Hack-back in the Real World

ProtonMail recently (and briefly) bragged about shutting down a phishing campaign that targeted it by hacking back the phishing server. (link) The phishers had obtained access to the website of a graduate school in South Jakarta, Indonesia (sps-perbanas.ac.id, "Sekolah Pascasarjana Perbanas") and placed their phishing pages in a new or unused subfolder. Phishers commonly look for insecure legitimate websites on which to host their fake login pages, to help avoid detection or categorization as a phishing site. ProtonMail somehow obtained equivalent access and deleted the phishing pages from the server (apparently without affecting the rest of the site), stopping the campaign immediately, and then ensured that "the owner of the site has gotten the assistance they need to secure their server."
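The pattern described above, a phishing kit dropped into a new or unused subfolder of an otherwise legitimate site, is something the site owner can detect without anyone hacking anything. The following is an added example, not code from the original post or from ProtonMail: it baselines a web root by file hash, then flags files that are new or modified since the baseline and that contain a password form. All paths and page contents are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Signal for a credential-harvesting page: an <input type="password"> field.
CRED_FORM_RE = re.compile(r'<input[^>]+type=["\']?password', re.IGNORECASE)


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(old, new):
    """Return (added, changed, removed) relative paths between two snapshots."""
    added = sorted(set(new) - set(old))
    changed = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    removed = sorted(set(old) - set(new))
    return added, changed, removed


def looks_like_login_page(path):
    """True if the file contains a password input, regardless of extension."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return False
    return bool(CRED_FORM_RE.search(text))


def find_suspicious(root, old, new):
    """Added or modified files since the baseline that carry a password form.

    Unchanged files are ignored, so the site's own legitimate login page,
    present in the baseline, is not reported.
    """
    added, changed, _ = diff_snapshots(old, new)
    return [f for f in added + changed if looks_like_login_page(Path(root) / f)]


def demo():
    """Build a constructed site, take a baseline, plant a fake kit, and scan."""
    root = Path(tempfile.mkdtemp())
    # Constructed baseline: a home page and the site's genuine login page.
    (root / "index.html").write_text("<html><body>Welcome</body></html>")
    (root / "login.html").write_text(
        '<form action="/auth"><input name="user">'
        '<input type="password" name="pass"></form>'
    )
    baseline = snapshot(root)

    # Constructed compromise: a new unused subfolder holding a fake mail login.
    kit = root / "old_assets" / "mail"
    kit.mkdir(parents=True)
    (kit / "verify.php").write_text(
        '<form method="post"><input name="email">'
        '<input type="password" name="pw"></form>'
    )
    current = snapshot(root)
    return find_suspicious(root, baseline, current)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious new/changed credential form:", hit)
```

Run it on a real web root by taking a snapshot at deploy time, storing it outside the web root, and comparing a fresh snapshot on a schedule; anything reported is a candidate for the kind of cleanup the post says the site owner eventually received.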

Earlier this year, a member of the US Congress (Rep. Tom Graves) proposed the "Active Cyber Defense Certainty Act (ACDC)" to amend US law to allow private entities, with mandatory reporting requirements to law enforcement, to conduct certain forms of hack-back to attribute breaches to the responsible individuals and prosecute them.

Following this proposal, discussion online exploded in articles, posts, and Twitter comments, in large part incredulously declaring that it was a bad idea to allow hack-back and that third-party systems would inevitably be hurt. I found it interesting that none of these denunciations' tales of woe included any examples of such a thing happening in the real world. If you want to know what will happen when people hack back, should you not start with what has happened when people do that exact thing? My timeline was filled with "If people tried hack-back, this would happen!" but you don't have to hypothesize. You can see what did happen in the myriad examples of hack-back in the real world. So below I assembled a list of publicly recorded hack-backs, with the results of each and references to original sources. I have only included elements that I believe meet the definition of illegal activity under the Computer Fraud and Abuse Act, that is, unauthorized access to one or more computers, such as via exploit or other means, and have not included administrative actions or court orders against domains, IP blocks, etc.

Google Sheets link

It is relevant to point out that even though each of these actions was likely illegal, law enforcement does not seem motivated to prosecute the individuals and organizations who hacked back; as far as I know, none of them faced charges.

It is also relevant to point out that, contrary to how it was depicted in numerous online forums, the ACDC bill specifically does not allow destructive actions against any other entity's systems or data. That means that even under the ACDC, ProtonMail's actions in this case would not appear to be allowed, unless they had affected only ProtonMail's own data and no one else's (and not the functionality of the phishing site).

Hack-Back is Pervasive

The above table represents only the public descriptions of a few isolated examples in which individuals admitted to hacking back even though such actions are likely illegal. A much stronger picture emerges when anonymity is granted. A few years ago, a survey of 181 information security professionals found 36% admitted to "Retaliatory Hacking" or hacking back. Even under very conservative assumptions, extrapolating to all information security professionals, or even just all information security professionals with offensive skills/training/experience, there have likely been thousands if not tens of thousands of examples of hack-back in the real world.

Hack-back is not rare; it is a pervasive tactic commonly used by actors ranging from individuals to companies to governments. It is a key component of many investigations and actions to identify perpetrators and thwart malicious activity. It has a strong documented track record of helping large numbers of victims without causing additional harm.
