‘Dangerous to speculate’ over state-based cyber-attack on Australia without evidence and threat intelligence

News by Andrew McCorkell

Experts have warned of the dangers of jumping to conclusions after Australia's Prime Minister Scott Morrison confirmed government and institutions were targeted.

Australian Prime Minister Scott Morrison has said that the nation's government and institutions are being targeted by ongoing “sophisticated” state-based cyber hacks.

The cyberattacks were confirmed as widespread across "all levels of government" including in essential services and businesses.

But as some speculated as to the source, Morrison declined to identify a specific state actor while confirming that no major personal data breaches had taken place.

Matt Lawrence, director of detection and response at F-Secure said: “Some are pointing the finger at China for these cyber-attacks and, while we have seen some Chinese APT groups ramping up their attacks, we wait to see if the evidence is released publicly that confirms they are directly targeting Australia. Although it's reasonable to assume that such a country is being targeted by a range of cybercriminals and state-sponsored threat actors, it's dangerous to speculate further without appropriate evidence and threat intelligence.

"Whether the government is forthcoming with the information over time or not, especially where criminal actor groups with a financial gain objective are concerned, all organisations in the region should pay attention to their security posture and, in particular, their ability to detect and respond to attacks effectively.”

When asked to identify the source, the Australian PM said he would not make "any public attribution".

Experts have long linked various hacks in Australia to China, one of the few countries, alongside Russia, North Korea and Iran, that has no alliance but does have the capacity for these kinds of attacks.

Joseph Carson, chief security scientist at Thycotic, said that the news of sophisticated nation-state cyberattacks targeting Australia should set off alarms around the world.

Carson said: “However the lack of information released from the Australian Government also raises more questions than it answers. Using words such as sophisticated without any context or nation-state actors without evidence of attribution reduces the confidence of the statements.

“It is critical to be clear on the cyberattack: on what stage it is at and what companies should know in order to detect and protect against such attacks. If the attack is indeed targeting both government and industry then we must know what techniques are being used so we can all work together to respond effectively.

“During such times, governments must work with industry to have a collaborative approach and response. Now is the time for Australia to strongly consider a Cyber Defence League such as the one that Estonia implemented after the cyberattack in 2007 so that cyber volunteers can bring their expertise to defend against cyberbullying.”

The attacks took place across many months and are increasing, the Australian PM said as he tried to increase public awareness while asking businesses to improve their security.

In 2019, Australia's parliamentary network was attacked, the Australian National University was hacked by a sophisticated operation which had accessed staff and student details, and the nation's main political parties and parliament were subject to a "malicious intrusion" earlier in 2019, which was also sourced to a "sophisticated state actor".

Eoin Keary, CEO and founder of Edgescan, said that it was “interesting” the attack had been highlighted, as nation-state attacks are not uncommon and occur on a continuous basis.

Keary said: “There is a general belief that government networks and systems, of which there are thousands, with networks the scale of a huge enterprise, are underfunded and less secure than private corporation systems. Nation-state actors will hunt for anything which will give them a foothold across the full stack of a network.

“The challenge for governments is trying to stay on top of the constant flow of new vulnerabilities that are discovered on a daily basis. When securing systems at such a large scale, continuous visibility is of paramount importance in order to detect and mitigate weakness in a timely manner. Continuous testing and vulnerability detection is also key. The days of annual, once-off pen testing just don’t scale to defend against industrial level hacking by nation states or large cybercrime groups.”

Miles Tappin, vice president, EMEA at ThreatConnect, agreed that the notion of nation-state hacking is not a new phenomenon and that in recent months there has been a drastic increase across the board.

Tappin said: “Many organisations and, indeed, governments have been under incredible pressure during the outbreak of Covid-19, and many nation-state actors have seen this as a perfect crisis to exploit.

“Despite not knowing full details of the culprits behind the cyber-attacks on Australia, one thing is certain. No organisation is exempt. The attacks have spanned across various sectors including government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.

“Australia and other states worldwide need to use this as a stark reminder of the importance of protecting their critical infrastructure. It is paramount that organisations with any strategically useful information, whether in the public or private sector, prepare themselves to deal with highly sophisticated phishing, infiltration, and data leaking campaigns.

“Nation-states need to begin to move towards a more unified national approach to cybersecurity based on information sharing communities rather than a fragmented, secretive, organisation-by-organisation approach. This will be the only way that we can begin to think about defeating the rapidly-evolving weapons deployed by those who would do us harm.”

Dave Palmer, director of technology, Darktrace said nation-state cyber-attacks have been a reality for some time with an escalation in recent years as global tensions heat up and hacking techniques become more advanced.

