Authorities fight back against charity hackers

Posted on 26 Mar 2024

By Matthew Schulz, journalist, Institute of Community Directors Australia

Hacker Data Cybersecurity shutterstock 356278754
A global joint police effort disabled the world's biggest ransomware gang, which was behind a massive hack of Australian charities.

International authorities claim to have “destroyed the online backbone” of a ransomware group that stole data from 70 Australian charities.

The Australian Federal Police (AFP) cooperated with counterparts in 13 other countries to crack down on the LockBit ransomware group under Operation Cronus.

Authorities took control of the LockBit sites to turn the tables on the hackers, using those dark web sites to announce the counter-hack.

Police also arrested several suspects, froze LockBit Bitcoin accounts, shut down servers and websites, and took charge of ransomware infrastructure, such as LockBit’s “StealBit” platform.

The LockBit group targeted Australia’s Pareto Phone charity telemarketing group to devastating effect in August last year. That attack saw the information of nearly 50,000 charity donors from the nation’s leading charities leaked onto the dark web.

Affected charities included WWF Australia, the Australian Conservation Foundation and Plan International Australia. Many charities were infuriated that Pareto Phone allegedly retained customer data for years more than it should have.

Lockbit 2e53d7d023
Authorities posted this image on LockBit's internal site to demonstrate they'd taken control of the hackers' systems.

Global effort to bring down hackers

Scott Lee
AFP assistant commissioner Scott Lee

Operation Cronus was led by Europol, the UK’s national crime agency’s cyber division, the US Justice Department and the FBI. As well as the AFP, police in France, Germany, Switzerland, Japan, Sweden, Canada, the Netherlands, Finland, New Zealand, Poland and Ukraine were involved.

AFP assistant commissioner Scott Lee said the global taskforce’s investigation was a major breakthrough.

“This investigation has not only taken down the world’s most prolific ransomware group, but also damaged the group’s reputation and credibility beyond repair.

“We have obtained a vast amount of data from investigations so far and will continue to follow all leads and bring those responsible to justice,” Mr Lee said.

The AFP provided a link to the No More Ransom portal which would enable victims to decrypt data that used the LockBit encryption method.

Europol released these details of the wide-ranging operation.

The US Department of Justice in its media release described LockBit as “one of the most active ransomware groups in the world”, saying it had targeted more than 2,000 victims and received more than $184 million in ransom payments.

US Deputy Attorney General Lisa Monaco said the operation had “destroyed the online backbone of the LockBit group, one of the world’s most prolific ransomware gangs”, but would continue to pursue its criminal affiliates across the globe.

Related investigations over the past 18 months led to the jailing of a Russian-Canadian dual citizen this month.

Mikhail Vasiliev was caught in his garage trying to extort three Canadian companies by encrypting computer systems and demanding hundreds of thousands of dollars.

Authorities named Vaisiliev and four other Russian nationals as targets of the LockBit investigation.

Despite the action, reports suggest that LockBit criminals have already re-emerged using new encrpytors and servers.

Phone Call Centre i Stock 938430346
The Pareto Phone telemarketing operation shut down after the massive breach.

Pareto Phone breach probe continues

Australia’s privacy watchdog, the Office of the Australian Information Commissioner (OAIC), is continuing an investigation into the Pareto Phone breach, which it launched in late October.

The investigation appears likely to be completed by late this year, and is expected to examine complaints by several charities that Pareto Phone held onto customer data for years after the information should have been deleted, in breach of privacy laws.

The OAIC is now working with the liquidators of Pareto Phone, given the telemarketing company collapsed owing $17.3 million soon after the hack, when most of its clients abandoned it.

OAIC data breach report Feb 2024
The OAIC's latest breach report outlines the nation's most vulnerable sectors.

The OAIC’s latest data breach report, released last month, showed breach notifications were up 19% in the six months to December 2023, with Australia’s health sector by far the worst affected. The report showed that malicious attacks remain the most common form of breach, and comprise two-thirds of all breaches. A separate study by Infoxchange suggested 12% of NFPs suffered a cybersecurity incident in the past year.

Australia Information Commissioner Angelene Falk used the latest report to reiterate the dangers of outsourcing personal data handling to third parties.

Ms Falk said the OAIC had witnessed a high number of multi-party breaches, most as a result of a breach of a cloud or software provider.

“Organisations need to proactively address privacy risks in contractual agreements with third-party service providers,” Ms Falk said.

Fundraising Institute Australia (FIA), the Australian Securities and Investments Commission (ASIC), and the Australian Charities and Not-for-profits Commission (ACNC) have also warned organisations in recent months to be more careful when dealing with third-party operators that have access to personal data.

Earlier this month, the Australian Signals Directorate (ASD) released a guide to cybersecurity for charities and not-for-profits. It forms part of a bank of resources available to the sector, including ICDA’s cybersecurity self-assessment tool, released last year.

The ASD’s guide provides suggestions on preventing attacks and preparing for them too.

More news

Become a member of ICDA – it's free!