Cyber-attack on Austria was expected, nation-state adversary suspected

F-Secure's report listed Austria as the second top destination for cyber-attacks in H1 2019, leaping up from the fifth position in H2 2018

Austria's foreign ministry is slowly recovering from the targeted cyber-attack that happened over the weekend. However, an earlier research report by F-Secure indicated that the attack was waiting to happen.

F-Secure’s latest Attack Landscape report found that Austria was the second top destination for attacks in H1 2019, leaping up from the fifth position in H2 2018. 

The Austrian foreign ministry confirmed the attack on 4 January. No further updates are available on the present status, countermeasures or the source of attack, but the ministry press release said a state actor might be involved.

"Due to the severity and the nature of the attack, it cannot be ruled out that it is a targeted attack by a state actor. In the past, some European countries have been targeted for similar attacks," the press release said.

In the F-Secure report, Russia-Austria stood eighth in the aggressor-to-target list. A request for comment by SC Media UK to a Russia-based cyber-security giant was turned down "due to the geo-political nature" of this development.

Interestingly, the cyber-attack happened on the day Austria's Green party announced its support for a coalition with the Conservatives. The current political situation in Austria could be related to this activity, but this is still speculation, said Tom Van de Wiele, principal security consultant at F-Secure. 

"It all depends on what the attacker is interested in. It could be to sway public opinions, spread disinformation, disrupt services or to change the narrative on certain events happening in the world. Or it could be more direct attacks aimed at infrastructure or the people part of an organisation, country or company for the purpose of theft or industrial espionage," he told SC Media UK.

"All of these examples need time and resources. So a lot of reconnaissance and intelligence gathering is performed 24/7 to ensure that when an attack has to be conducted, at least part of the preparation work has been carried out to help maximise the success of the attack."

Although the scale of the attack indicates the involvement of state machinery, mercenaries could also be involved for their ground knowledge and "plausible deniability" if caught, Van de Wiele said.

"From what we have seen from past criminal gangs and nation states alike, there are no phases as part of the cyber kill chain that are mutually exclusive when it comes to doing things in-house or when outsourcing to mercenaries. The attacker has to make the trade-off between the risk of getting caught and 'burning' their technical assets -- exploits and infrastructure -- versus the potential success of their attack while looking at the cost of preparing and performing the attack and its potential aftermath," he explained.