Palmer said: “Here we have a campaign with all the hallmarks of a sophisticated and coordinated attack with the aim of penetrating critical parts of government; there are persistent attempts over a long period of time to exploit both system vulnerabilities and human vulnerabilities with the use of spear-phishing.

“The potential impact of an attack on critical national infrastructure should not be understated. As smart buildings, cities and the Internet of Things become more common, vulnerabilities are growing, and state sponsored attackers are on the lookout for ways in. The lines between cyber and physical are blurring and this raises the stakes for all involved - increasing the likelihood of unintentional escalations and further complicating international relations.

“With such prospects, it is now the time to supercharge the cyber defence of the world’s critical digital infrastructure with advanced technologies. This will ensure that nations are resilient and can prevent data breaches or system compromise once attackers are inside – both at machine-speed and in real-time.”

Martin Jartelius, CSO, Outpost24 said: "We have seen a steady increase in government APT groups over the last decade. As can be seen from the widespread targeting of this group, it's important to remember that preventive security is important and that anyone in infrastructure or services for governmental entities is a viable and likely target for these groups. If you work in those sectors, your IT security may well be of national importance."

Scott McKinnel, country manager Australia and New Zealand, Tenable said that many breaches and attacks are accomplished by failing to do the basics - regardless of who the attacker is.

McKinnel said: “The vast majority of breaches and attacks today are the result of known but unpatched vulnerabilities. Threat actors don’t need to develop or pay for zero-day flaws in software. They can simply leverage publicly available exploit code for vulnerabilities that have patches available, homing in on a window of opportunity where organisations have yet to apply these patches.

“Now more than ever, organisations need to have a strong understanding of their systems and determine where they’re vulnerable. As a first step, organisations need to practice cyber hygiene, such as identifying critical risks and patching systems with common vulnerabilities favoured by criminals, blocking malicious sites and IP addresses, enforcing multi-factor authentication, implementing security awareness training and using encryption. These recommendations make it far harder for criminals to be successful.”

Sam Curry, chief security officer at Cybereason, said: "Prime Minister Morrison knows that this isn't the first time his country has come under cyberattack, as companies of all sizes in the public and private sector have gone through this drill many times over.

"We used to say loose lips sink ships, but today loose clicks can sink a company in any industry whether it be in the critical infrastructure, healthcare, retail or banking spaces. Hacking is a game of cat and mouse, and the mouse is getting bigger; it's very motivated to embarrass democracies and it is usually well-funded. Because the Australian government is regularly under cyberattack, and these incidents rarely make headlines, the timing of Morrison's announcement could spell an uptick and severity of the actions of a foreign state.

“Foreign actors are regularly testing the resiliency of networks in both the public and private sector and this is nothing new to Australia. How they respond is important and they are likely prepared. Australia, the United States and other democratic nations may not be facing a traditional enemy with guns and tanks on the battlefield, but they are constantly fighting a host of adversaries in the digital space. Unless we work with our international allies and devise a better strategy to confront this threat, it is far from certain that we will emerge victorious."

Tim Wellsmore, Mandiant Government Solutions, Asia Pacific said the announcement of the cyberattacks on Australian institutions is a concerning, but not unexpected, reminder of the level of serious cyber threat activity that occurs in the region.

Wellsmore said: “The Australian Prime Minister and Minister for Defence do not undertake these sort of briefings lightly, and the consistent message from them was that this was state-sponsored activity which raises the national security focus of the announcement. There is considerable geo-political tension occurring at the moment involving Australia and, from our experience, we know that state sponsored cyber threat activity directly replicates geo-political tensions so it would be plausible to assume this reported activity and announcement is connected.

"FireEye is aware of the reported incidents and the type of exploitation of systems that are occurring and have seen only a few related impacts to our customer base. However, we are seeing an increasing focus by both state-sponsored and criminal cyber threat actors on exploiting Common Vulnerabilities and Exposures (CVEs) soon after they are announced publicly when victims' systems are not patched quickly enough, and we deal with state-sponsored threats against our customers on a daily basis.

"The information provided in the Australian Government ACSC advisory on this issue is very detailed and provides good guidance and serves as a timely reminder to ensure organisations maintain vigilance in the cybersecurity programmes including the use of patching and multi-factor authentication in their networks.

"These threats will continue, and it is unfortunate that we continue to see an increase in cyber threat activity as our world becomes more technologically dependent."

Nick Savvides, director of strategic business at Forcepoint said the PM’s address is a timely reminder that cyber-security is a serious issue.

Savvides said: “We have entered a new era of business and government, where cyberattacks pose an existential threat to business and can cripple the machinery of government.

“The address acts also as a signal to the threat actors responsible that the government and some in the private sector are aware of the attacks. Interestingly, two specific controls, patching internet-facing systems (protecting the edge of networks) and enforcing multifactor authentication for users (protecting the users), were specifically called out by the Defence Minister.

