It has been reported that Australian organisations – including government and businesses – are currently being targeted by a sophisticated foreign ‘state-based’ hacker. The activity, generally thought to be Chinese, is targeting organisations across a range of sectors including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure. So far, there does not appear to have been any large-scale breach of people’s personal information. Australian experts react as the story unfolds.

Mark Pesce is an Honorary Associate in Digital Cultures at the University of Sydney.

“The twenty-first century will see more and more large-scale attacks on information infrastructure. Every attack teaches both attacker and defender more about how to launch and defend against such attacks. In the short run they’re destabilising, in the long run they tend to improve the quality of our information infrastructure, and make it more resilient. But they always show us where our defences are weak, and always exploit those weaknesses.”

——–

Professor Alana Maurushat is an expert in Cybersecurity and Behaviour in the School of Social Sciences, and Associate Dean International for the School of Computers, Data and Math Sciences at Western Sydney University.

“In cybersecurity, cyber-attacks commonly occur when targets are otherwise engaged in dealing with emergencies, or during public holidays. Attack targets are pre-occupied dealing with the crisis or holiday at hand, when their guards are down and expert staff and leaders are occupied with more pressing matters.

This is a tactic as old as time. It comes as no surprise that a sophisticated ‘state-based’ sponsored cyber-warfare unit would be busily using this time to gain intelligence in its adversaries’ systems. And sometimes, cyber intelligence is also gathered within the systems of its allies as well.

As more nations progress to have cyber offensive capabilities we can expect this to become business as usual. Australia too has cyber offensive capabilities. Nations don’t announce when or who they will target in cyber operations.

In many instances, the targets are across many sectors, and not just government institutions. Let’s be frank: Australia has recently poked the panda and this is very likely the retaliation. In India, the situation is worse where Chinese forces made the first aggressive move into India which has renewed the 1967 feud over the China-India disputed territory in the Galwan Valley.

Things have escalated over the past few weeks with casualties on both sides. India has recently called to move factories and businesses out of China and back to India. These physical and cyber attacks are deliberate, and they are occurring under the auspices of COVID-19.

Sadly, we appear to be entering into the era of a China Cold War where fear prevails over rational thought, where kindness in helping our neighbours is lessening, and above all, where tolerance is less each day.”

——–

Professor Asha Rao is Associate Dean of Mathematical Sciences at RMIT University. Her research interests include the mathematics of securing information, and risk management of information systems.

“As Australia pulls all stops to counter the massive state-sponsored cyber-attack, it is all the more clear that cybersecurity is a responsibility not only of governments at all levels and of industry, but also of individuals, who need to be more cyber aware.

One of the gaps in our understanding of cybersecurity is the importance of our data. Many people think, ‘But my data is not very important.’ We need to be aware that our data can lead to someone assuming our identity and then using that to infiltrate at all levels.

A particularly vulnerable group at this time are SMEs (Small and Medium Enterprises). The COVID-19 situation has caused them to suddenly move online, as is the case with all of us working from home. With the lack of protection from enterprise cybersecurity measures, it is important that we watch for incidents. Incidents that can be as simple as an email purporting to be from a friend, that asks you to click on a link because they need your help.

Be aware, be very aware!”

——–

Associate Professor Paul Haskell-Dowland is Associate Dean of Computing and Security at Edith Cowan University.

“The current attack facing Australian business and government entities appears to be at a substantial scale and one which is likely to have been state-sponsored.

Attribution is complex and politically challenging so it is unlikely the finger of blame will be pointed any time soon.

The information we have so far indicates a classic cyber-attack using known vulnerabilities to gain initial access and then using more comprehensive techniques to maintain access and obtain credentials from users and systems for further exploitation.

The incident raises key questions of how long this has been going on for, how far have they reached into systems and what their motivations are.

The ACSC has provided an advisory which indicates at least one of the techniques being exploited may have been known about for at least a year. It is quite possible that the adversaries involved have secured access to systems over a prolonged period and may have entrenched themselves in the IT environments. Risks of systems control (including critical infrastructure) and data exfiltration are of concern.

The recommendations being promoted include that of ‘patching systems’. This is critical and should be followed by all organisations.”

——–

Dr Diep Nguyen is Senior Lecturer at the School of Electrical and Data Engineering at the University of Technology Sydney.

“The technical tactics behind the attack today, as also confirmed by ACSC, are sophisticated, with significant capabilities from the attackers. However, it can be mitigated by frequent updating/patching of the software and devices that we are using. This includes, but is not limited to, updating operating systems and applications, but also being more alert and cautious with app, add-on or plug-in installations (e.g., eliminate/remove/disable ones in web browsers, Office and other tools that we do not need, especially ones we suspect).

Additionally, the part of this coordinated attack that relies on stolen credentials can be alleviated with multi-factor authentication (e.g., enable and use a One Time Password (OTP) when we access our accounts). This helps prevent unauthorised access to, and collection of, our accounts and credentials.

In the future, I would say we probably should expect these types of attacks more often, especially coordinated ones, due to the popularity of low-end and more-difficult-to-secure devices: Internet of Things, web and mobile devices. These devices, after being compromised, can also be leveraged to launch insider attacks that can lead to more damage.”

——–

Associate Professor Joseph Liu, Director, Monash Blockchain Technology Centre, Faculty of Information Technology, Monash University.

“Cybersecurity is important now more than ever before. Governments and private organisations should not ignore the importance of it. In the past, some organisations may not have given much attention to cybersecurity until an incident actually took place. This rationale needs to change and more effort needs to be given to the prevention stage. Cybersecurity should be prioritised as the most important issue, as pointed out by our Prime Minister today, which is related to our national and even personal security.

Not a single method or mechanism can prevent or make our defence against cybersecurity successful. Different approaches should be deployed at the same time, including techniques from software security, network security, cryptography, hardware security etc.

People usually think that using only one of these security mechanisms (e.g. a firewall) should be secure enough. In fact, it is not. We need to educate the community that cybersecurity works as a team, and should include a variety of security mechanisms at the same time.

Individuals are even at risk of cybersecurity threats on a daily basis. Mobile phone details and personal information can be taken quite easily anywhere. Therefore the privacy of individuals, and educating individuals about their own security risks, is also important to address.”

——–

Associate Professor Frank den Hartog is from the School of Engineering and Information Technology at UNSW Canberra, and is affiliated with the UNSW Canberra Cyber Centre.

“International espionage is of all ages, and ‘state-based hacking’ is just its newest variety. We have seen such activity rising sharply over the past ten years. The PM’s warning contains nothing new in that respect.

However, national awareness of this has been relatively low so far, so his comments are very welcome and much needed.

That the PM talks about one particular state here is interesting though, as multiple states are generally suspected to execute such activities against Australia.

He did not name that state, but this is not (only) because of political reasons. Successful attribution to a state beyond reasonable doubt is often very hard in cyber, and we need to do more research in developing better tools for this.”

——–

Leah Mooney is a Cyber Security and Privacy Lawyer, Course Coordinator and Lecturer for Cyber Laws and the Rules of Evidence at the Institute of Cyber Investigations and Forensics at the University of the Sunshine Coast.

“Many Australian organisations will be implementing advanced monitoring and other cybersecurity measures in response to the Prime Minister’s warning of a sophisticated and organised cyber-attack by a foreign state threat actor.

But the last line of defence in an organisation’s cybersecurity is almost always its people.

Just as Australians are practising personal hygiene to reduce the spread of coronavirus, we need them to practise ‘cyber hygiene’ and become their own personal ‘human firewall’ in response to this latest cybersecurity threat.

It is therefore crucial that individuals take personal responsibility for implementing best practice cybersecurity measures in their online environment.

This may mean choosing strong passwords, the timely ‘patching’ of device software and refraining from clicking on links or attachments in unexpected communications. By practising good cyber hygiene, Australians can become a ‘human firewall’ against phishing and other scams.”

——–

Associate Professor Vallipuram (Muthu) Muthukkumarasamy is from the School of Information and Communication Technology at Griffith University.

“It was well known that cyber attacks increased with COVID-19. This is mainly due to the fact that almost everything moved online within a short span, exposing significant vulnerabilities.

This is applicable across public and private organisations, and all levels of governments. Of course, the economic crisis has also added fuel to the fire and has caused cybercriminals and state actors to focus more on exploiting the weakness in the hasty online transformation.”

——–

Professor Richard Buckland is Professor in CyberCrime Cyberwar and Cyberterror at the School of Computer Science and Engineering UNSW.

“A pattern of attacks over an extended period has been announced. Details are still emerging from the government. ACSC has released a good technical summary. Below is based on what is currently known.

Attack methods reported so far are not sophisticated and make use of long known weaknesses and attack methods. What is unusual is the scale. Would have taken considerable resources to carry out. The attacker could not have expected to remain undetected.

The source of the attack is hard to attribute at the moment, as it seems the attackers have been careful to use public domain tools and exploits and to host command and control servers within Australia.

For the public there is no need to panic. So far there is no information suggesting a single crisis problem unfolding which needs an emergency response.

The real lesson from the announcement is that Australian defences are too weak.

The Government has been working quite seriously for a number of years to improve Australian Cyber capability – but so many organisations have been caught by this that it is clear that adoption of best practice and understanding of cyber risks at an organisational level is still seriously inadequate.

How are attackers getting in?

Attackers have reportedly compromised systems by exploiting known vulnerabilities, often in Microsoft products. These vulnerabilities had already been fixed (e.g. by Microsoft), indeed in a number of cases they were fixed last year, but the organisations caught this way had not updated all their vulnerable software and so had not had the problems patched. It is somewhat embarrassing that we have been caught out by something so simple and long known to be important to get right.

In a number of cases where the attackers were not able to find technical weaknesses to exploit they have compromised systems by tricking staff with targeted scam emails. This is called ‘Spear Phishing’ and is usually very effective, far more than the easy to detect bulk ‘Phishing’ scam emails with which we are all familiar.

Amongst the take-away lessons from this announcement are that:

  • Government has capability to detect cyber attacks.
  • Despite years of warning many organisations are still sorely lacking in the level of their cyber defences.
  • Staff need to be treated as cyber vulnerabilities, and resources be devoted to effectively train them to detect and resist social engineering.
  • In general we need a greater national focus on cyber security and on training and developing our citizens, business leaders, and future cyber professionals.
  • Cyber security has ceased to be a technical or business problem. It is now a core part of life for everyone. Helping all Australians become more cyber-capable is now as important as teaching us about sunscreen or seat belts.”

——–

Professor Craig Valli is Director of the ECU Security Research Institute.

“These attacks, whether they be from cybercriminals or foreign intelligence services, are a sophisticated, multi-headed, persistent pandemic of threat that is not going away anytime soon. The latest rise in the intensity of attacks further demonstrates the dire need for good cybersecurity hygiene to protect yourself, your family and your business in cyberspace.

In the same way that we have adapted our behaviours to COVID-19 and how we work, rest and play it is paramount we do the same for cybersecurity. Patching/updating systems, strong protections such as passwords, anti-virus and backup and being vigilant of the behaviour of others in cyberspace is just as critical to our economic survival as addressing the current pandemic.”

Craig has not declared any conflicts of interest.


——–

Professor Ryan Ko is Chair and Director of Cyber Security at the University of Queensland.

“I commend the ACSC for its prompt public alert of this threat to Australian critical infrastructure. It is a good strategic move as it helps in two ways: firstly, to alert all Australian infrastructure asset owners and stakeholders in a very timely manner so that there will be a prompt national effort towards patching vulnerable servers, resulting in a reduced risk profile for Australia from this attack, and secondly, to act as a deterrent and to inform the attacker that Australia knows about this threat.

Attribution is a very hard problem due to the way the internet is designed. An attacker can launch an attack from computers in Country A which in turn control the computers of Countries B and C to target and interact with the victim’s computers in Country D. Attributing back to Country A (and the exact individuals involved) is a hard research problem which computer scientists and cybersecurity researchers are constantly trying to solve.

As mentioned in the ACSC Advisory, ‘the actor was identified making use of compromised legitimate Australian web sites as command and control servers’, and ‘This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.’ This means that the attacker was able to use the infected organisation’s own computers as a listening, observing or reconnaissance base for intel or further threat possibilities.

Current cybersecurity detection techniques are unable to detect such traffic since the network traffic sent from the infected computer is from the organisation and hence trusted by the organisation. Since current tools like ‘geo-blocking’ and other techniques are ineffective, I am glad that ACSC were able to detect this. So, well done to the teams at ACSC. However, in the longer term and to support such detection at scale, this presents a research and innovation priority for our nation’s industry and academia.”
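Both Professor Buckland (command and control servers hosted within Australia) and Professor Ko (compromised legitimate Australian web sites as C2, rendering geo-blocking ineffective) describe the same detection gap: a destination-country allowlist cannot separate C2 traffic from ordinary browsing when the C2 endpoint is a trusted domestic site. The script below is an added example, not code from the page or from the ACSC advisory. It runs a naive geo-block filter and a simple beacon-periodicity check over a small constructed proxy log; the host names (`news.example-au.invalid`, `cdn.example.invalid`), workstation names and timestamps are all hypothetical. It shows that the geo filter never flags the domestic C2 destination, while the regular inter-arrival timing of the implant's check-ins does stand out.

```python
"""Beacon detection over proxy logs when C2 sits on a legitimate domestic site.

Added example (not from the original page). All log lines below are constructed;
'news.example-au.invalid' plays the role of a compromised but legitimate
Australian web site used as a command and control server.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <source host> <destination> <GeoIP country> <bytes>"
SAMPLE_LOG = [
    # Implant on ws-042 checks in roughly every 300 s with a few seconds of jitter.
    "2020-06-19T09:00:00 ws-042 news.example-au.invalid AU 512",
    "2020-06-19T09:01:00 ws-042 cdn.example.invalid US 8120",
    "2020-06-19T09:01:20 ws-042 cdn.example.invalid US 2200",
    "2020-06-19T09:02:13 ws-017 news.example-au.invalid AU 14300",
    "2020-06-19T09:03:00 ws-017 intranet.example-au.invalid AU 3300",
    "2020-06-19T09:03:30 ws-017 intranet.example-au.invalid AU 910",
    "2020-06-19T09:05:07 ws-042 news.example-au.invalid AU 498",
    "2020-06-19T09:08:00 ws-042 cdn.example.invalid US 5400",
    "2020-06-19T09:08:05 ws-042 cdn.example.invalid US 760",
    "2020-06-19T09:09:56 ws-042 news.example-au.invalid AU 521",
    "2020-06-19T09:15:11 ws-042 news.example-au.invalid AU 503",
    "2020-06-19T09:18:40 ws-017 news.example-au.invalid AU 12800",
    "2020-06-19T09:19:51 ws-042 news.example-au.invalid AU 517",
    "2020-06-19T09:25:03 ws-042 news.example-au.invalid AU 509",
    "2020-06-19T09:29:54 ws-042 news.example-au.invalid AU 495",
    "2020-06-19T09:31:02 ws-017 news.example-au.invalid AU 9900",
    "2020-06-19T09:33:05 ws-042 cdn.example.invalid US 6100",
    "2020-06-19T09:34:05 ws-042 cdn.example.invalid US 640",
    "2020-06-19T09:35:08 ws-042 news.example-au.invalid AU 514",
]


def parse(lines):
    """Turn the whitespace-separated log lines into dicts with a real datetime."""
    records = []
    for line in lines:
        ts, src, dst, country, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "cc": country, "bytes": int(nbytes)})
    return records


def geo_blocked(records, allowed=frozenset({"AU"})):
    """Destinations a destination-country allowlist would drop.

    A C2 server on a domestic (AU) site never appears in this list, which is
    exactly why the advisory says geo-blocking was rendered ineffective.
    """
    return sorted({r["dst"] for r in records if r["cc"] not in allowed})


def find_beacons(records, min_events=6, max_cv=0.10):
    """Flag (source, destination) pairs whose inter-arrival times are suspiciously regular.

    Regularity is measured as the coefficient of variation (stddev / mean) of the
    gaps between consecutive requests; a human browsing a news site produces
    irregular gaps, a scheduled implant check-in does not. Thresholds are
    illustrative; a real deployment would tune them and add jitter-aware logic.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])

    findings = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(times),
                             "interval_s": round(avg), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("geo-block would drop:", geo_blocked(recs))      # only the US CDN
    for f in find_beacons(recs):
        print("beacon candidate:", f)                       # ws-042 -> news.example-au.invalid
```

The geo filter catches only the foreign CDN, which is benign here, and passes the domestic C2 destination entirely; the timing check flags the ws-042 to news.example-au.invalid pair (eight events about 301 s apart, coefficient of variation around 0.04) while the irregular, larger-volume visits from ws-017 to the same site are not flagged. Timing analysis is one of several signals (request size uniformity, URI patterns, TLS fingerprinting are others) and a determined actor can add jitter to defeat a fixed threshold, which is the scale-and-research problem Professor Ko points to.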