Did Australia just pay ransom to Optus hacker?

An online account believed to be behind the Optus data breach has unexpectedly backflipped on a threat to release millions of Australians’ data to the internet.

The purported hacker who demanded a ransom of $US1 million ($1.5 million) in exchange for Optus customer data posted on the forum that they withdrew the ransom demand and deleted the 11 million customers’ records.

“Too many eyes. We will not sale (sic) data to anyone. We can’t if we even want to: personally deleted data from drive (Only copy),” the user wrote on Tuesday.

The account apologised to 10,200 Australians whose records they had leaked just hours earlier, expressed “deepest apology” to Optus and wished the company well. 

Released data summary and batches of data indicate the hacker’s online account is legitimate.

Change of Heart or Ransom Paid?

One cybersecurity expert believes there is something fishy about the sudden turn of events: 

“The change of heart, especially after the brutal ultimatum [when a text file of 10,000 records were released] just doesn’t add up and I would say it is likely or, rather, almost certain that the ransom was actually paid under a secret deal,” said Elmin Selay, cybersecurity researcher and CTO of Cyberflare.

“I am not saying it was paid by Optus. It is rather more likely that the Australian government via unattributable channels of either its own security agencies or via U.S. agencies made the secret deal. I think they weighed all options and deemed it necessary as a one-off exception in the national interests. From the government’s perspective, a small cost to save lives. They must have offered certain guarantees to sweeten the deal”.

“Likely, the negotiations were ongoing before the 10,000 records were released but the hacker demanded more assurances/protection and showed how serious they were by releasing the records”

“The final apology message was likely agreed on, and was posted as provided. Its language is slightly different and has as many typos as a native speaker can make. Many other details reflect a different perspective, such as ‘Australia will see no gain in fraud, this can be monitored’. ”

“The official advice from the Australian government is that you should never pay the ransom – I want to make it crystal-clear that this is, statistically and under most circumstances, the best option as you are dealing with an unknown uncertainty”.

“However, the stark reality is that almost half of businesses in Australia and globally opt to pay. Likewise, governments notably make such a choice out of little other choice.”

“The government has some leeway here and they can achieve a win-win situation since they don’t pay the ransom or give assurances through official channels. If the negotiations or deal go south, they deny and stick to their official position. Hackers know this as well and they wouldn’t delete ‘the only copy’ as mentioned in their apology message. ”

The expert also says Optus’ claims about the sophistication of the attack don’t appear to be true as more details are emerging.

“Companies like Optus go through formal certification and standards compliance when it comes to the customer data. In addition, we are talking about enterprise systems and built-in data security.”

“This was not a sophisticated infrastructure attack. The format of the data released indicates they didn’t actually access any backend systems, customer databases or hack their way into or through any well-guarded systems. The structure points to RESTful services. This involves APIs – usually with token-based authentication for websites, apps and other systems to access and use the data they require.

“Based on the information publicly available so far, we can attribute this data breach to a basic API authentication failure due to a misconfiguration, a bug or negligence in validating either the user or the scope of the query”.

“What makes this particular attack so effective is that you don’t actually need any keys to decrypt data even if it was encrypted in the database and during the transmission. I see no valid point in discussing whether Optus had legacy systems, how data was stored or whether it was encrypted. At this stage the data is at a post-transmission state and already decrypted for consumption anyway”, he added.