EXPERT REACTION: Major cyber attacks on Aussie governments and business
Opinion piece/editorial: This work is based on the opinions of the author(s)/institution.
Prime Minister Scott Morrison has this morning announced that Australian organisations, including governments and businesses, are currently being targeted by a sophisticated foreign "state-based" hacker. According to the Prime Minister, “the activity is targeting organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical structure.” So far, according to the PM, there do not appear to have been any large-scale breaches of people’s personal information. Australian experts respond.
Organisation/s: Australian Science Media Centre
These comments have been collated by the Science Media Centre to provide a variety of expert perspectives on this issue. Feel free to use these quotes in your stories. Views expressed are the personal opinions of the experts named. They do not represent the views of the SMC or any other organisation unless specifically stated.
Cyber attacks are now organised and sophisticated and sometimes state-sponsored (though it is hard for us to trace back the link). Cybercriminals are taking every opportunity to launch the attack. As the PM mentioned, this is nothing new but is becoming more frequent.
It is important to share the incident in real-time without delay. We should protect the victims but at the same time encourage the victims to share the information to reduce the damage to society.
Although technology can help protect systems, it is important to raise users' awareness. Reports have shown that 70-90% of cyber incidents are related to human errors. It is important to provide education to raise awareness. And this needs collaboration between science and social sciences disciplines.
Current cybersecurity awareness programs need to be advanced so that individuals can absorb the message.
The technical tactics behind the attack today, as also confirmed by ACSC, are sophisticated, with significant capabilities from the attackers. However, it can be mitigated by frequent updating/patching of the software and devices that we are using. This includes, but is not limited to, updating operating systems and applications, but also being more alert and cautious with app, add-on or plug-in installations (e.g., eliminate/remove/disable ones in web browsers, Office and tools that we do not need, especially ones we suspect).
Additionally, the part of this coordinated attack that relies on stolen credentials can be alleviated with the multi-factor authentication method (e.g., enable and use an OTP, One Time Password, when we access our accounts). This helps prevent unauthorised access to/collecting of our accounts and credentials.
In the future, I would say we probably should expect these types of attacks more often, especially coordinated ones, due to the popularity of low-end and more-difficult-to-secure devices: Internet of Things, web and mobile devices. These devices, after being compromised, can also be leveraged to launch insider attacks that can lead to more damage.
I commend the ACSC for its prompt public alert of this threat to Australian critical infrastructure. It is a good strategic move as it helps in two ways: firstly, to alert all Australian infrastructure asset owners and stakeholders in a very timely manner so that there will be a prompt national effort towards patching vulnerable servers, resulting in a reduced risk profile for Australia from this attack, and secondly, to act as a deterrent and to inform the attacker that Australia knows about this threat.
Attribution is a very hard problem due to the way the internet is designed. An attacker can launch an attack from computers in Country A which in turn control the computers of Countries B and C to target and interact with the victim’s computers in Country D. Attributing back to Country A (and the exact individuals involved) is a hard research problem which computer scientists and cybersecurity researchers are constantly trying to solve.
As mentioned in the ACSC Advisory, 'the actor was identified making use of compromised legitimate Australian web sites as command and control servers', and 'This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.' This means that the attacker was able to use the infected organisation’s own computers as a listening, observing or reconnaissance base for intel or further threat possibilities.
Current cybersecurity detection techniques are unable to detect such traffic since the network traffic sent from the infected computer is from the organisation and hence trusted by the organisation. Since current tools like ‘geo-blocking’ and other techniques are ineffective, I am glad that ACSC were able to detect this. So, well done to the teams at ACSC. However, in the longer term and to support such detection at scale, this presents a research and innovation priority for our nation’s industry and academia.
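An added illustration of the geo-blocking point above (not part of this page's expert comments and not ACSC's tooling): a constructed proxy log in which a hypothetical compromised Australian site acts as the command-and-control server. A country allowlist passes that traffic untouched, while a simple beacon-regularity check over the same log still surfaces it. All hostnames, addresses and timestamps are placeholders.

```python
"""Constructed proxy log: why a country allowlist misses a domestic C2,
and one timing signal that still works. Hosts/IPs are placeholders."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "timestamp src_ip dst_host dst_country bytes"
SAMPLE_LOG = """\
2020-06-18T09:00:00 10.0.0.5 news.example.au AU 512
2020-06-18T09:05:01 10.0.0.5 news.example.au AU 498
2020-06-18T09:10:00 10.0.0.5 news.example.au AU 530
2020-06-18T09:14:59 10.0.0.5 news.example.au AU 505
2020-06-18T09:20:01 10.0.0.5 news.example.au AU 511
2020-06-18T09:02:13 10.0.0.7 cdn.example.au AU 9120
2020-06-18T09:31:40 10.0.0.7 cdn.example.au AU 120033
2020-06-18T09:47:05 10.0.0.7 cdn.example.au AU 2211
2020-06-18T09:03:00 10.0.0.9 tracker.example.xx ZZ 77
"""

ALLOWED_COUNTRIES = {"AU"}  # hypothetical allowlist used by the geo-block


def parse_log(text):
    """Parse the constructed log into (timestamp, src, host, country, bytes)."""
    rows = []
    for line in text.splitlines():
        ts, src, host, cc, size = line.split()
        rows.append((datetime.fromisoformat(ts), src, host, cc, int(size)))
    return rows


def geo_block(rows):
    """Naive geo-blocking: keep only traffic to allowlisted countries.
    The beacon to news.example.au (AU) passes straight through."""
    return [r for r in rows if r[3] in ALLOWED_COUNTRIES]


def beacon_candidates(rows, min_hits=4, max_cv=0.05):
    """Flag (src, host) pairs whose inter-request gaps are nearly constant.
    Returns {pair: mean gap in seconds}. Human browsing has irregular gaps;
    a scheduled check-in does not, regardless of where the host sits."""
    by_pair = defaultdict(list)
    for ts, src, host, _, _ in rows:
        by_pair[(src, host)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)  # coefficient of variation of the gaps
        if cv <= max_cv:
            flagged[pair] = mean(gaps)
    return flagged


if __name__ == "__main__":
    kept = geo_block(parse_log(SAMPLE_LOG))
    print("after geo-block:", len(kept), "rows")
    print("beacon candidates:", beacon_candidates(kept))
```

The thresholds are illustrative; on real proxy data they would be tuned against the organisation's own baseline, and jittered beacons need a looser test than a coefficient of variation.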
In cybersecurity, cyber-attacks commonly occur when targets are otherwise more thoroughly engaged with dealing with emergencies or during public vacations. Attack targets are otherwise pre-occupied dealing with the crisis or holiday in hand when their guards are down, and expert staff and leaders are otherwise occupied with more pressing matters.
This is a tactic as old as time. It comes as no surprise that a sophisticated 'state-based' sponsored cyber-warfare unit would be busily using this time to gain intelligence in its adversaries' systems. And sometimes, cyber intelligence is also gathered within the systems of its allies as well.
As more nations progress to have cyber offensive capabilities we can expect this to become business as usual. Australia too has cyber offensive capabilities. Nations don't announce when or who they will target in cyber operations.
In many instances, the targets are across many sectors, and not just government institutions. Let's be frank: Australia has recently poked the panda and this is very likely the retaliation. In India, the situation is worse where Chinese forces made the first aggressive move into India which has renewed the 1967 feud over the China-India disputed territory in the Galwan Valley.
Things have escalated over the past few weeks with casualties on both sides. India has recently called to move factories and businesses out of China and back to India. These physical and cyber attacks are deliberate, and they are occurring under the auspices of COVID-19.
Sadly, we appear to be entering into the era of a China Cold War where fear prevails over rational thought, where kindness in helping our neighbours is lessening, and above all, where tolerance is less each day.
These attacks, whether they be from cybercriminals or foreign intelligence services, are a sophisticated, multi-headed, persistent pandemic of threat that is not going away anytime soon. The latest rise in the intensity of attacks further demonstrates the dire need for good cybersecurity hygiene to protect yourself, your family and your business in cyberspace.
In the same way that we have adapted our behaviours to COVID-19 and how we work, rest and play it is paramount we do the same for cybersecurity. Patching/updating systems, strong protections such as passwords, anti-virus and backup and being vigilant of the behaviour of others in cyberspace is just as critical to our economic survival as addressing the current pandemic.
Australia has been under continual cyber-attack over the past few years, with the volume of attacks rising. The word from our cyber guardians in Canberra is that while the numbers of attempted intrusions are increasing, the number of successful intrusions is decreasing.
The Prime Minister's video press release on this current attack is interesting in that it refers to, but does not name the country most likely to be behind the attack. The list of possibles is not controversial (China, Russia, North Korea, Iran).
Instead the PM projects confidence that Australia is capable of dealing with the threat, while at the same time letting the world know that we know what is going on and that we can deal with a determined, coordinated attack, from wherever it comes. As a cybersecurity lecturer, I am aware that Australia has advanced capabilities in the cybersecurity area.
A pattern of attacks over an extended period has been announced. Details are still emerging from the government. ACSC has released a good technical summary. Below is based on what is currently known.
The Prime Minister’s announcement doesn’t seem to be in response to a single recent or urgent event, instead it describes a pattern of successful attack and compromise over a period of time.
Attack methods reported so far are not sophisticated and make use of long-known weaknesses and attack methods. What is unusual is the scale. It would have taken considerable resources to carry out. The attacker could not have expected to remain undetected.
The source of the attack is hard to attribute at the moment, as it seems the attackers have been careful to use public domain tools and exploits and to host command and control servers within Australia.
For the public there is no need to panic. So far there is no information suggesting a single crisis problem unfolding which needs an emergency response. The real lesson from the announcement is that Australian defences are too weak. The Government has been working quite seriously for a number of years to improve Australian Cyber capability – but so many organisations have been caught by this that it is clear that adoption of best practice and understanding of cyber risks at an organisational level is still seriously inadequate.
How are attackers getting in?
Attackers have reportedly compromised systems by exploiting known vulnerabilities, often in Microsoft products. These vulnerabilities had already been fixed (e.g. by Microsoft), indeed in a number of cases they were fixed last year, but the organisations caught this way had not updated all their vulnerable software and so had not had the problems patched. It is somewhat embarrassing that we have been caught out by something so simple and long known to be important to get right.
In a number of cases where the attackers were not able to find technical weaknesses to exploit they have compromised systems by tricking staff with targeted scam emails. This is called 'Spear Phishing' and is usually very effective, far more than the easy to detect bulk 'Phishing' scam emails with which we are all familiar.
Amongst the take-away lessons from this announcement are that:
- Government has capability to detect cyber attacks.
- Despite years of warning many organisations are still sorely lacking in the level of their cyber defences.
- Staff need to be treated as cyber vulnerabilities, and resources be devoted to effectively train them to detect and resist social engineering.
- In general we need a greater national focus on cyber security and on training and developing our citizens, business leaders, and future cyber professionals.
- Cyber security has ceased to be a technical or business problem. It is now a core part of life for everyone. Helping all Australians become more cyber-capable is now as important as teaching us about sunscreen or seat belts.
It was well known that cyber attacks increased with COVID-19. This is mainly due to the fact that almost everything moved to online within a short span, exposing significant vulnerabilities.
This is applicable across public and private organisations, and all levels of governments. Of course, the economic crisis has also added fuel to the fire and has caused cybercriminals and state actors to focus more on exploiting the weakness in the hasty online transformation.
Many Australian organisations will be implementing advanced monitoring and other cybersecurity measures in response to the Prime Minister’s warning of a sophisticated and organised cyber-attack by a foreign state threat actor.
But the last line of defence in an organisation’s cybersecurity is almost always its people.
Just as Australians are practising personal hygiene to reduce the spread of coronavirus, we need them to practice 'cyber hygiene' and become their own personal 'human firewall' in response to this latest cybersecurity threat.
It is therefore crucial that individuals take personal responsibility for implementing best practice cybersecurity measures in their online environment.
This may mean choosing strong passwords, the timely 'patching' of device software and refraining from clicking on links or attachments in unexpected communications. By practising good cyber hygiene, Australians can become a 'human firewall' against phishing and other scams.
The announcement by Prime Minister Scott Morrison follows on from an advisory issued by the Australian Cyber Security Centre yesterday of an attack referred to as the 'Copy-paste compromises'.
This alludes to the use of publicly available proof-of-concept code targeted at a variety of vulnerabilities on web sites and web servers of Australian companies.
The decision of the PM to announce this at this time is a reflection of the heightened tensions between Australia and China, who although not named as the 'state-based actor' involved in these attacks, is heavily implied.
The advice given by the ACSC to Australian companies is to implement standard cybersecurity safeguards, in particular keeping software up-to-date, removing unused public-facing software and to implement two-factor authentication.
International espionage is of all ages, and 'state-based hacking' is just its newest variety. We have seen such activity rising sharply over the past ten years. The PM’s warning contains nothing new in that respect.
However, national awareness of this has been relatively low so far, so his comments are very welcome and much needed.
That the PM talks about one particular state here is interesting though, as multiple states are generally suspected to execute such activities against Australia.
He did not name that state, but this is not (only) because of political reasons. Successful attribution to a state beyond reasonable doubt is often very hard in cyber, and we need to do more research in developing better tools for this.
We don't attribute attacks unless it is in our interest to do so. The Department of Foreign Affairs and Trade Cyber Engagement Strategy released in 2017 states as much.
What we are seeing here today is an announcement from the Prime Minister which states we are under cyber-attack from nation state actors, with no specifics. There is reason for this. The Prime Minister's statement is vague enough to remind us to reinforce our cyber hygiene but specific enough to target diplomatic relations as a likely proportionate response to ongoing diplomatic affairs.
Modern warfare has changed. We are unlikely to put boots on the ground. Instead, we send packets online and use other means to cause damage. It’s all part of a wider strategy called Grand Strategy or Hybrid Warfare.
The Prime Minister's announcement today is a proportionate response to remind those that would cause us harm that Australia is aware and we won’t stand idle.
Cybersecurity is important now more than ever before. Governments and other private organisations should not ignore the importance of it. In the past, some organisations may not have given much attention to cybersecurity until an incident actually took place. This rationale needs to change and more effort needs to be given to the prevention stage. Cybersecurity should be prioritised as the most important issue, as pointed out by our Prime Minister today, which is related to our national and even personal security.
Not a single method or mechanism can prevent or make our defence against cybersecurity successful. Different approaches should be deployed at the same time, including techniques from software security, network security, cryptography, hardware security etc. People usually think that using only one of these security mechanisms (e.g. a firewall) should be secure enough. In fact, it is not. We need to educate the community that cybersecurity works as a team, and should include a variety of security mechanisms at the same time.
Individuals are even at risk of cybersecurity threats on a daily basis. Mobile phone details and personal information can be taken from anywhere quite easily. Therefore the privacy of individuals and educating individuals about their own security risks is also important to address.
The Prime Minister has announced that a range of Australian business and government sectors are under cyber-attack. He said, 'We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used'.
Who is under attack? Government, Health and Critical Infrastructure.
What is at-risk? 1) Data held by those organisations; 2) Their operations.
Details about who is operating these attacks and which organisations are under attack are not yet available. The mention of a state-based actor suggests another country is conducting or sponsoring the attack. The current advisory from the Australian Cyber Security Centre labels the attacks as ‘Copy-paste compromises’ meaning that the attackers are using code almost identical to that available publicly. Therefore, the remedy is likely already known, which is reassuring. No specifics of the targets are provided, but Government, Health and Critical Infrastructure are mentioned.
What could be at-risk? First, data, in the case of Government and Health organisations. Second, day-to-day operations in the case of Critical Infrastructure and Health. What this means is that someone might be trying to acquire the personal information of Australians, or to disrupt the operation of infrastructure such as electricity or gas providers.
The current attack facing Australian business and government entities appears to be at a substantial scale and one which is likely to have been state-sponsored.
Attribution is complex and politically challenging so it is unlikely the finger of blame will be pointed any time soon.
The information we have so far indicates a classic cyber-attack using known vulnerabilities to gain initial access and then using more comprehensive techniques to maintain access and obtain credentials from users and systems for further exploitation.
The incident raises key questions of how long this has been going on for, how far have they reached into systems and what their motivations are.
The ACSC has provided an advisory which indicates at least one of the techniques being exploited may have been known about for at least a year. It is quite possible that the adversaries involved have secured access to systems over a prolonged period and may have entrenched themselves in the IT environments. Risks of systems control (including critical infrastructure) and data exfiltration are of concern.
The recommendations being promoted include that of ‘patching systems’. This is critical and should be followed by all organisations.
Until we know specifics, i.e. which 'state based actor' it is, how it is being done, and how it is different to ongoing malicious activity, I’m sceptical this is one big attack. I suspect coordinated cyber attacks have simply escalated in frequency and scale during the pandemic.
As Australia pulls out all stops to counter the massive state-sponsored cyber-attack, it is all the more clear that cybersecurity is a responsibility not only of governments at all levels and industry, but also of individuals, who need to be more cyber aware.
One of the gaps in our understanding of cybersecurity is the importance of our data. Many people think, 'But my data is not very important.' We need to be aware that our data can lead to someone assuming our identity and then using that to infiltrate at all levels.
A particularly vulnerable group at this time is SMEs (Small and Medium Enterprises). The COVID-19 situation has caused them to suddenly move online, as is the case with all of us working from home. With the lack of protection from enterprise cybersecurity measures, it is important that we watch for incidents. Incidents can be as simple as an email purporting to be from a friend that asks you to click on a link because they need your help.
Be aware, be very aware!
The twenty-first century will see more and more large-scale attacks on information infrastructure. Every attack teaches both attacker and defender more about how to launch and defend against such attacks. In the short run they’re destabilising, in the long run they tend to improve the quality of our information infrastructure, and make it more resilient. But they always show us where our defences are weak, and always exploit those weaknesses.