Undetected cyber-attacks or your data on the street: What can ethical hackers do for victims of cybercrime?

Wouter Scherpenisse next to Max van der Horst

Last Thursday, it was announced that the Dutch Police and the Dutch Public Prosecution Service, among others, took part in the largest international operation against cybercrime to date: Operation Endgame. The operation struck a major blow by disabling a ransomware infrastructure. It also sought to establish who had become victims of this crime. It is now essential to inform these victims that their login credentials are no longer secure. The Dutch Institute for Vulnerability Disclosure (DIVD) plays an important role in this victim notification. DIVD is a voluntary organisation consisting mainly of 'ethical hackers' who scan the internet for vulnerabilities and notify the affected organisations. Wouter Scherpenisse, PhD candidate specialising in cybersecurity at Erasmus School of Law, puts some questions about Operation Endgame to ethical hacker Max van der Horst. Van der Horst is also a guest lecturer in the Law & Technology master's programme at Erasmus School of Law, and he works for DIVD.

Before we look at Operation Endgame, it is helpful to clarify for the reader what ethical hacking means. What do you mean by 'ethical hacking'?

"Specifically in the context of computers, 'ethical hacking' is breaking into systems for legal and constructive purposes. Ethical hackers try to find the vulnerabilities in (digital) systems that cybercriminals exploit, but with a code of conduct and the aim of reporting this vulnerability to the system's owner. This reporting process is also known as Coordinated Vulnerability Disclosure (CVD). At DIVD, a team of us scours the entire internet for such vulnerabilities with CVD as our goal. We do this according to some basic principles that ensure our work improves the world and does not unintentionally make it more unsafe. The Dutch Public Prosecution Service recognises this approach, and it can be described as follows:

  1. Societal need: our work is designed to prevent harm to the internet and its users, and we do not serve political, financial or personal purposes.
  2. Principle of proportionality: our investigation should not deteriorate the integrity and availability of online systems and serve the societal need with appropriate goals.
  3. Principle of subsidiarity: if there are multiple means to serve the societal need, we always choose the least impactful option."

And what does Coordinated Vulnerability Disclosure (CVD) mean?

"Coordinated Vulnerability Disclosure is exactly what the name implies: a coordinated way of reporting a vulnerability. This applies not only to a developer of vulnerable software but also to its users. The principle derives from so-called Responsible Disclosure, where a software or hardware developer was given time and space to resolve a vulnerability before it was published. For example, this time and space is needed to avoid making mistakes in the fix. However, another trade-off is that the longer one waits to implement the fix for a vulnerability, the more likely it is that cybercriminals will find it as well and start exploiting it. In the discussion around this trade-off, it became clear that the responsibility lies not only with the hacker, but also with the vulnerable organisation. For this reason, Responsible Disclosure was later changed to Coordinated Vulnerability Disclosure."

Operation Endgame is not the first incident in which the government has involved you. Could you tell us about other incidents in which you collaborated with governments?

"We are in close contact with over 30 governments worldwide with whom we cooperate regularly. This is necessary as the internet does not respect national borders. We work with the Dutch government but also have good contact with the US, Belgian, Austrian, and UK governments. Governments normally have limited legal authority to search for vulnerabilities and need a basis to ask for this data. In this, there is little room for proactivity, creating a gap in addressing serious vulnerabilities. DIVD takes this responsibility by scanning globally for vulnerabilities and reporting them directly to the owners of vulnerable systems in the first instance. However, it is common for us to come across government systems and other critical infrastructures that are also vulnerable. In these cases, we proactively provide this data to the government in question so that they can respond.

A good example is a global ransomware attack on a specific type of virtualisation software. Every minute, the number of servers attacked increased. Together, a DIVD colleague and I tried to be faster in finding vulnerable systems than the attacking criminals. We passed this data on to various governments. This is not only to share data proactively but also to decentralise addressing the vulnerability. When we started scanning, this global attack was not yet in the sight of the governments with which we ended up sharing data."

The government involves you in sensitive matters. That shows great confidence in your work. Yet, in practice, it is not easy to convince the organisations you want to support of your good intentions. How do you deal with this?

"It is actually quite logical for organisations to be sceptical. So would I be if I received an email out of the blue saying I am vulnerable and need to take action. I would also double-check whether it is a phishing email. Email is our biggest weapon but also our biggest problem. It is the best we have, but because it is also so widely used by criminals, that reduces its effectiveness. At DIVD, we try to address this by thinking carefully about our report text with communication specialists, extensively documenting and explaining what we do, giving additional information about what we found and when, and including external advice (such as that from a software developer). This gives a bit more confidence in a report text."

Now, let us take another look at Operation Endgame. Could you briefly explain what was going on there?

"Operation Endgame is an international police operation that took down six key networks in international cybercrime. This is the largest operation of its type so far and has resulted in four arrests, 100 servers confiscated, and 2,000 rogue domains seized. One of the main suspects is believed to have earned 69 million euros by renting out criminal infrastructure to launch ransomware attacks. This is just the start, by the way, as the operation is far from complete!"

And what has been DIVD's role in this operation?

"During the confiscation of the servers and taking down the networks, large quantities of stolen accounts were discovered. These included usernames or email addresses and their associated passwords. Given the existing legislation around privacy-sensitive information, the Police cannot approach citizens about this on their own. However, DIVD can. For this reason, the Police shared this data with DIVD so that we can approach the victims of these criminals to offer help. We are currently doing this for over 16 million people."

DIVD is a growing organisation. Where will it be in 10 years' time?

"Cybersecurity is becoming more and more important as time progresses. In a utopia, we would not be needed, but this does not seem to be within reach for the time being. However, we are moving with the times and encouraging further policy developments to make the (digital) world safer for everyone. We are and remain hackers: from our ideology, we will find the next problem to solve."
