• Aussies losing $1m a day to Chinese, Russian hackers
• Aussie hacker mum uses ‘spidey sense’ to catch cyber crims

Experts say Australia has identified six key government-sponsored Advanced Persistent Threats (APT) cyber hacking groups, including four from China, which are seeking to steal defence, security and economic intelligence secrets.

One group, known as APT40 or Kryptonite Panda, has been identified as working directly for the Chinese government’s Ministry of State Security based on the island of Hainan.

Kryptonite Panda is the group which hacked the Parliamentary email systems, and experts say it is looking for intelligence on how Australia is reacting to Chinese expansion in the South China Sea, and President Xi Jinping’s Belt and Road Initiative.

So organised are the various hacking groups, they even work public service office hours, Monday to Friday.

Australian intelligence has identified a “blurring” where state-backed hackers work day shift stealing secrets, then moonlight after hours to commit cyber fraud, using their tradecraft to steal money from businesses and boost their meagre public service wages.

Western intelligence, and an anti-hacking group called Intrusion Truth, have profiled the hackers and tracked them, including via Uber accounts, as they move between Chinese Ministry of State Security (MSS) or People’s Liberation Army offices to universities and hacking sites.

Michael Sentonas, chief technology officer of global cyber-security firm CrowdStrike, said state-based actors targeted government and think tanks to gain information on military plans, trade wars and cutting-edge research.

“Obviously the Australian Government has talked about a defence plan, that would be interesting information get access to,’’ he said.

“What’s going on around the world with COVID-19, there’s a race for vaccines, a race for treatments, there are governments around the world that would love to understand where the public and private sector is in terms of research.’’

Mr Sentonas said China was one of several countries involved in espionage in Australia and that the hacking group Kryptonite Panda was particularly active.

“They’ve targeted, according to our research, Australia, Hong Kong, Malaysia, the Philippines and of course the US,’’ he said.

“We believe they’re affiliated with China, specifically the Ministry of State Security and we’ve been tracking them for approximately six years now and historically their focus has been on maritime security, political issues, across South-East Asia and in particular with a focus on the South China Sea.

“We believe based on what we’ve analysed in terms of their tradecraft, their operations are likely in support of intelligence collection surrounding China’s Belt and Road Initiative.’’

Mr Sentonas said while China was in the news in Australia, other countries had significant hacking capabilities.

“I always talk about the Big Four which is China, Russia, Iran and North Korea, their tradecraft, their techniques, what they’re looking for and what they’re trying to do are all different,’’ he said.

“There’s many different groups.

“We’ve seen other state-based adversaries, from a number of different countries, being very, very active with strong capability.’’

A UN report leaked in August last year showed that state-sponsored hackers from North Korea has stolen the equivalent of $2.8 billion through cyber-hacking, and were using the money to fund the hermit regime of Kim Jong-un, including funding missiles and weapons of mass destruction.

The Morrison Government’s upcoming 2020 Cyber Security Strategy is thought to provide a further boost to Australia’s cyber defence force, the Australian Signals Directorate, following concerns its current capabilities were still not adequate to properly support the Department of Defence in the event of a large-scale conflict.

Five Eyes intelligence partners the UK and US have contributed to the development of the new strategy, with the UK sending cyber experts to Canberra last year following the hack on parliament.

It’s thought the APT groups had targeted the Department of Defence itself, including the ASD, and spy agencies ASIO and the Australian Geospatial Intelligence Organisation, which analyses strategic military geographic information and capabilities offshore, in support of Australia’s national security interests.

“We’ve seen militarisation and disruptive technologies in our region,” one official said last week. “The disruptive technological changes that we’re seeing out there, the new threats, and certainly surveillance both terrestrial, from space, cyber, they all contribute to what is a very complex and increasingly technologically challenging environment.’’

It is also not easy to identify the cyber aggressor. Last year it was found Russian hackers working on behalf of the Kremlin’s FSB security service were piggybacking on an Iranian cyber-espionage operation to attack Five Eyes governments.

The Russian “Turla” group used the same tools and infrastructure as an Iranian State hacking group APT34 to cover its tracks and deploy its own malicious code against government agencies and businesses.

A plan for Internet Service Providers in Australia to block the attacks in a co-ordinated way is expected to be outlined in the 2020 Cyber Security Strategy to be detailed later this year.

Tom Uren, senior cyber analyst at the Australian Strategic Policy Institute, said state-sponsored hackers tended to work during the week.

He said this was also because their targets were also likely working during the week.

“There are all sorts of exceptions to this …. (but) it is an indication of state-sponsored activity when you see it correlating very strongly with work hours.’’

Australian cyber tsar Alastair MacGibbon said China carefully surveilled its own people and “not much would happen out of China that the Chinese government didn’t condone.’’

“When it comes to cyber security issues they have the Great Firewall of China … I’d consider it unlikely there are advanced groups that operate outside of the purview of the Chinese Government,’’ he said.

Originally published as Kryptonite Panda: Inside foreign hackers targeting Australia