Australian Government and Business Under Sustained Cyber Attack
Updated: Jun 20, 2020
Prime Minister's Announcement
At a special media conference today, the Prime Minister, together with the Defence Minister, announced that Australian organisations were actively being targeted by a “state-based cyber actor”, but would not name the country believed to be behind the “malicious” cyber attacks. For many of us in the protective security community who have been investigating and mitigating the effects of such attacks for several years, this is certainly nothing new; and unfortunately, hardly a surprise.
“What I can confirm, with confidence, based on the advice, the technical advice that we have received, is that this is the action of a state-based actor with significant capabilities,” the Prime Minister said. “There aren’t too many state-based actors who have those capabilities.”
“This activity is targeting Australian organisations across a range of sectors, including all levels of Government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.”
“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the trade craft used.”
Australian Strategic Policy Institute executive director Peter Jennings later told The Australian newspaper it was “very clear” that China was behind the cyber attack on Australia, and that Prime Minister Scott Morrison was calling Beijing out.
“I think you’ve got to sort of go through a check list of factors, which is not just the capability issues that Morrison talks about but also the interest and intent,” Mr Jennings said in the wake of the PM’s press conference announcing the attack.
“The Russians could do it. The North Koreans could do it, but neither of them have an interest on the scale of this. They have no interest in state and territory government or universities,” he went on to say. “So that leads me to conclude that the only country that has got the interest to go as broad and as deep as this and the only country with the sophistication and the size of the intelligence establishment to do it, is China. That’s very clear.”
To conduct such sustained and sophisticated attacks, state-based actors use the tactics and techniques that the security community groups under the term Advanced Persistent Threats.
What are Advanced Persistent Threats?
Advanced persistent threats, commonly known as APTs, are cyber attacks in which an unauthorised user gains access to a system or network and remains there for an extended period without being detected.
Such attacks are particularly dangerous for businesses and enterprise, as attackers have ongoing access to sensitive company data.
Advanced persistent threats generally do not cause damage to company networks or devices. Instead, the goal of advanced persistent threats is most often data theft and espionage.
As has been widely reported within Australia and overseas, APT attacks are becoming increasingly common as cyber criminals look to more sophisticated measures to achieve their goals. APTs have caused several large, costly data breaches and are known for their ability to remain undetected for long periods.
Advanced persistent threats do not take a general, broad approach; instead, they are carefully planned and designed with the goal of attacking one specific company or organisation. This sets them apart from many traditional threats, such as viruses and commodity malware, which exhibit the same behaviour consistently and are repurposed for attacking different systems or companies. APTs are highly customised and sophisticated, designed specifically to get around the existing security measures in place within a company.
Deployment of malware is critical to the success of an advanced persistent threat. Once the network is breached, malicious code has the capability to hide from certain detection systems, navigate the network from system to system, obtain data, and monitor network activity.
The ability for attackers to control an advanced persistent threat remotely is also key, enabling them to navigate throughout the organisation’s network to identify critical data, gain access to the desired information, and initiate the exfiltration of data.
APTs are usually sponsored by nation states and/or foreign intelligence services. Major state-sponsored cyber attacks such as Operation Olympic Games (also known as Stuxnet), the attack on Saudi Aramco and attacks against Estonian critical infrastructure highlight the threats and risks associated with state-sponsored offensive cyber capabilities. In April 2018, the then Australian Defence Minister detailed that approximately 400 Australian businesses may have been targeted by suspected state-sponsored cyber attacks. These attacks were part of a widespread cyber campaign that affected millions of computers worldwide.
Further, recent media reporting also suggests a significant cyber campaign by foreign-sponsored hackers against Australian government and commercial entities, known as Operation Cloud Hopper, by a group identified as Advanced Persistent Threat 10 (APT10). Two members of this group were recently indicted by the FBI for these attacks.
APTs use a variety of techniques to gain initial access to a network. Attackers may deliver malware over the internet, infect systems physically (for example via removable media), or exploit externally exposed services to gain access to protected networks.
US company FireEye outlines six steps of a typical APT-based attack:
1. The cyber criminal, or threat actor, gains entry through an email, network, file, or application vulnerability and inserts malware into an organisation's network. The network is considered compromised, but not breached.
2. The advanced malware probes for additional network access and vulnerabilities or communicates with command-and-control servers to receive additional instructions and/or malicious code.
3. The malware typically establishes additional points of compromise to ensure that the cyber attack can continue if one point is closed.
4. Once a threat actor determines that they have established reliable network access, they gather target data, such as account names and passwords. Even though passwords are often encrypted, encryption can be cracked. Once that happens, the threat actor can identify and access data.
5. The malware collects data on a staging server, then exfiltrates the data off the network and under the full control of the threat actor. At this point, the network is considered breached.
6. Evidence of the APT attack is removed, but the network remains compromised. The cyber criminal can return at any time to continue the data breach.
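Steps 2 and 5 of this lifecycle leave traces in ordinary outbound-connection logs. The following Python script is an added example (not part of the original article and not FireEye's tooling): it reads constructed log lines and flags near-constant-interval beaconing to a single destination, and internal hosts pushing an unusually large outbound volume. The log format, hostnames, addresses and thresholds are all assumptions.

```python
"""Flag two APT lifecycle signals from constructed outbound-connection logs:
periodic command-and-control beaconing (step 2) and bulk exfiltration from a
staging host (step 5). Example code; format and thresholds are assumptions."""
from collections import defaultdict
from statistics import pstdev

# Constructed sample, one connection per line: "epoch_seconds src dst bytes_out"
SAMPLE_LOG = """\
1000 ws-17 203.0.113.9 412
1600 ws-17 203.0.113.9 408
2200 ws-17 203.0.113.9 415
2800 ws-17 203.0.113.9 410
3400 ws-17 203.0.113.9 409
1100 ws-22 cdn.example 180000
1700 ws-22 cdn.example 92000
2100 ws-22 cdn.example 75000
3900 ws-22 cdn.example 60000
5000 fs-01 198.51.100.7 500000
5030 fs-01 198.51.100.7 500000
5070 fs-01 198.51.100.7 500000
"""

def parse(log):
    """Turn log text into (timestamp, src, dst, bytes_out) tuples."""
    rows = []
    for line in log.strip().splitlines():
        ts, src, dst, size = line.split()
        rows.append((int(ts), src, dst, int(size)))
    return rows

def beaconing_pairs(rows, min_hits=4, max_jitter=0.1):
    """(src, dst) pairs with enough hits whose gaps vary by <= max_jitter."""
    times = defaultdict(list)
    for ts, src, dst, _ in rows:
        times[(src, dst)].append(ts)
    found = []
    for pair, ts_list in times.items():
        ts_list.sort()
        if len(ts_list) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            found.append(pair)
    return found

def exfil_hosts(rows, byte_threshold=1_000_000):
    """Internal hosts whose total outbound bytes exceed the threshold."""
    total = defaultdict(int)
    for _, src, _dst, size in rows:
        total[src] += size
    return sorted(h for h, b in total.items() if b > byte_threshold)
```

Real deployments would baseline per-host volumes and known-good destinations before alerting, which the fixed thresholds here do not attempt.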
APT attackers are increasingly using smaller companies (including ICT managed service providers) that make up the supply chain of their ultimate target as a way of gaining access to targeted organisations. They use such companies, which are typically less well defended, as stepping stones.
In many cases, trusted connections are used to gain initial access. This means attackers may use employees’ or business partners’ credentials obtained through phishing attacks or other malicious means.
This assists attackers in the critical goal of remaining undetected long enough to map the victim’s systems and devise a strategic plan of attack to harvest sensitive and private data, whether business, client or staff information.
Beyond the data loss itself, the major danger of APT attacks is that even when they are discovered, and the immediate threat appears to have been defeated, the attackers may have left multiple backdoors open that allow them to return whenever they choose.
Additionally, many traditional cyber defences, such as antivirus and firewalls, will not always protect against these kinds of attacks.
How Can We Help?
To effectively safeguard against and limit successful APT or other cyber attacks, it is essential that businesses, large or small, adopt a holistic approach to security.
This includes a combination of the following: strong security culture; the conduct of risk assessments to identify gaps in systemic, physical or technical defences; training and awareness; developed and periodically tested response and recovery plans; and security hardware and software measures.
To learn more about our cyber security solutions, please click here