Can the Mossos d'Esquadra act as hackers?


Oliver Thansan
04 April 2023 Tuesday 21:54

The Mossos d'Esquadra confirmed yesterday that they had done what they announced on March 30 they would do: launch a DDoS (denial-of-service) attack against the servers of the RansomHouse group on the dark web. These servers contained 4.5 GB of data stolen from the Hospital Clínic de Barcelona in the cyberattack on March 5. This data is only proof, and a small part, of everything that the hackers stole from the hospital's servers. The information had also been available since March 30 to anyone who accessed the Tor network with the appropriate browser, something that requires more courage than technical knowledge.

Anyone who ignored the warning from Ramon Chacón, head of the General Criminal Investigation Commission of the Catalan police, who said that "we will detect and prosecute and bring before a judge any person or institution that downloads or makes use of this data", has had practically six days to get hold of it.

But since midday yesterday, if you try to access that Tor network server, the site appears as disabled, which shows the success of the Mossos d'Esquadra's action.

"The Mossos act as judicial police and for this reason they always do so under the supervision of a judge," says lawyer Albert Agustinoy, a partner at the Cuatrecasas law firm. "In addition, they have not intervened in an ordinary web page, but in one that was used to carry out criminal activity, and therefore, even under the principle of minimal intervention, this is a measure that they could take," Agustinoy adds. Despite being classified as a crime, this type of computer attack continues to be the one most commonly carried out by hackers.

DDoS attacks are one of the most common techniques used by hackers and consist of trying to make a website unavailable by overwhelming it with malicious traffic. In this type of attack, several computers request information from a server at the same time and in a coordinated manner until the server's capacity to respond is exceeded, which ends up blocking it and making access impossible.

Since the reform of the Criminal Code of 2011, carrying out this type of DDoS attack without authorization is not only illegal but also constitutes a crime under article 264.2 of the code, and is therefore punishable with sentences of six months to three years in prison. That article says that "anyone who by any means, without authorization and in a serious manner, deletes, damages, deteriorates, alters, deletes or makes inaccessible computer data, computer programs or other electronic documents, when the result produced is serious, will be punished with imprisonment from six months to three years."

A cybersecurity expert consulted by La Vanguardia, who requests anonymity, explains that "it is worth asking how the Mossos have done it, since in the event that they do not have the infrastructure to carry out an attack of this type, they will have had to hire it and pay for it with public money. Who?" he asks himself first of all. "I don't think that the Mossos have 10 million PCs around the world to be able to initiate DDoS. I also don't think you can enter Tor by falsifying the origin, so I don't see clearly how to escalate a DDoS from a single access point either. Tor has little bandwidth, which makes it difficult to launch so many simultaneous requests," explains this expert.

But there is more. "Tor was created by DARPA (Defense Advanced Research Projects Agency) in order to have a private, secure, untraceable and, above all, non-destructible communication mechanism. It is used by the US Navy and Army in war zones, for example, which makes me doubt that it is really possible to launch a DDoS exclusively from Tor, unless they have been caught by a site in the physical world," he adds.

The fact that it is not trackable or traceable means, basically, that it is practically impossible to know where the servers are physically located. Some jurists say this could pose a legal problem of territorial jurisdiction that, depending on how you look at it, would make an action like this illegal, because a judge can only authorize these actions in Spanish territory. And then there are the side effects. "A DDoS attack always harms more actors than the one against which it is directed," explains the cybersecurity expert.

On the other hand, “DDoS is a brute force attack and if it is done well it cannot be stopped. But at the same time, it's getting harder and harder to get it right and effective, because servers are hidden behind content delivery networks (CDNs) that serve up a cached version of the content hosted on the servers, distributed in many parts of the world, which makes it difficult to take down the original servers, because it is impossible to know where they are. You can attack the CDN, but after a short time, if everything is configured correctly, you will be able to recover and be online again,” says this expert. “If these servers are on the Tor network, they are usually very simple pages that are not dynamic, that can be re-launched in a very short time, so a DDoS attack can successfully block access, perhaps for a very short period of time,” concludes this expert.

Along the same lines, Ramon Chacón explained, on the same day that RansomHouse made the stolen information public, that although they initially blocked two cybercriminals' servers on two different continents, they were ultimately unable to prevent part of it from being published. Chacón acknowledged that once the information reaches the dark web, where it is not indexed, it is impossible to eliminate it because it is impossible to locate the servers.

As the Mossos have explained, what can be expected now is that RansomHouse will continue to publish more data and that the game of cat and mouse between hackers and the police will continue.