Australian PM Warns Of ‘Sophisticated’ Cyber Attack By ‘State-Based’ Actor

The Prime Minister of Australia, has Scott Morrison publicly announced that his country is currently the target of a “sophisticated” cyber attack.

And the Aussie PM warned that an unnamed foreign government is behind it, with the finger of suspicion firmly pointed at China.

In February 2019 Scott Morrison had warned of ‘nation state hack’ of Australian political parties and parliament. He said at the time the cyber-attack was carried out by a “sophisticated state actor” – the polite way of saying that a nation state had carried out the hack.

British expertise

But now Australia is being attacked again.

Scott Morrison reportedly confirmed that he has spoken to Prime Minister Boris Johnson about the last attacks. It is known that the UK is readying its own specialist cyber force that will target terror groups and hostile nation states.

Indeed, ever since 2013, the UK MoD has allowed convicted hackers to join the UK’s Joint Cyber Reserve Unit (JCRU), but the reality is the UK’s cyber teams and capabilities (both offensive and defensive) have been growing for years.

In September 2018 the British Government announced it was expanding the UK’s offensive cyber-war capabilities by approximately fourfold with a new cyber warfare unit – amidst increased threats from the likes of Russia, North Korea and Iran.

The exact nature of the UK’s offensive cyber weaponry is a closely guarded secret, but in a submission to a report December 2017 by parliament’s intelligence and security committee, GCHQ said the capabilities of its cyber unit extended to “the high end of counter state offensive cyber capabilities”.

It should be remembered that Australia is one member of the ‘Five Eyes’ group.

The five eyes relationship sees the United States, UK, Australia, Canada and New Zealand share intelligence information between them.

Australia targeted

According to Sky News, Australia’s Scott Morrison said the attacks against his country have have targeted all levels of the government – as well as political organisations, essential service providers and operators of other critical infrastructure.

“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting,” he reportedly said at a news conference.

Morrison however stopped short of naming the country responsible for this “malicious” activity, but warned: “There are not a large number of state-based actors that can engage in this type of activity.”

He also stressed there is no evidence of a “large-scale” breach affecting people’s personal information.

The prime minister said he was making the threat public to raise awareness – and said the frequency of attacks has increased “over many months.”

Sky News reported that last month the Aussie government’s cyber agency, Australian Cyber Security Center, warned that “malicious cyber adversaries” were taking advantage of key staff at critical infrastructure working from home during the pandemic.

Businesses and organisations in Australia are being urged to ensure any web or email servers are fully updated with the latest software and the use of multi-factor authentication.

“It is reprehensible that cybercriminals would seek to disrupt or conduct ransomware attacks against our essential services during a major health crisis,” agency head Abigail Bradshaw reportedly said.

The agency also reported “malicious cyber actors” were trying to “damage or impair” hospitals and emergency response organisations outside Australia.

China suspicion

Although the Australian Prime Minister did not name China publicly, the finger of suspicion is firmly pointed at that country.

Australia has a strained relationship with China at the moment, not helped by the fact that it has pushed for an international inquiry into the source and spread of coronavirus.

China responded by banning beef exports from Australia’s largest abattoirs, and it has warned its citizens against visiting the country.

Earlier this week, Sky News reported that Australia’s foreign minister accused China of using the anxiety around the pandemic to undermine Western democracies by spreading disinformation online.

This resulted in China accussing Australia of disinformation.

Spearphishing attacks

Security experts warned that countries must remain alert to these types of threats, even during the global Coronavirus pandemic.

“It is vital that it is not just Australian organisations that are on alert to this threat, as the whole world must take steps to enhance the resilience of their networks,” explained Jake Moore, cybersecurity specialist at ESET

“Although this is not a direct result of Covid-19, there is an assumption that increased working from home enables such attacks to operate more easily,” said Moore. “The attackers used various spearphishing techniques including links in their cleverly designed emails to target their prey.”

“Spearfishing has a remarkably high success, rate due to the believability factor,” warned Moore. “The bad actors do their homework perfectly and launch convincing and plausible individual emails on their victims. Multiple hit rates increase the velocity of the attack too. Once the initial access was achieved, the bad actor would have used an array of custom tools to interact with the targeted network.”

Another expert noted that the attackers targetting Australia are using a variety of attack vectors.

“Cyber-attacks come in all forms, and the attacker defines the rules of their attack,” said Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre). “In this case, the attacker has chosen to disrupt business and governmental activity in Australia.”

“Ignoring speculation on the origins of the attack, its usage of multiple attack vectors makes it more sophisticated than you might experience with a standard phishing or ransomware attack,” said Mackey. “The Australian Cyber Security Centre has identified the primary attack mode as an attempted exploitation of the Telerik UI ASP.Net vulnerability covered in CVE-2019-18935 which if successful provides the ability to remotely execute code on the now compromised web server.”

“From a defender’s perspective, having an attacker able to identify softer targets such as those in public facing development and test systems should be particularly concerning as these systems are often deployed outside of normal IT constraints and protections,” said Mackey. “They are also likely not subject to production monitoring and may not have a rigorous patch management program in place.”

“An attack such as we’re seeing illustrates that attackers can discover weaknesses in organisations of all sizes,” said Mackey. “Having a comprehensive inventory of software assets is a cornerstone of most patch management strategies, but if that inventory doesn’t include all assets, including test systems, how they might be connected to a public network or if there are any latent vulnerabilities, then these coverage gaps can be exploited – it just takes additional sophistication.”

