Australia will set up a permanent operation comprising around 100 police and defence personnel to “hack the hackers”, with an immediate priority to target ransomware groups.
The personnel come together from the Australian Federal Police and Australian Signals Directorate under what is being termed a “joint standing operation”.
“This operation will collect intelligence and identify ring-leaders, networks and infrastructure in order to disrupt and stop their operations – regardless of where they are,” Attorney-General Mark Dreyfus and Minister for Cyber Security Clare O’Neil said on Saturday morning.
The operation will aim to “stop… incidents before they start”; in addition, “where incidents do take place… cyber criminals will be hunted down and their networks disrupted.”
The ASD has for several years said it has offensive capabilities to target and disrupt hackers, and use of these capabilities has occasionally been disclosed.
O’Neil said in a press conference from Melbourne that the permanent operation represented “a new model of policing”.
She said the two agencies had come together initially to coordinate a response to the Optus data breach. The announcement this morning formalises that arrangement.
"When Optus [was] hit, these two organisations started a new type of policing and a new partnership, and today we’re announcing that partnership will be formalised and made permanent,” O’Neil said.
“Around 100 officers across these two organisations will be a part of this permanent joint standing operation.
“Many of these officers will be physically co-located, working from the Australian Signals Directorate.
“The joint standing operation will not simply be responding to crimes as they affect Australians; they will be hunting these gangs around the world and disrupting the activities of these people.
“The smartest and toughest people in our country are going to hack the hackers.”
O’Neil said the work of the two agencies on high-profile attacks against Optus and Medibank “will not be obvious to everyone”, owing to the covert nature of the work.
“But I want to tell you that they have had an enormous impact on preventing harm that would have occurred in these two attacks,” O’Neil said.
“They have prevented significant harm.”
O'Neil said Australia was "waking up from a cyber security slumber that we've been in."
"When I look at previous years, you saw in 2020 and 2021 major attacks which are quite similar to Optus and Medibank happen in countries around the world.
"Now, what I know the Attorney-General and I would've really liked to see is real energy and focus behind this problem since that time. I don't think we got that, but you have it now.
"It should be beyond a shadow of a doubt from Medibank and Optus that this is an extraordinarily important thing for the government to be focused on."
O'Neil suggested it was unlikely that investigations into high-profile attacks would lead to arrests and jail time, hence the focus on "disruption" instead.
"I think we need to shift away from the mindset here that the only thing that means success [from a law enforcement perspective] is having someone behind bars," she said.
"There is an enormous amount that can be done which doesn't look in that exact direction, and I'm not going to go into the specifics but this term 'disruption' is what we're here to talk about."
Post-attribution actions
The AFP yesterday attributed the Medibank ransomware incident to one or more attackers operating out of Russia.
Dreyfus did not rule out diplomatic action as a result.
He said the government is "looking hard at Russia's diplomatic profile in Australia, and all options remain under consideration."
However, he added that the government's "preference is to maintain diplomatic channels, but diplomatic profiles must always be consistent with our national interest."