Australia has formally attributed the Microsoft Exchange software cyber attack to China, joining Five Eyes allies and others in condemning what they say is a state-sponsored attack that affected an estimated 30,000 organisations globally.
The public attribution is rare but not unprecedented, with Australia having previously named Iran, China, North Korea, and Russia for other cyber attacks.
The latest explicit attribution to China – Australia’s first since 2015 – was not accompanied by sanctions, but experts say it could be a precursor to them if attacks continue.
On Tuesday, Home Affairs Minister Karen Andrews said Australia had worked with allies to gain a “very high” confidence that China’s Ministry of State Security exploited vulnerabilities in the Microsoft software to target thousands of networks and computers around the world, including in Australia.
She said these vulnerabilities were used to “exploit the private sector for illicit gain”. Beijing has rejected the claims, accusing Australia of hypocrisy.
Ms Andrews said the attribution was made because it was in Australia’s interest to do so but acknowledged there would be repercussions from Australia’s biggest trading partner.
“We are aware that there are serious implications for any attribution that is made to any nation, but we also will not compromise our position on sovereignty, and national security,” Ms Andrews said.
“And in this instance, along with our partner nations, we needed to call out this malicious cyber attack.”
While no sanctions were announced, Ms Andrews said China won’t get away with the attack “scot-free” because it has suffered serious reputational damage from the attribution.
Australia has previously attributed cyberattacks to Iran, North Korea, and Russia, as well as to China in 2011 and 2015. But the government resisted naming China as the nation behind a wave of cyber incidents last year and an attack on the Parliament in 2019, despite security agencies reportedly believing Beijing was the culprit.
The federal government’s cyber advisory panel last year recommended there should be clearer consequences for malicious actors found to be targeting Australian businesses and governments. The industry panel, dominated by telco and led by Telstra chief Andy Penn, said there should be more of a willingness to publicly attribute these attacks.
Public attribution is used sparingly because of the difficulties in proving a nation state is directly responsible and because attacks typically need to cross a cyber “red line” to warrant it, according to Australian Information Security Association chair Damien Manuel.
“[Attribution] is almost like a diplomatic warning of ‘don’t go any further because then there’ll be other consequences’… Often attribution can be used as a diplomatic sort of blunt tool to put a country on notice,” Mr Manuel told InnovationAus.
Mr Manuel, also Director of Deakin University’s Cyber Research and Solution Centre, said the Australian government will be carefully monitoring China’s response to the attribution, and whether the attacks continue, to determine if sanctions and tariffs are warranted.
Just hours after Australia’s official attribution, the Chinese embassy in Canberra issued a statement rejecting the “groundless accusation” of the Australian government, accusing it of “parroting the rhetoric of the US” and engaging in its own eavesdropping.
“What the Australian government has done is extremely hypocritical, like a thief crying ‘stop the thief’,” a spokesperson for the Chinese Embassy said.
“As a victim of cyber attacks, China always firmly opposes cyber attacks and cyber theft in all forms, and calls on countries to advance dialogue and cooperation to safeguard cyber security.”
Attribution is also often a trade or diplomatic tactic, Mr Manuel said, and Australia is deploying it at a time when its relations with China are at their lowest point in years.
“China will make certain claims about Australia and Australia will make certain claims about China. This is a kind of balancing act,” he told InnovationAus prior to the Chinese embassy statement.
“There are red lines, obviously, where from a political perspective we don’t want countries to cross. And if they do cross them, that tends to be when they will call it out specifically. And that draws different sort of pressures. It becomes political pressure, social pressure, trading pressure as well.”
The immediate damage for China will be relatively low, according to former National Security Adviser and head of the Australian Cyber Security Centre Alastair MacGibbon.
He told ABC Radio that retaliation for these types of attacks is typically “quite muted” because it is so difficult to prove the exact provenance of attacks and to hold foreign individuals responsible.
“The reality is consequences for China will be pretty low, but I think there’s an important moral message here,” Mr MacGibbon said, pointing to the unprecedented involvement of Japan and NATO in an attribution to China.
“That shows us the significance of the body of evidence and the global nature of this particular activity. So it is a significant day.”
Mr MacGibbon, now chief strategy officer at private firm CyberCX, said the Microsoft Exchange attacks attributed to China had crossed a “significant line” of cyber espionage norms because China had used private contractors to exploit the vulnerability, and those contractors then made personal gains through cybercrimes.
“China has used contractors to carry out what you would suggest is a legitimate state-based espionage activity. We may not like it but it’s kind of what nations do to each other,” he said.
“And those contractors have then, for their own gain, carried out activities in parallel to what they were doing for the Chinese government.”