
The “Hacking Back” Hullabaloo

Sophos’ CISO to The Stack on its firewall kernel implant: “We were aware we were taking unusual steps”

Ransomware has cost billions in damages and extortion payments in recent years, as well as considerable emotional strain for those dealing with the fallout. The CEO of almost every victim has no doubt thought – either briefly and wishfully, or at great and furious length – “can’t we hit these b******s back where it hurts and screw with their systems too?”

Most realise swiftly, after this rush of blood to the head, that a) this would be illegal in almost every jurisdiction and b) cybercriminals and nation-state threat actors alike launch their attacks from compromised systems belonging to unwitting third parties; even a well-resourced enterprise red team may struggle to track advanced actors. “Hacking back” would most likely just cause collateral damage.

Yet as ransomware incidents continue to play out and cyber-espionage by nation states and their proxies becomes more egregious (Russia’s FSB has gone “a bit feral” as MI6 Director Richard Moore recently put it, and China’s hackers are notorious for having little time for the “gentleman’s game” approach), the idea of aggressively “hacking back” has raised its head again, in both the private and government sectors.

(The latter, of course, already engages in intelligence-related offensive cybersecurity, but it is typically not a bluntly reactive nor destructive tool.)


And a brace of private-sector cybersecurity reports this month have put “hacking back” (a term many disparage as meaningless; more on that below) back in the spotlight. Both Sophos and Unit 42 detailed their work against adversaries: in Sophos’s case, the use of “targeted kernel implants deployed to the attackers’ research devices” to learn more about their behaviour and campaign; in Unit 42’s, “files obtained from the rogue endpoints and subsequent investigation.” (Both incidents essentially involved the vendor in question “re-breaching” its own compromised products.)

To Ken Dunham, Director, Cyber Threat at Qualys Threat Research Unit: “Hacking back is complicated. For example, the removal of a botnet may appear ‘good’ on the surface, but might have unintended consequences, such as crashing a critical system or triggering malware payloads that you didn't realize were in place, resulting in damage to infected systems.”

Whilst recognising that “hacking back is now commonly part of every nation-state toolset for cyber warfare offensive and defensive capabilities in 2024”, he noted to The Stack that “in the world of CTI and penetration testing, we require in a ‘rules of engagement’ (ROE) document legal permission with parties being assessed the rights to go beyond scanning to attempted authentication, authorization, and access. It's important to note that even scanning a military network in some countries is a crime and may result in a formal response, which is why ROE must identify clearly targets of attack (e.g. IP and domain) in scope to avoid mistakes…”


Of Sophos’s campaign, the company's CISO Ross McKerchar told The Stack that Sophos had “worked closely with our legal counsel, industry partners and agencies around the world throughout this to ensure that our responses were the best technical and legally grounded responses to the threat…” and, when asked whether he thought Sophos’s activity constituted “hacking back”, responded that there “isn’t a black and white definition on the term hacking back. It means different things to different people…”

“The kernel implant provided EDR-like capabilities designed to withstand evasion and eviction. EDR technologies monitor activity at the kernel level and analyze it to identify potentially malicious behavior.”

Sophos CISO McKerchar added: “It’s important to understand that these were compromised devices that were creating exploits targeting Sophos devices. This was a calculated and targeted response to that. While we were aware we were taking unusual steps here, our guiding principle was to protect our customers to the best possible extent…”


Aaron Bishop, Founder and CEO of Novous backed that effort, telling us: “I applaud the efforts and visibility that Ross and the X-Ops team have made. Defending a company’s customers and employees from persistent, state-sponsored attacks is paramount, and understanding an attacker’s tactics, techniques, and procedures (TTPs) is essential to achieve that.”

He added: “Breaching an attacker’s infrastructure - even with good intentions - raises ethical and legal concerns. Compromising adversarial systems to gather intelligence could be considered ‘hacking back’. 

“However, in the case of Sophos, they’re not doing anything malicious; they're monitoring with legitimate interest and preventing attacks - nothing that can’t be covered with a good EULA and Service & Diagnostic Monitoring agreement. This ‘hack back’ approach can provide some invaluable insights into how and where attackers plan to strike, potentially preventing massive security breaches, and the Sophos report proves that.”

Hacking back? "An amateur phrase"

Andrew Thompson, Head of Research and Discovery at Google Threat Intelligence, posted on X: “The fact that people are referring to creative intelligence collection activities as ‘hack back’ further illustrates the huge divide between those operating at the highest level and everyone else.

“I have implored serious people to stop using the phrase ‘hack back’... It's an amateur phrase that lacks sufficient nuance... Maybe that's the point though. If you use that phrase, you aren't serious,” Thompson added.

One “unserious” person using that phrase in recent weeks was former NSA Cybersecurity Director Rob Joyce, who posted on October 30 that “I hear hack back as a solution to intrusions, and disagree. Compromised machines in friendly/ neutral countries will be targeted, risking harm to innocents. The diplomatic implications are already severe. Hack back is inherently a governmental function. Cyber doesn’t stop cyber”, he added somewhat cryptically, presumably warning the private sector off.

"Please identify a single demarche..."

The immediate response from a former intelligence agent turned academic, JD Work: “Please point to a single case of collateral damage in the last three decades of unilateral private sector initiated countercyber operations that was even noticed. Let alone weighed in equivalent impact to targeted threat activity suppressed or disrupted. Please identify a single demarche resulting from negative reaction to intervention…” 

Joyce did not reply.

Sophos’s CISO’s reference to working with “agencies around the world throughout this”, meanwhile, suggests that explicit or implicit sign-off from three-letter agencies is sought before a counter-offensive cyber operation of this kind.

How many truly “unilateral” private-sector countercyber operations, beyond requests for takedowns of malicious IPs, have genuinely gone unnoticed by, or without the tacit approval of, government stakeholders is debatable.


So is compromising an attacker's infrastructure to understand its tools, tactics and procedures considered “hacking back”? By most, insofar as the term has any validity. It can certainly “blur the lines”, notes Sysdig’s Crystal Morin: “while it’s not technically hacking back in the conventional sense, it’s still a high-stakes decision. Ultimately, understanding TTPs is invaluable, but gaining that insight by breaching adversarial systems risks escalation if not done carefully and with legal guidance…” she wrote.

And, just maybe, sign-off from a three-letter friend that may itself have been a victim of the people you are hacking back against.

Sophos, after all, had found malware on an unnamed intelligence agency’s Sophos firewall during “routine threat hunting” in 2023. In that incident, the attackers had “inserted a hook into the firmware upgrade process [that] wrote the backdoor into the temporary partition used for the new firmware before the device rebooted, allowing it to survive firmware upgrades…to bypass integrity checks, the attacker also swapped out the binaries that verify the cryptographic signature in the firmware.”
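The persistence trick quoted above has two moving parts, and the second is the interesting one: hooking the upgrade path lets the attacker write into the staged image, but the genuine signature check would then reject that image, so the attacker also has to replace the verifier binary. The toy model below, added here as an illustration and not code from The Stack or the Sophos report, plays out both halves and then shows the check that defeats the swap: measuring the verifier binary against a hash pinned outside the attacker's reach before trusting its verdict. The device class, hook, verifier "binaries", HMAC stand-in for a real signature scheme, and all keys, images and markers are constructed for the example.

```python
# Added example, not from the article or the Sophos report: a toy model of a
# firmware-upgrade hook plus verifier swap, and the measurement check that
# catches the swap. All keys, images, hashes and names here are constructed.
import hashlib
import hmac

# Constructed vendor signing key; HMAC-SHA256 stands in for a real signature scheme.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign(image: bytes) -> bytes:
    """Vendor side: produce the 'signature' shipped alongside a firmware image."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A verifier is modelled as the bytes of its on-disk binary plus what that binary
# does when run. The genuine one checks the signature; the rogue one the attacker
# swaps in accepts anything.
GENUINE_VERIFIER = {
    "code": b"genuine-verifier-binary-v1",
    "run": lambda image, sig: hmac.compare_digest(sign(image), sig),
}
ROGUE_VERIFIER = {
    "code": b"rogue-verifier-binary",
    "run": lambda image, sig: True,
}

BACKDOOR = b"<constructed-backdoor-marker>"


class Firewall:
    """Minimal model of a device that stages new firmware in a temporary partition."""

    def __init__(self) -> None:
        self.active = b"firmware-v1"
        self.temp_partition = None
        self.verifier = GENUINE_VERIFIER
        self.upgrade_hooks = []  # code an attacker with root on the device can insert

    def upgrade(self, image: bytes, sig: bytes) -> bool:
        # 1. Write the new image to the temporary partition.
        self.temp_partition = image
        # 2. Anything hooked into the upgrade path runs before verification and reboot.
        for hook in self.upgrade_hooks:
            self.temp_partition = hook(self.temp_partition)
        # 3. Integrity check: the device trusts whichever verifier binary is installed.
        if not self.verifier["run"](self.temp_partition, sig):
            self.temp_partition = None
            return False
        # 4. 'Reboot' into the staged image.
        self.active, self.temp_partition = self.temp_partition, None
        return True


def implant_hook(staged_image: bytes) -> bytes:
    """Attacker's hook: write the backdoor into the staged firmware."""
    return staged_image + BACKDOOR


def compromise(device: Firewall, swap_verifier: bool) -> None:
    device.upgrade_hooks.append(implant_hook)
    if swap_verifier:
        device.verifier = ROGUE_VERIFIER


# Defender side: the expected measurement of the verifier binary. Assumption for
# this example: it is anchored somewhere the attacker cannot rewrite (boot ROM,
# signed bootloader, TPM PCR), not on the same writable filesystem as the verifier.
PINNED_VERIFIER_HASH = sha256_hex(GENUINE_VERIFIER["code"])


def measured_upgrade(device: Firewall, image: bytes, sig: bytes) -> bool:
    """Refuse to consult a verifier whose measurement does not match the pinned value."""
    if sha256_hex(device.verifier["code"]) != PINNED_VERIFIER_HASH:
        return False
    return device.upgrade(image, sig)


def run_scenarios() -> dict:
    new_fw = b"firmware-v2"
    sig = sign(new_fw)
    results = {}

    clean = Firewall()
    results["clean_upgrade_ok"] = clean.upgrade(new_fw, sig)

    # Hook alone is not enough: the genuine verifier rejects the modified image.
    hooked = Firewall()
    compromise(hooked, swap_verifier=False)
    results["hook_only_accepted"] = hooked.upgrade(new_fw, sig)

    # Hook plus swapped verifier: the backdoored image passes and survives the upgrade.
    pwned = Firewall()
    compromise(pwned, swap_verifier=True)
    results["hook_and_swap_accepted"] = pwned.upgrade(new_fw, sig)
    results["backdoor_survived"] = BACKDOOR in pwned.active

    # Same attack against a device that measures its verifier before trusting it.
    measured = Firewall()
    compromise(measured, swap_verifier=True)
    results["measured_upgrade_accepted"] = measured_upgrade(measured, new_fw, sig)
    results["measured_backdoor_survived"] = BACKDOOR in measured.active
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The caveat a practitioner will want: the pinned hash only helps if it, and the code that does the measuring, live somewhere a root-level attacker on the device cannot rewrite. If both sit on the same writable partition as the verifier, the attacker simply swaps the pinned value along with the binary, which is exactly the class of integrity check the quoted incident bypassed.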

That might, just might, have upset someone enough to sanction a response by Sophos; one that has certainly triggered a lot of industry debate. 
