After stealing the confidential data of American and European companies, China's cyber spies are now training their sights on their country's latest key trading partner – Australia.
That's according to information from security firms FireEye/Mandiant and Context Information Security.
In a 13 October blog post, FireEye documents a series of recent targeted APT attacks by Chinese hackers on Australian mining and natural resources firms and on their advisory law firms, which hold confidential mergers and acquisitions information and sensitive intellectual property. It reports at least one case of data theft from an Australian firm.
The investigation found that, at the time of compromise, the majority of victim firms “were in direct negotiations with Chinese enterprises or had previous business engagements with Chinese enterprises”.
In the blog, FireEye/Mandiant Australian director of investigations, Mark Goudie, says: “We suspect this to be government-commissioned cyber threat actors targeting Australian firms with a specific agenda: to gain advantage and control of assets both in physical infrastructure and intellectual property.”
FireEye does not name the businesses attacked but says two main target areas are “clean energy” firms – a critical industry for China with its pollution problems – and iron ore producers, where China is a heavy importer from Australia.
The findings are supported by Context Information Security, whose Australian head, Scott Ceely, told the Australian Financial Review (AFR) this week that it has seen a “dramatic resurgence” in attacks by the Chinese state-backed APT1 cyber espionage group.
Ceely said Context had recently alerted six Australian organisations, including businesses and think tanks, to strategic ‘watering hole’ attacks.
He told AFR most “state-sponsored” hacking in Australia was Chinese in origin, although Context had “detected some remnants of the Russians, who are always much better at cleaning up”.
Goudie at FireEye told AFR that the hackers are attempting to avoid detection and attribution by working Australian business hours – except their activity drops off sharply during Chinese public holidays.
He added: “There is a very strong correlation between an APT attack on an Australian entity and interacting with a Chinese state-owned enterprise.”
In its blog, FireEye/Mandiant warns the attacks may well spread to other industry sectors and government targets.
Goudie says: “Although this blog focuses on acts against large Australian mining and resources sectors, Mandiant has observed these APT actors often focusing their attention on other sectors such as defence, telecoms, agriculture, political organisations, high technology, transportation and aerospace, among others.
“The broader lesson and message - drawing from US and European experience with Chinese attacks - is that no-one is or will be exempt. For all Australian businesses and governments, it's time to fortify defences for a new era of cyber security.”
Commenting on the reports, UK information security researcher and author David Lacey, an expert on APT attacks, said he was less surprised that the Chinese were targeting Australia than that they had been spotted.
He told SCMagazineUK.com: “To me that comes as no surprise. It's more of the same really - why should Australia not be attacked? In fact I can't believe there are only a couple of countries in the world attacking everyone.”
But Lacey added: “If it's been detected, it may not be the most sophisticated attack. I would expect that if you were launching an attack today you'd expect them to be bypassing some of the technologies that are in place.”
FireEye said China and Australia are currently negotiating a free trade agreement that is likely to be in place by the end of this year and that Australia has experienced unprecedented trade growth with China over the last decade.
“But this has created a double-edged sword,” Goudie blogged. “In the US and Europe, Chinese attacks on government and private industry have become a routine in local newspapers. Australia, it seems, is the next target.”