Spy agencies sounded the alarm to the Prime Minister Scott Morrison last night to alert the nation to prepare for more cyber attacks that China is suspected of masterminding.
Government sources have confirmed that the trigger for today’s announcement was a warning from spy agencies that, given the increasing tempo of attacks, companies and state governments needed to prepare and safeguard their IT systems.
As a result, the Prime Minister rang state premiers last night alerting the leaders to the increased level of attacks and to expect more in the weeks ahead, not to advise them of a single attack that was imminent or under way.
While protocol demands that Mr Morrison does not formally identify China, nobody in the government is in any doubt about the chief suspect.
“I can confirm, with confidence, based on the advice, the technical advice that we have received, is that this is the action of a state-based actor with significant capabilities,” the Prime Minister said.
“There aren’t that many state-based actors that have those capabilities,” he added.
The recent activity has all the hallmarks of recent attacks that Australia’s cyber intelligence agency – the Australian Signals Directorate (ASD) – previously linked to China’s Ministry of State Security.
But those findings were never released publicly due to fears it would inflame a trade war with Beijing.
The Australian Strategic Policy Institute’s cyber security analyst Tom Uren said there was no question that China was the perpetrator of the attacks the Prime Minister described today.
“Of course it is China. There are a few countries that have the capability: Russia, China, US, UK, and perhaps Iran and North Korea, although they may not have the scale,” he tweeted.
“Only China in this list will have the appetite for such a broad approach.
“Compromising telecommunications for intelligence? Bad, but also standard practice for signals intelligence agencies. Framing whatever is happening as attacking critical infrastructure raises the importance.”
But given the attacks have been under way for weeks and months, Mr Uren said the intriguing question was why the Prime Minister had chosen to publicly raise the alert level now.
“It’s also interesting to think about what triggered this response by Scott Morrison,” he said.
“The frog has been boiling for years, so what made us jump?”
The answer to that question, according to government sources, was a specific warning from spy agencies that state governments and businesses needed to be put on high alert for further attacks and told how to protect their systems.
The official advice that the Defence Minister Linda Reynolds pointed Australian companies to states that state governments, medical researchers and essential services were now coming under sustained and regular attack.
“The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor,” the formal advice states.
“The title ‘Copy-paste compromises’ is derived from the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.
“Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.
“When the exploitation of public-facing infrastructure did not succeed, the ACSC has identified the actor using various spear-phishing techniques.”
Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information for malicious reasons.
This spear-phishing has taken the form of links to credential-harvesting websites, emails with links to malicious files or with the malicious file attached directly, links prompting users to grant Office 365 access, and the use of email tracking services to identify when an email is opened and when a lure is clicked.
Once initial access is achieved, the actor used a mixture of open source and custom tools to persist on, and interact with, the victim network.
“It is imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility,” the advice states.
“During the course of its investigations the ACSC has identified two key mitigations which, if implemented, would have greatly reduced the risk of compromise by the TTPs identified in this advisory.”
It suggested prompt patching of internet-facing software, operating systems and devices.
“All exploits used by the actor in the course of this campaign were publicly known and had patches or mitigations available,” the advice states.
“Organisations should ensure that security patches or mitigations are applied to internet-facing infrastructure within 48 hours. Additionally organisations, where possible, should use the latest versions of software and operating systems.”
It also suggested the use of multi-factor authentication across all remote access services.
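The two mitigations above can be checked mechanically against an asset inventory. The script below is an added illustration, not code from the advisory or the article; the hostnames, services and dates in it are constructed, and the inventory fields (`internet_facing`, `remote_access`, `patch_released`, `patched`, `mfa`) are assumed names for whatever a real asset register records.

```python
from datetime import datetime, timedelta, timezone

PATCH_SLA = timedelta(hours=48)  # advisory: patch internet-facing infrastructure within 48 hours

# Constructed sample inventory (hypothetical hosts and dates, not taken from the advisory).
ASSETS = [
    {"host": "sp01.example.test", "service": "SharePoint", "internet_facing": True,
     "remote_access": False, "patch_released": "2020-06-10T00:00:00Z", "patched": False, "mfa": None},
    {"host": "gw01.example.test", "service": "Citrix Gateway", "internet_facing": True,
     "remote_access": True, "patch_released": "2020-06-17T12:00:00Z", "patched": True, "mfa": False},
    {"host": "mail.example.test", "service": "Outlook Web Access", "internet_facing": True,
     "remote_access": True, "patch_released": None, "patched": True, "mfa": True},
    {"host": "db01.example.test", "service": "SQL Server", "internet_facing": False,
     "remote_access": False, "patch_released": "2020-06-01T00:00:00Z", "patched": False, "mfa": None},
]


def parse_utc(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into a timezone-aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_asset(asset, now):
    """Return the advisory mitigations this asset fails when evaluated at 'now'."""
    findings = []
    # Mitigation 1: internet-facing software patched within 48 hours of the fix being available.
    if asset["internet_facing"] and not asset["patched"] and asset["patch_released"]:
        overdue = now - parse_utc(asset["patch_released"]) - PATCH_SLA
        if overdue > timedelta(0):
            findings.append(f"patch overdue by {overdue.total_seconds() / 3600:.0f}h")
    # Mitigation 2: multi-factor authentication on every remote access service.
    if asset["remote_access"] and not asset["mfa"]:
        findings.append("remote access without MFA")
    return findings


def audit(assets, now):
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    report = {}
    for asset in assets:
        findings = check_asset(asset, now)
        if findings:
            report[asset["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(ASSETS, datetime.now(timezone.utc)).items():
        print(host, "->", "; ".join(findings))
```

Hosts that are not internet-facing are deliberately outside the 48-hour rule here, matching the advisory's scope; an internal patch policy would need its own window.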
If you have indications that your environment has been compromised, contact the Australian Cyber Security Centre by emailing email@example.com or calling 1300 CYBER1 (1300 292 371).