Australian organisations are currently being targeted by “a sophisticated state-based cyber actor,” according to Prime Minister Scott Morrison.
Morrison said in a statement the attacks were aimed at all levels of government, industry, political organisations, education, health, essential service providers, and operators of other critical infrastructure. “We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used,” said Morrison. “The Australian government is aware of and alert to the threat of cyber-attacks.”
He said that the Australian Cyber Security Centre (ACSC) had already published a range of technical advisory notices in recent times, to alert potential targets and has been briefing States and Territories on risks and mitigations. “Regrettably, this activity is not new – but the frequency has been increasing,” said Morrison. “Our objective is to raise awareness of these specific risks and targeted activities and tell you how you can take action to protect yourself.”
Nature of the attack
The ACSC detailed the nature of the attack in a statement, saying that it involved the “actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.”
The statement from the ACSC revealed that “the actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of remote code execution vulnerabilities in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.
“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.”
When the exploitation of public-facing infrastructure did not succeed, according to the ACSC, it has identified the actor utilising various spearphishing techniques. This spearphishing has taken the form of:
- links to credential harvesting websites
- emails with links to malicious files, or with the malicious file directly attached
- links prompting users to grant Office 365 OAuth tokens to the actor
- use of email tracking services to identify the email opening and lure click-through events.
Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed.
In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.
During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.
Steps for protection
Morrison said organisations who might be concerned about their vulnerability to sophisticated cyber compromise can take three simple steps to protect themselves.
One is to patch their internet-facing devices promptly, ensuring any web or email servers are fully updated with the latest software. Another is to ensure that they use multifactor authentication to secure your internet accessible infrastructure and cloud-based platforms. Third is to become an ACSC partner to ensure that they get the latest cyber threat advice so they can take the earliest possible action to protect themselves online.
“The risks are present and will continue to be present,” said Morrison. “The government encourages organisations, particularly those in the health, critical infrastructure and essential services, to take expert advice, and implement technical defences to thwart this malicious cyber activity.”
Putting the attacks in context
Commenting on the cyberattacks, Michael Sentonas, Global Chief Technology Officer, CrowdStrike, said: “Consistent with the Prime Minister’s statement, CrowdStrike has observed a significant increase in cyber attacks in recent months. E-crime activity we investigate is up over 330% since the start of the year over the same period from last year, and the lines between e-crime and nation state attacks are blurring due to the increased sophistication of e-crime actors.
“Having a frontline perspective of the rampant threat activity in Australia that occurs every day, including the number of high profile breaches in recent months, demonstrates the country is not as prepared as we would like to believe. It is positive that this issue is being raised, and governments and organisations must now take action and harden their defenses against an advanced pool of adversaries.”
The Australian Policy Research Institute (ASPI) issued a lengthy commentary on the attacks. Tom Uren, Senior Analyst at ASPI, believes that “Although Morrison carefully avoided naming a culprit, his language was far tighter than in the past and he noted that ‘there aren’t too many state-based actors who have those capabilities’. The government is in no doubt about who’s responsible, and is foreshadowing the possibility of directly naming them.
“From a geopolitical point of view, it can only be China. Although many countries have cyberespionage capabilities, very few have it at the scale the government described. And only China has an extensive recent history of cyberespionage across all the sectors that the prime minister mentioned, coupled with the motivation to focus on Australia.
“From a business sector point of view, understanding whodunnit after the fact is a waste of time. Better to spend the effort fixing security. But understanding the motivations of those who might want to compromise you beforehand is useful in prioritising security effort. From a government point of view, understanding who is conducting particular cyber activity is key. We can’t respond at all if we don’t know who to respond to,” he commented.