Chinese hackers attack local media group

Chinese state-affiliated hackers have targeted a major Australian media company, stealing passwords and data using a publicised vulnerability.

CyberCX chief strategy officer Alastair MacGibbon, a former ACSC head, says the company’s investigators were confident in attributing the attack to China. Picture: Roy Van Der Vegt

Chinese state-affiliated hackers have targeted a major Australian media company, stealing passwords and data using a publicised vulnerability within hours of the software flaw being revealed.

The nation’s biggest cybersecurity company, CyberCX, said the attackers moved swiftly to exploit the Log4j vulnerability in December last year, gaining access to the company’s IT systems before it had a chance to patch the affected software.

CyberCX said those responsible for the attack used “tradecraft consistent with Chinese state-sponsored actors” to gain access to the company’s mobile device management software.

The company – which was not News Corp and is understood not to be Nine Entertainment – was initially notified of the security breach by the Australian Cyber Security Centre. The attack occurred on December 10 – the same day the Log4j vulnerability was publicised, sparking a rush by users around the world to close the potential backdoor.

CyberCX chief strategy officer Alastair MacGibbon, a former ACSC head, said the company’s investigators were confident in attributing the attack to China.

“They used what we call customised web shells. We know the Chinese state uses a lot of these web shells,” Mr MacGibbon said.

“They stole data. They weren’t looking to lock phones or hold their data for ransom. And we have seen this same threat actor in other investigations we have done.

“And then when you compare that with what is publicly known about the tools and tradecraft, we have a high confidence in saying it is a Chinese state-affiliated actor.”

The Log4j vulnerability, unearthed in a piece of Java software code, was one of the most serious ever seen, sparking millions of attempted cyber attacks.

CyberCX investigators believe the Chinese attackers had developed a thorough understanding of the target application, MobileIron, enabling them to quickly exploit the Log4j flaw when it became known.

Mr MacGibbon said the speed with which the hackers moved to exploit the Log4j vulnerability showed how aggressive they had become.

“There used to be a time when a vulnerability was exposed and it was days, weeks or months before someone used it,” he said.

“Now it is a matter of hours. That shows how agile they are, how hyper competitive this space is, and how quickly they use opportunities. As soon as this vulnerability was public, they just pounced.”

The hacking incident predated a cyber attack on News Corp identified on January 20 and linked to Chinese espionage activities that affected The Wall Street Journal, the New York Post, and British newspapers The Times and The Sun.

Nine Entertainment was also the victim of a major cyber intrusion in March last year, which bore the hallmarks of a ransomware attack but was not accompanied by a demand for payment.

Mr MacGibbon said media companies were attractive targets for Chinese state-sponsored hackers because they received and analysed information that had intelligence value.

The ACSC – part of spy agency the Australian Signals Directorate – said it was aware of the cyber attack but declined to comment on whether China was responsible.

“Australia publicly attributes malicious cyber activity when it is clear and in the nation’s interest to do so,” an ACSC spokesman said.

“The Australian government condemns malicious cyber activity, including by cybercriminals, states and state-sponsored actors.

“No sector of the Australian economy is immune to the impacts of malicious cyber activity. All organisations should be alert to international threats and take action to strengthen their cyber security defences.”

The Australian government rarely publicly names the countries behind cyber attacks.


Original URL: https://www.theaustralian.com.au/business/media/chinese-hackers-attack-local-media-group/news-story/55471bf51f36473a683baf36969b048b