Mass cyber attack on Australia could only have come from China

Australia is under mass cyber attack from a foreign state targeting all levels of government, industry and critical infrastructure operators, with China believed the likely source.

Prime Minister Scott Morrison reveals a state-based cyber attack targeting Australian government and business on Friday. Picture: Mick Tsikas/AAP

Scott Morrison this morning revealed that Australian organisations were actively being targeted by a “state-based cyber actor” but would not name the country believed to be behind the “malicious” cyber raid.

“What I can confirm, with confidence, based on the advice, the technical advice that we have received, is that this is the action of a state-based actor with significant capabilities,” the Prime Minister said.

“There aren’t too many state-based actors who have those capabilities.”

Australian Strategic Policy Institute executive director Peter Jennings told The Australian it was “very clear” that China was behind the cyber attack on Australia, and that Mr Morrison was calling Beijing out.

CyberCX chief strategy officer Alastair MacGibbon, a former head of the Australian Cyber Security Centre and national cyber security adviser to Malcolm Turnbull, said the state-based actor would have been identified through “techniques and procedures” used to carry out malicious activity.

Mr MacGibbon said it was clear there had been a “concerted campaign carried out by a sophisticated state-based cyber actor”.

He said the scale of the cyber attacks had prompted the government to “make it known to the offender that they’re dissatisfied and it’s reached Prime Ministerial level”.

Mr MacGibbon said Mr Morrison was using the cyber threat to “drive change and user behaviour”.

“What we need is longer-term systemic change. This is a wake-up call to people that own and operate private and public sector systems ... that they need to take cyber security seriously,” Mr MacGibbon told The Australian.

Mr MacGibbon said there was an onus on the private sector to help protect “Australia’s national interests”.

“People should have no doubt that cyber security still remains one of the greatest existential threats,” he said.

“There is no such thing as a completely secure computer. Our job is to reduce the risk and harm.”

‘Sustained targeting’

The Australian Cyber Security Centre has warned companies, institutions and governments to be alert and urgently enhance “the resilience of their networks” after confirming the “sustained targeting” of Australian organisations by a “sophisticated state-based actor”.

The ACSC said the “copy-paste compromises” were linked to the state-based actor’s heavy use of proof-of-concept exploit code, web shells and other tools “copied almost identically from open source”.

The cyber security agency said the actor had been “identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI”.

“Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability,” the updated cyber security advice said.

“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases.

“The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.”

The ACSC said it had identified the actor turning to other techniques after “the exploitation of public-facing infrastructure did not succeed”.

“When the exploitation of public-facing infrastructure did not succeed, the ACSC has identified the actor utilising various spearphishing techniques.”

Cyber Security Cooperative Research Centre chief executive Rachael Falk said cyber attacks were “growing in sophistication”.

“Regrettably, this is a trend that will not stop. As you heard the PM say, this is a clear call for all Australians to be cyber aware and protected,” Ms Falk said.

“Focusing on attribution is a distraction from the big issue here, which is that the government, businesses and individuals have to be cyber prepared.”

‘State-based actor’

Revealing the attack on Friday morning, the PM said “a state-based cyber actor” was undertaking it.

“Based on advice provided to me by our cyber experts, Australian organisations are currently being targeted by a sophisticated state-based cyber actor,” the Prime Minister said in Canberra.

“This activity is targeting Australian organisations across a range of sectors, including all levels of Government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.

“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the trade craft used.”

The cyber attack has yet to breach the personal data of Australians, but Scott Morrison says only a state-based actor with “significant capabilities” could undertake the attack.


Original URL: https://www.theaustralian.com.au/nation/politics/mass-cyber-attack-on-australia-could-only-have-come-from-china/news-story/d0b8c5119374f0c24c51459b3a0b881d