China takes cyber war to Australia

State hackers try to avoid detection by working Australian business hours - except Chinese public holidays.


After stealing the confidential data of American and European companies, China's cyber spies are now training their sights on their country's latest key trading partner – Australia.

That's according to information from security firms FireEye/Mandiant and Context Information Security.

In a 13 October blog post, FireEye documents a series of recent targeted APT attacks by Chinese hackers on Australian mining and natural resources firms, and on the law firms advising them, which hold confidential mergers and acquisitions information and sensitive intellectual property. It reports at least one case of data theft from an Australian firm.

The investigation found that, at the time of compromise, the majority of victim firms “were in direct negotiations with Chinese enterprises or had previous business engagements with Chinese enterprises”.

In the post, FireEye/Mandiant's Australian director of investigations, Mark Goudie, says: “We suspect this to be government-commissioned cyber threat actors targeting Australian firms with a specific agenda: to gain advantage and control of assets both in physical infrastructure and intellectual property.”

FireEye does not name the businesses attacked but says the two main target areas are “clean energy” firms, a critical industry for China given its pollution problems, and iron ore producers, of which China is a heavy importer from Australia.

The findings are supported by Context Information Security whose Australian head, Scott Ceely, told the Australian Financial Review (AFR) this week that it has seen a “dramatic resurgence” in attacks by the Chinese state-backed APT1 cyber espionage group.

Ceely said Context had recently alerted six Australian organisations to strategic ‘watering hole’ attacks, including businesses and think tanks.

He told AFR most “state-sponsored” hacking in Australia was Chinese in origin, although Context had “detected some remnants of the Russians, who are always much better at cleaning up”.

Goudie at FireEye told AFR that the hackers are attempting to avoid detection and attribution by working Australian business hours; the disguise is imperfect, though, because their activity drops off sharply during Chinese public holidays.
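Goudie's observation is a temporal attribution heuristic: an operator can schedule activity to match the victim's working day, but a holiday calendar that differs from the victim's still leaks through as a drop in daily volume. The Python below is an added illustration of that check and is not FireEye's or Context's tooling. It takes timezone-aware UTC event timestamps (C2 beacons or session starts pulled from proxy or EDR logs), reports what share of them fall inside business hours when viewed from Sydney and from Beijing, and compares the average daily event count on Chinese public holidays with that on ordinary weekdays. The beacon timestamps and the holiday calendar (a simplified National Day week, 1–7 October, without the official swapped working weekends) are constructed for the example; the function names are the author's own.

```python
"""Time-of-day and holiday profiling of attacker activity (added example, not FireEye's tooling).

Input: timezone-aware UTC datetimes, e.g. C2 beacon or interactive-session start
times from proxy or EDR logs. Output: the share of events inside business hours in
a candidate operator time zone, and the average daily event count on Chinese public
holidays versus ordinary weekdays.
"""
from collections import Counter
from datetime import date, datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    SYDNEY = ZoneInfo("Australia/Sydney")   # follows AEST/AEDT transitions
    BEIJING = ZoneInfo("Asia/Shanghai")     # China observes no DST
except Exception:  # no tz database on this host: fixed offsets, DST ignored
    SYDNEY = timezone(timedelta(hours=10), "AEST")
    BEIJING = timezone(timedelta(hours=8), "CST")

# Assumed, simplified holiday calendar for the example: China's National Day week.
# A real analysis would load the official calendar, including swapped working weekends.
CHINA_HOLIDAYS = {date(2014, 10, d) for d in range(1, 8)}


def in_business_hours(ts_utc, tz, start=9, end=17):
    """True if ts_utc falls on a weekday between start and end o'clock in tz."""
    local = ts_utc.astimezone(tz)
    return local.weekday() < 5 and start <= local.hour < end


def business_hour_share(events, tz):
    """Fraction of events inside business hours when viewed in tz."""
    if not events:
        return 0.0
    return sum(in_business_hours(e, tz) for e in events) / len(events)


def holiday_vs_normal_rate(events, window_start, window_end, holidays, tz=BEIJING):
    """Average events per weekday on holidays vs. other weekdays, on tz's calendar.

    Weekdays with zero events inside the window count as zero; that is what makes a
    holiday drop-off visible. Counting only days that have events would hide it.
    """
    per_day = Counter(e.astimezone(tz).date() for e in events)
    hol, norm = [], []
    d = window_start
    while d <= window_end:
        if d.weekday() < 5:
            (hol if d in holidays else norm).append(per_day.get(d, 0))
        d += timedelta(days=1)
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return mean(hol), mean(norm)


def constructed_events(window_start, window_end):
    """Constructed sample data: an operator who beacons four times a day inside
    Sydney office hours on ordinary weekdays and only once on Chinese holidays."""
    events = []
    d = window_start
    while d <= window_end:
        if d.weekday() < 5:
            times = [(10, 0)] if d in CHINA_HOLIDAYS else [(9, 30), (11, 0), (14, 15), (16, 40)]
            for h, m in times:
                local = datetime(d.year, d.month, d.day, h, m, tzinfo=SYDNEY)
                events.append(local.astimezone(timezone.utc))
        d += timedelta(days=1)
    return events


def analyse(window_start=date(2014, 9, 22), window_end=date(2014, 10, 17)):
    """Run the profile over the constructed window and return the headline numbers."""
    events = constructed_events(window_start, window_end)
    hol, norm = holiday_vs_normal_rate(events, window_start, window_end, CHINA_HOLIDAYS)
    return {
        "events": len(events),
        "sydney_business_share": business_hour_share(events, SYDNEY),
        "beijing_business_share": business_hour_share(events, BEIJING),
        "holiday_daily_rate": hol,
        "normal_daily_rate": norm,
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
```

On the constructed data every event sits inside Sydney office hours, so the time-of-day view alone points at an Australian operator; only the holiday comparison (one beacon a day during the National Day week against four on other weekdays) exposes the mismatch. In practice the same two numbers should be computed over several candidate time zones and holiday calendars, since a single fit proves little on its own.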

He added: “There is a very strong correlation between an APT attack on an Australian entity and interacting with a Chinese state-owned enterprise.”
