The fallout of the recent Optus breach got me thinking about a common occurrence: seller’s remorse… Most of us have experienced it. You feel like you’re getting a good deal, and then bang!  You realize you could have got more for your money if you’d only just waited that extra day. Although this might be a normal feeling for the average citizen, there’s an additional dimension involved when a threat actor demonstrates remorse. Is this morality kicking in? Or, more likely, is this genuine fear of being captured by the feds? 

This second option might be at play with the recent Optus data breach. The suspected perpetrator advertised the stolen Optus data for an extortionate amount of money one day, then did a complete 180 a few days later. They withdrew the data set from sale to protect those affected by the breach, and apologized for their initial actions.

Here at Digital Shadows (now ReliaQuest), we have been closely following the fallout from the breach and the behavior of the threat actor involved. This led us to review past examples of similar changes of heart, in which threat actors attempted to sell data following a successful breach only to retract the offer after some sort of morality intervention or attempt to go “good”.

WHAT WE KNOW

On 22 Sep 2022, the Australian telecommunications company Optus announced it had been the victim of a cyberattack and was “investigating the possible unauthorized access of current and former customers’ information”. Although Optus claimed it had shut down the attack upon discovery, this did not stop those responsible from accessing all sorts of customer information, including: “names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s license or passport numbers”. Optus stressed that neither payment details nor passwords had been accessed.

While we don’t know the exact date the cyberattack occurred or the amount of time the threat actor had access to the target system, we do know that customer information was exposed. Those whose data was exposed should maintain increased awareness across their accounts for fraudulent or suspicious behavior.

I DEMAND THE SUM OF 1 MILLION BEGILLION DOLLARS

On 23 Sep 2022, a user going by the moniker “optusdata” announced on the cybercriminal forum BreachForums that they were responsible for the Optus breach. They promised to sell the customer data in two parts. The first part would be composed of data affecting 11.2 million users of the telecommunication provider, while the second part would reveal 10 million addresses. The threat actor issued a warning to Optus, attempting to extort USD 1 million to prevent the sale, and issued a deadline of one week from the date the thread went live. The announcement indicated the lucky buyer would receive a USD 700,000 discount for purchasing both parts, but a sale wouldn’t be sanctioned until Optus had been given the chance to reply. 

Unsurprisingly, due to the high asking price and the BreachForums administrator verifying the data, the thread garnered significant attention from the wider forum community. We’re not necessarily talking about forum members chomping at the bit to be the lucky buyer. It was more chatter about the high-profile victim, and the significance of such a high-value sale being conducted on the forum, which would likely result in the forum’s reputation in the cybercriminal world skyrocketing.

HOW MANY TIMES CAN I SAY I’M SORRY

No sooner had the threat actor announced the sale of the Optus data, they appeared to change their mind. A few days later, they updated their original post to say that the data was no longer for sale and that the only copy of the information in existence had already been destroyed. What’s more, the threat actor issued a direct apology to both the Optus customers implicated and the telecommunications company itself, admitting that scraping the data was wrong in the first place. They added that they would have reported the exploit they used to compromise the system if Optus had had a bug bounty program in place.

Interestingly, the threat actor indicated that their thread had attracted “too many eyes,” likely intimating that something else was afoot and spooked those involved. Although we can hazard a guess and say this was likely the result of law enforcement intervention, the move does raise a few eyebrows. It’s made us, and many other dark web watchers, wonder whether a threat actor can suddenly feel a bout of remorse when the reality of their criminal actions hit home. That got us thinking, which threat actors have also pulled similar maneuvers in the past, when the gravitas of an event they were responsible for suddenly hit the headlines?

SORRY SEEMS TO BE THE HARDEST WORD

Unsurprisingly, instances of threat actors showing remorse are few and far between, but we identified a few examples. The first is the infamous Conti ransomware group leaking thousands of files belonging to the UK-based jewelry store Graff back in October 2021. The group proudly exposed the files across the Internet, but quickly saw the error of their ways when it was revealed that information pertaining to members of the royal families of the UAE, Qatar, and Saudi Arabia was also leaked. This led the group to publicly apologize and promise to review its internal processes to avoid similar occurrences in the future. Ultimately, an embarrassing event for a group that obviously feared consequences from Arab states.

Another example is the Ziggy ransomware collective, which transitioned away from a life of crime in February 2021. In an effort to make a fresh start and prevent future law enforcement action due to their past criminal endeavors, they promised to refund ransoms paid by each of their victims. While the sentiment was appreciated, the actions appeared to come on the back of an unrelated international law enforcement operation investigating ransomware activity. So in a sense, Ziggy jumped, rather than waiting to be pushed. Similar circumstances concerning law enforcement disruption saw the ransomware-as-a-service group Fonix move away from cybercrime around the same time, proclaiming that their abilities should be used for good rather than bad. Cue the slow clap at this point!

While it would be nice to think such threat actors genuinely could show remorse, in reality, this is unlikely. Ultimately, acts of remorse in these instances usually boil down to self-preservation and fear of prison time. However, if this results in less customer data being exposed to the Internet, then so much the better. Just remember that these examples are a drop in the ocean, and some date back to early 2021. While the few may seek redemption, there are a whole lot more out there who are thriving on quick pay days and finding your data to sell for profit.

FOR ALL THE LATEST AND GREATEST

If you’d like to stay on top of the latest developments for similar data breaches, including criminal insights and actions, then why not access our considerable library of material by taking a free seven day trial of Searchlight.  You can additionally get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to gain visibility of your organization’s threats and potential exposures.