not hacked – the system actually functioned exactly as Optus designed it to.”


Original URL: https://www.theaustralian.com.au/business/technology/amateur-hour-rivals-mock-optus-hacker/news-story/9cd71477c9ea7ba4bf30456d7588ec2d