“This indicates that attackers likely operated sophisticated targeted phishing campaigns to capture usernames and passwords from victims and were possibly in possession of 0-day vulnerabilities against systems or used older vulnerabilities on systems that are difficult to patch.”

Toni Vitale, head of data protection at JMW Solicitors LLP, said no country is immune to such attacks and in the UK the National Cyber Security Centre announced at the end of 2019 that it has defended British organisations against more than 300 state-backed cyber-attacks over the last 12 months.

Vitale said: “As in Australia the UK central government was the main focus of the attacks but other sectors such as academia, IT, managed service providers and transport and health were also attacked. The NCSC actively take down fraudulent websites which are used by nation-states to gather intelligence and finance their craft.”

Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre), said that cyber-attacks come in all forms, and the attacker defines the rules of their attack.

Mackey said: “In this case, the attacker has chosen to disrupt business and governmental activity in Australia. Ignoring speculation on the origins of the attack, its usage of multiple attack vectors makes it more sophisticated than you might experience with a standard phishing or ransomware attack.

“The Australian Cyber Security Centre has identified the primary attack mode as an attempted exploitation of the Telerik UI ASP.Net vulnerability covered in CVE-2019-18935 which if successful provides the ability to remotely execute code on the now compromised web server. If this attack mode isn’t successful, the attacker attempts to exploit remote execution vulnerabilities in IIS, SharePoint and Citrix ADC and Citrix Gateway.”

Ghian Oberholzer, regional vice president of TechOps APAC, Claroty added: “The most alarming element of the multi-faceted cyber-attack launched on Australian organisations is the risk it poses to Australia’s critical infrastructure - the very services on which society depends including our water supply, power grids and telecommunications systems.

“Cyber-attacks on businesses are damaging enough, but the impacts of a successful attack on any of these critical services could be catastrophic, such as shutting down the electricity grid. Critical infrastructure often eludes the public’s attention as a major source of cyber risk, but it remains highly susceptible to targeted attacks, as past experience shows.”

Michael Sentonas, global chief technology officer, CrowdStrike, said that eCrime activity the company investigates is up more than 330 per cent since the start of the year over the same period last year, adding that the lines between eCrime and nation-state attacks are blurring due to the increased sophistication of eCrime actors.

Sentonas said: “Having a frontline perspective of the rampant threat activity in Australia that occurs every day, including the number of high profile breaches in recent months, demonstrates the country is not as prepared as we would like to believe. It is positive that this issue is being raised, and governments and organisations must now take action and harden their defences against an advanced pool of adversaries.”

Jake Moore, cybersecurity specialist at ESET added: “It is vital that it is not just Australian organisations that are on alert to this threat, as the whole world must take steps to enhance the resilience of their networks. Although this is not a direct result of Covid-19, there is an assumption that increased working from home enables such attacks to operate more easily.

“The attackers used various spearphishing techniques including links in their cleverly designed emails to target their prey. Spearphishing has a remarkably high success rate due to the believability factor.

“The bad actors do their homework perfectly and launch convincing and plausible individual emails on their victims. Multiple hit rates increase the velocity of the attack too. Once the initial access was achieved, the bad actor would have used an array of custom tools to interact with the targeted network.”

In addition to the scale and sophistication of the attacks and the tools used, another main source of attribution is motivation. China objected strongly to Australia's calls for an independent inquiry into the origins of Covid-19 (Chinese state media described Australia as “gum stuck to the bottom of China’s shoe” and doing the work of the US) and this provides the backdrop for those who suggested that it is likely behind the attacks.

Not everyone was as reticent about pointing the finger at China. While he stopped short of advocating an offensive cyber response, Robert Hannigan, chairman of BlueVoyant International and former GCHQ director, was in no doubt about responsibility. In an email to SC Media UK he commented: “The technical details of the attack issued by the Australian Government point to China as a likely state actor. Although the techniques and vulnerabilities exploited are not new, the scale, sophistication and targeting are consistent with Chinese cyber-attacks against the Australian parliament, and other organisations and companies in many democratic countries.

“Chinese state cyber-attacks of this type are not new but have progressed from large scale and low sophistication to high grade, carefully targeted attacks in recent years. China still harvests intellectual property from the private sector on an industrial scale, but the sophistication of its targeted attacks against states is increasingly alarming.

“We need to collectively find ways of raising the cost of cyber-attacks by China and other states. That starts with calling them out but should lead to concerted economic and diplomatic sanctions.

“Offensive cyber capabilities have niche uses but in general the best responses to wholesale cyber-attacks of this kind will be economic and political sanctions. Although we need offensive cyber capabilities, investment in better cyber defences and cybersecurity across the economy is the top priority and always will be.”
