Cyber spy agency on high alert over hack
Nation’s top cyber spy agency working with sensitive government agencies, departments after SolarWinds Russian hacking offensive.
The nation’s top cyber spy agency is working with potential victims of the SolarWinds Russian hacking offensive, including some of the most sensitive government departments and agencies, to assess whether their networks have been breached.
The Australian can reveal the departments of Defence, Finance and Home Affairs, and the Australian Securities and Investments Commission are users of the network-management software infiltrated by the hackers.
Government tender records show the Australian Radiation Protection and Nuclear Safety Agency, the Bureau of Meteorology, trade promotion agency Austrade and the Department of Education, Skills and Employment are also SolarWinds clients.
It’s understood the Australian Signals Directorate, which also uses SolarWinds software, was unaffected by the attack.
But the agency declined to say whether any government systems had installed the “trojanised” Orion updates that were distributed to SolarWinds users from as early as March.
“The ACSC continues to monitor the situation and is engaging with international partners and potentially impacted Australian organisations,” a spokesman for ASD’s Australian Cyber Security Centre said.
The SolarWinds cyberattack is one of the biggest in history. The trojanised update was installed by as many as 18,000 companies and government agencies, including the US departments of State, Homeland Security, Commerce and the Treasury, and big tech firms such as Microsoft, Cisco and Intel, although only a subset of those were actively targeted in follow-on intrusions.
Infiltrated organisations in Australia include NSW Health, Serco Asia Pacific, and mining giant Rio Tinto.
The attack, first identified by US cybersecurity company FireEye, used a trojanised update of SolarWinds Orion — a widely used IT system management platform — to plant a backdoor on the systems that installed it.
Australian-based malware expert Sergei Shevchenko, co-founder of cybersecurity company Prevasio, said the federal government departments and agencies had not shown up in logs he had decrypted revealing 445 affected organisations.
But Mr Shevchenko said all SolarWinds clients should assume they were vulnerable to second-stage attacks.
“The list that we have decrypted doesn’t include everything. It’s just a snapshot, with multiple records fragmented or missing. It’s not a guarantee that if you are not on the list that you are not affected,” he said.
“There were three trojanised updates that were supposed to be rolled out to the software.
“The bottom line is this. If you are a client of SolarWinds, if you run the software in a company, you have to do an instant response. Period.
“They need to look inside their network, look for evidence, look for telltale signs. It’s a good exercise anyway, but they have to do it. Because this software simply means that the attackers have backdoor access.”
Mr Shevchenko’s analysis of the data logs revealed that the malware reports which security software is running on the infected system, allowing the hackers to disable it in any second-stage attack.
“In the second stage, the attackers may choose (which systems to penetrate). They might say ‘we infected this network, how are we going to make the money?’.”
An Australian Cyber Security Centre spokesman said users of SolarWinds products should immediately install security patches, or isolate their servers from the internet.
“Australian organisations that have concerns, or believe they may have been impacted, should contact the ACSC for assistance,” he said.
The hack, which US Secretary of State Mike Pompeo attributed to Russia, is categorised as a “supply chain attack” because the malware was delivered through a trusted third-party vendor’s own software update channel rather than by breaching each victim’s network directly.
Thomas Bossert, a former security adviser to Donald Trump, said the size of the attack was “hard to overstate”. He said evidence suggested Russia’s SVR intelligence agency was responsible.
“The Russians have had access to a considerable number of important and sensitive networks for six to nine months,” he wrote in the New York Times.
The attack comes as the Morrison government moves to force key companies and institutions across the banking, finance, defence, communications, food and higher education sectors to strengthen their cyber defences and co-operate with national security agencies. An exposure draft of the Security Legislation Amendment (Critical Infrastructure) Bill, released in November, includes new step-in powers allowing national security agencies to actively disrupt and repel cyber attackers.