Nation-state attacks

Another expert noted the increase in nation-state attacks over the past ten years.

“We have seen a steady increase in government APT groups over the last decade,” noted Martin Jartelius, CSO at Outpost24. “As can be seen from the wide targeting of this group, it’s important to remember that preventive security is important and that anyone in infrastructure, or services, for governmental entities are viable and likely targets for the groups. If you work in those sectors, your IT security may well be of national importance.”

Another expert agreed that organisations need to ensure they are carrying out basic cyber hygiene to ensure their protection.

“Many breaches and attacks are accomplished by failing to do the basics – regardless of who the attacker is,” said Scott McKinnel, country manager Australia and New Zealand at Tenable. “The vast majority of breaches and attacks today are the result of known but unpatched vulnerabilities.”

“Threat actors don’t need to develop or pay for zero-day flaws in software,” said McKinnel. “They can simply leverage publicly available exploit code for vulnerabilities that have patches available, honing in on a window of opportunity where organisations have yet to apply these patches.”

“Now more than ever, organisations need to have a strong understanding of their systems and determine where they’re vulnerable,” said McKinnel. “As a first step, organisations need to practice cyber hygiene, such as identifying critical risks and patching systems with common vulnerabilities favoured by criminals, blocking malicious sites and IP addresses, enforcing multi-factor authentication, implementing security awareness training and using encryption.”

Another expert noted that hackers are very motivated to embarrass democracies and the time of the timing of Morrison’s announcement could signal that the attacks against Australia are increasing in severity.

“Prime Minister Morrison knows that this isn’t the first time his country has come under cyber attack, as companies of all sizes in the public and private sector have gone through this drill many times over,” said Sam Curry, chief security officer at Cybereason.

“We used to say loose lips sink ships, but today loose clicks can sink a company in any industry whether it be in the critical infrastructure, healthcare, retail or banking spaces,” said Curry.

“Hacking is a game of cat and mouse, and the mouse is getting bigger; it’s very motivated to embarrass democracies and it is usually well-funded,” said Curry. “Because the Australian government is regularly under cyber attack, and these incidents rarely make headlines, the timing of Morrison’s announcement could spell an uptick and severity of the actions of a foreign state.”

“Foreign actors are regularly testing the resiliency of networks in both the public and private sector and this is nothing new to Australia,” said Curry. “How they respond is important and they are likely prepared.”

“Australia, the United States and other democratic nations may not be facing a traditional enemy with guns and tanks on the battlefield, but they are constantly fighting a host of adversaries in the digital space,” Curry concluded. “Unless we work with our international allies and devise a better strategy to confront this threat, it is far from certain that we will emerge victorious.”

Critical infrastructure

Another expert noted the risks these types of attacks represents for a nation’s critical infrastructure.

“The most alarming element of the multi-faceted cyber-attack launched on Australian organisations is the risk it poses to Australia’s critical infrastructure – the very services on which society depends including our water supply, power grids and telecommunications systems,” noted Ghian Oberholzer, regional VP of TechOps at Claroty.

“Cyber-attacks on businesses are damaging enough, but the impacts of a successful attack on any of these critical services could be catastrophic, such as shutting down the electricity grid,” said Oberholzer.

“Critical infrastructure often eludes the public’s attention as a major source of cyber risk, but it remains highly susceptible to targeted attacks, as past experience shows,” Oberholzer added. “Earlier this year Israel’s wastewater treatment plants suffered a series of co-ordinated attacks. Fortunately, there was no significant damage. In 2015 an attack on Ukraine’s power grid left 230,000 people without power for up to six hours.”

“Today’s announcement by the Prime Minister illustrates the need for sophisticated cyber security practices, policies, and technology to protect our critical infrastructure,” said Oberholzer. “Australia cannot afford to suffer catastrophic damage to its critical infrastructure at the best of times, and thanks to Covid-19 these are far from the best of times.”

Tense times

Another expert noted the timings of the attacks in a time of considerable geo-political tensions.

“The announcement on the cyberattacks on Australian institutions is a concerning, but not unexpected, reminder of the level of serious cyber threat activity that occurs in our country and our region,” said Tim Wellsmore of FireEye Mandiant.

“There have been a significant number of high profile incidents reported in Australia in recent times, and this adds another report of significant cyber threat activity to the mix,” said Wellsmore.

“The Australian Prime Minister and Minister for Defence do not undertake these sort of briefings lightly, and the consistent message from them was that this was state sponsored activity which raises the national security focus of the announcement,” said Wellsmore.

There is considerable geo-political tension occurring at the moment involving Australia and, from our experience, we know that state sponsored cyber threat activity directly replicates geo-political tensions so it would be plausible to assume this reported activity and announcement is connected,” he added

“FireEye is aware of the reported incidents and the type of exploitation of systems that are occurring and have seen only a few related impacts to our customer base,” said Wellsmore. “However, we are seeing an increasing focus by both state sponsored and criminal cyber threat actors on exploiting Common Vulnerabilities and Exposures (CVE’s) soon after they are announced publicly when victims systems are not patched quickly enough, and we deal with state sponsored threats against our customers on a daily basis.”

Meanwhile a Toni Vitale, head of data protection at JMW Solicitors warned that “no country is immune to such attacks” and that “training staff to be vigilant to cyber-attacks is key” to defeating this attacks.

Do you know all about security? Try our quiz!