Australian governments and businesses are being targeted by a “sophisticated state-based cyber actor”, Prime Minister Scott Morrison has revealed, as the wait for a new cybersecurity strategy continues.
Speaking from a prepared statement at a hurriedly called press conference early Friday morning, Mr Morrison revealed that a range of Australian industries and government departments and agencies had been the subject of sustained and ongoing attempts at cyber intrusion.
The Prime Minister may not be saying it publicly, but the industry certainly is, pointing to China as being behind the attacks.
Later guidance revealed that these attacks are using already known vulnerabilities with readily available fixes, with Australian businesses advised to install the patches and implement two-factor authentication.
“This activity is targeting Australian organisations across a range of sectors including all levels of government, industry, political organisations, education, health, central service providers and operators of other critical infrastructure,” Mr Morrison said.
“We know it’s a sophisticated state-based cyber actor because of the scale and nature of targeting and trade craft used.”
The statement was light on actual detail and was not based on a specific recent cyber incident, but rather ongoing cyber threats based on known vulnerabilities with patches available. When asked about the “attack”, Mr Morrison said he “wouldn’t use that word”.
It is unclear why the government chose now to reveal its concerns, with Mr Morrison repeatedly saying it was to “simply raise awareness”.
Security guidance by the government’s intelligence agencies simply advised Australian organisations to patch their devices and implement two-factor authentication.
The state premiers and Opposition Leader Anthony Albanese have been briefed on the ongoing risks, while the Australian Cyber Security Centre and private cybersecurity firms have been working together to combat them, Mr Morrison said.
The Opposition has been ramping up its attacks on the government for its apparent neglect of cybersecurity policy, with shadow assistant minister for cybersecurity Tim Watts speaking in Parliament this week on the issue.
While confirming that it was a state-based actor behind the attacks, Mr Morrison would not reveal what country the government believed to be responsible, but speculation quickly turned to China.
“The threshold for attribution on a technical level is extremely high. Australia doesn’t engage lightly in public attributions, and if we choose to do so it’s always done in the context of what we believe to be in the interests of our nation,” he said.
“There are not a large number of state-based actors that can engage in this type of activity and clearly based on the advice we’ve received that this has been done by a state-based actor with very significant capabilities.”
Centre Alliance senator Rex Patrick said the government should publicly attribute the attacks.
“This looks like cyber warfare. The government should be upfront and tell the Australian people who the attacker is,” Senator Patrick tweeted on Friday.
Shortly after the press conference, Australian Strategic Policy Institute International Cyber Security Centre’s Tom Uren said “of course it is China”.
“There are a few countries that have the capability: Russia, China, US, UK and perhaps Iran and NK, although they may not have the scale. Only China in this list will have the appetite for such a broad approach. What was the point of ScoMo’s press conference? Internal and external signalling,” Mr Uren tweeted on Friday.
The Australian Signals Directorate issued more detail on the type of attacks being leveled at Australian organisations, primarily consisting of links to fake websites designed to steal user details, links to malicious files and the use of email tracking services to identify when these emails had been opened.
“The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure,” the ASD guidance said.
The attacks have seen a “heavy use” of proof-of-concept exploit code, web shells and other tools copied almost identically from open source, the spy agency said, with a focus on the use of a remote code execution vulnerability in unpatched versions of Telerik UI.
“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases,” the ASD said.
“The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations,” it said.
Importantly, ASD said all of the attempted attacks related to known vulnerabilities with patches already available.
“All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available,” the agency said.
Mr Morrison said there had been no large-scale data breaches of Australians’ personal info found as part of these ongoing cyberattacks.
In the statement, Mr Morrison touted the Coalition’s 2016 Cyber Security Strategy and ongoing investments in the space. But that strategy’s four-year life has come to an end, and it’s unclear when the 2020 update will be revealed, several months after consultation on it concluded.
On Friday, Mr Morrison said the new strategy will be released in “coming months”, and it will include “significant further investments”. The government does not have a dedicated cybersecurity minister despite this being a key part of the 2016 strategy, with Home Affairs Minister Peter Dutton being responsible for the space.
Shadow assistant minister for cybersecurity Tim Watts has said the government is neglecting the cybersecurity space, putting Australians at risk.
“In the face of these evolving threats, Australian cybersecurity policy lacks political leadership. There’s no longer a dedicated role for cybersecurity in the executive, which means there’s a diffusion of responsibility for cybersecurity throughout multiple departments,” Mr Watts said in Parliament on Wednesday.
“Despite growing threats, Home Affairs minister Peter Dutton has left cybersecurity at the bottom of his in-tray. It’s been ten months since the Morrison government began consultations on the new Cyber Security Strategy.
“Labor hopes that the new cybersecurity strategy is released very soon, and we hope that it shows the substance and imagination that your national cyber-resilience deserves. We should have learned a few lessons in crisis preparedness now, but on cybersecurity the government remains detached, ignorant or indifferent. We can’t afford to respond to a crisis only after it’s happened.”