We know who the cyber attacker is: Jennings calls out China
It’s ‘very clear’ China is behind the cyber attack and that Scott Morrison is calling Beijing out, says Australian Strategic Policy Institute head Peter Jennings.
Australian Strategic Policy Institute executive director Peter Jennings told The Australian it was “very clear” that China was behind the cyber attack on Australia, and that Prime Minister Scott Morrison was calling Beijing out.
The PM revealed early on Friday that Australia is being hit by a major, state-backed cyber attack targeting all levels of government, political parties and private businesses.
“I think you’ve got to sort of go through a checklist of factors, which is not just the capability issues that Morrison talks about but also the interest and intent,” Mr Jennings said in the wake of the PM’s press conference announcing the attack.
“The Russians could do it. The North Koreans could do it, but neither of them has an interest on the scale of this. They have no interest in state and territory government or universities.”
“So that leads me to conclude that the only country that has got the interest to go as broad and as deep as this and the only country with the sophistication and the size of the intelligence establishment to do it, is China. That’s very clear.
“I think you can sort of attribute 95 per cent of confidence to it being China.”
Mr Jennings said the Morrison government was “saying publicly to China ‘we know’ and in a sense putting a bit of pressure on them.”
“China will read this very clearly as Australia saying ‘we know’. They are very sensitive to public naming and shaming on this issue.”
Revealing the attack on Friday morning, the PM said “a state-based cyber actor” is undertaking the attack.
“Based on advice provided to me by our cyber experts, Australian organisations are currently being targeted by a sophisticated state-based cyber actor,” the Prime Minister said in Canberra.
“This activity is targeting Australian organisations across a range of sectors, including all levels of Government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.
“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used.”
The cyber attack has yet to breach the personal data of Australians, but Scott Morrison says only a state-based actor with “significant capabilities” could undertake the attack.
He has refused to say that China, which has been behind a number of large-scale cyber attacks in the past, is responsible for the attack.
“What I can confirm is there are not a large number of state-based actors that can engage in this type of activity and it is clear, based on the advice that we have received, that this has been done by a state-based actor, with very significant capabilities.”
Defence Minister Linda Reynolds has called on all Australian businesses to update their protective software and secure their internet access in response to the attack.
Cyber Security Cooperative Research Centre chief executive Rachael Falk said cyber attacks were “growing in sophistication”.
“Regrettably, this is a trend that will not stop. As you heard the PM say, this is a clear call for all Australians to be cyber aware and protected,” Ms Falk said.
“Focusing on attribution is a distraction from the big issue here, which is that the government, businesses and individuals have to be cyber prepared.”
The Australian Cyber Security Centre has warned companies, institutions and governments to be alert and urgently enhance “the resilience of their networks” after confirming the “sustained targeting” of Australian organisations by a “sophisticated state-based actor”.
The ACSC said the “copy-paste compromises” were linked to the state-based actor’s heavy use of proof-of-concept exploit code, web shells and other tools “copied almost identically from open source”.
The cyber security agency said the actor had been “identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of a remote code execution vulnerability in unpatched versions of Telerik UI”.
“Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability,” the updated cyber security advice said.
“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases.
“The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.”
The ACSC said that where the actor’s exploitation of public-facing infrastructure failed, it fell back to phishing.
“When the exploitation of public-facing infrastructure did not succeed, the ACSC has identified the actor utilising various spearphishing techniques.”
These included links to credential harvesting websites, emails with links to malicious files or with the malicious file directly attached, links prompting users to grant Office 365 OAuth tokens to the actor, and the use of email tracking services to identify email opening and lure click-through events.
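The OAuth lure described above differs from ordinary credential phishing: the victim is never asked for a password, only to approve an attacker-registered application’s request for mailbox and file permissions. The following Python script, added here as an illustration and not code from the article or the ACSC advisory, triages a Microsoft identity platform consent link by pulling out the requesting application, the delegated permissions it asks for and where the user is sent afterwards. The approved-application allowlist, the client IDs and both sample URLs are constructed assumptions; the scope names are real Microsoft Graph permission names.

```python
"""Triage a Microsoft identity platform consent link of the kind used in OAuth
consent phishing: the lure asks the user to grant an attacker-controlled app
delegated Office 365 permissions, so no password is ever stolen.

Added example, not code from the article or the ACSC advisory. The allowlist,
client IDs and sample URLs are constructed for illustration; the scope names
are real Microsoft Graph delegated permission names.
"""
from urllib.parse import urlparse, parse_qs

# Hypothetical: application (client) IDs the organisation has reviewed.
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}

# Delegated permissions that let a third-party app read or send mail, reach
# files, or keep access without the user present (offline_access).
HIGH_RISK_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
    "User.Read.All", "Directory.Read.All",
}

CONSENT_HOSTS = {"login.microsoftonline.com", "login.windows.net"}

# Constructed lure: unknown app, broad mail/file scopes, consent forced.
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=deadbeef-0000-4000-8000-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmail-verify.example.net%2Fcb"
    "&scope=offline_access%20Mail.Read%20Files.ReadWrite.All&prompt=consent"
)

# Constructed benign sign-in for an approved app asking only for profile data.
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.gov.au%2Fcb"
    "&scope=openid%20profile%20User.Read"
)


def triage_consent_url(url):
    """Return {'is_consent_request', 'client_id', 'redirect_host', 'reasons'}.

    A link is flagged (non-empty 'reasons') when it is an OAuth authorize
    request that asks for high-risk scopes or names a client_id outside the
    approved allowlist; prompt=consent is reported because it forces the
    permission dialog that the lure relies on.
    """
    parts = urlparse(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    redirect_host = urlparse(qs.get("redirect_uri", "")).hostname
    result = {"is_consent_request": False, "client_id": qs.get("client_id"),
              "redirect_host": redirect_host, "reasons": []}

    if parts.hostname not in CONSENT_HOSTS or "/oauth2/" not in parts.path:
        return result
    result["is_consent_request"] = True

    # Scopes are space separated; v1-style scopes may carry a resource prefix
    # such as https://graph.microsoft.com/Mail.Read, so keep the last segment.
    scopes = {s.rsplit("/", 1)[-1] for s in qs.get("scope", "").split()}
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        result["reasons"].append("high-risk scopes: " + ", ".join(risky))
    if result["client_id"] not in APPROVED_CLIENT_IDS:
        result["reasons"].append("client_id is not an approved application")
    if qs.get("prompt") == "consent":
        result["reasons"].append("prompt=consent forces the permission dialog")
    return result


if __name__ == "__main__":
    for u in (LURE_URL, BENIGN_URL):
        print(triage_consent_url(u))
```

The same check can be run over links extracted from a mail gateway or proxy log; the decisive signal is an unknown client_id combined with mail or file scopes, not the login domain, which is legitimately Microsoft’s in both the lure and the benign case.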
“Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed,” the advice said.
“In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.
“During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.”
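Because the command and control described above ran over ordinary HTTP/HTTPS to web shells on compromised Australian sites, blocking by source country tells a defender nothing; what stands out is the request pattern on the compromised server itself. The following Python script, added here as an illustration and not code from the article or the ACSC advisory, parses IIS W3C logs and flags server-side script files that the application never deployed but that are being POSTed to, which is how a dropped shell in a forgotten test directory shows up. The log lines, the known-route list and the thresholds are constructed assumptions.

```python
"""Flag probable web-shell command-and-control in IIS W3C logs by behaviour:
POSTs to server-side script files that the application never deployed,
typically from few clients with non-browser user agents. The advisory says
C2 ran over HTTP/HTTPS to compromised Australian sites, so the source
address and its country carry little signal; the request pattern does.

Added example, not code from the article or the ACSC advisory. The log
lines, route list and thresholds are constructed for illustration.
"""
from collections import defaultdict
from posixpath import splitext

# Extensions the web server will execute; a web shell is a file of one of these.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}

# Hypothetical: script paths present in the known-good release (from a build
# manifest). Anything else that receives POSTs deserves a look.
KNOWN_ROUTES = {"/default.aspx", "/account/login.aspx", "/search.aspx"}

# Constructed IIS W3C extended log. IIS writes spaces inside fields as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2020-06-18 01:12:03 10.0.0.5 GET /default.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 15
2020-06-18 01:12:07 10.0.0.5 POST /account/login.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) https://www.example.gov.au/default.aspx 302 40
2020-06-18 01:12:30 10.0.0.5 GET /robots.txt - 443 - 203.0.113.44 Mozilla/5.0+(Windows+NT+10.0) - 200 3
2020-06-18 01:13:51 10.0.0.5 POST /test/uploads/cache.aspx - 443 - 198.51.100.7 python-requests/2.23.0 - 200 120
2020-06-18 01:14:02 10.0.0.5 POST /test/uploads/cache.aspx - 443 - 198.51.100.7 python-requests/2.23.0 - 200 95
2020-06-18 01:20:45 10.0.0.5 POST /test/uploads/cache.aspx - 443 - 198.51.100.7 Mozilla/4.0+(compatible) - 200 310
2020-06-18 01:21:10 10.0.0.5 POST /search.aspx q=budget 443 - 203.0.113.91 Mozilla/5.0+(Windows+NT+10.0) https://www.example.gov.au/default.aspx 200 22
"""


def parse_iis_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_webshell_candidates(text, min_posts=2):
    """Return script paths outside KNOWN_ROUTES that are mostly POSTed to.

    Each finding lists the POST count, GET count, distinct client IPs and
    distinct user agents so an analyst can pivot to those clients' other
    requests and to the file's creation time on disk.
    """
    stats = defaultdict(lambda: {"posts": 0, "gets": 0,
                                 "clients": set(), "agents": set()})
    for rec in parse_iis_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if splitext(stem)[1] not in SCRIPT_EXTENSIONS or stem in KNOWN_ROUTES:
            continue
        s = stats[stem]
        if rec["cs-method"] == "POST":
            s["posts"] += 1
            s["clients"].add(rec["c-ip"])
            s["agents"].add(rec["cs(User-Agent)"])
        else:
            s["gets"] += 1

    findings = []
    for stem, s in stats.items():
        # Real application pages are browsed (GET) far more than they are
        # POSTed; a shell is POST-only from a handful of clients.
        if s["posts"] >= min_posts and s["posts"] > s["gets"]:
            findings.append({"path": stem, "posts": s["posts"], "gets": s["gets"],
                             "clients": sorted(s["clients"]),
                             "agents": sorted(s["agents"])})
    return sorted(findings, key=lambda f: -f["posts"])


if __name__ == "__main__":
    for f in find_webshell_candidates(SAMPLE_LOG):
        print(f)
```

A hit on a path under a development or test directory is exactly the “orphaned service” case the advisory describes. Finding the shell is only the first step: the advisory also notes that the actor moves to legitimate remote access with stolen credentials, so the clients seen POSTing to the shell should be searched for in VPN, RDP and cloud sign-in logs before the compromise is declared closed.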
The ACSC is urging companies to implement measures including “prompt patching of internet-facing software, operating systems and devices” and the “use of multi-factor authentication across all remote access services” including web and cloud-based email, collaboration platforms, virtual private network connections and remote desktop services.