Australia facing sustained state-based cyber attack

By Dylan Bushell-Embling
Friday, 19 June, 2020

Australian governments and industry are under fire from a sustained, ongoing state-based cyber attack, Prime Minister Scott Morrison has warned, with China considered the most likely source.

During an urgent press conference today, Morrison warned that the "malicious" and "large-scale" attack is being carried out by a "sophisticated, state-based cyber actor".

Morrison declined to name the state suspected in the attack, but when asked whether the suspect is China, he did not deny it.

"What I can confirm is there are not a large number of state-based actors that can engage in this type of activity and it is clear, based on the advice that we have received, that this has been done by a state-based actor, with very significant capabilities," he said.

The attack is targeting multiple levels of government, as well as companies in a range of industries, political organisations, education, health, essential service providers and operators of other critical infrastructure, Morrison said.

In a threat advisory, the Australian Cyber Security Centre (ACSC) confirmed that the sustained campaign is underway and set out the findings of its investigation to date.

The ACSC has titled the advisory "copy-paste compromises" because the threat actor relies heavily on proof-of-concept exploit code and attack tools taken directly from open sources.

Techniques observed to date include spearphishing, exploiting public-facing infrastructure using remote code execution vulnerabilities, and using previously compromised legitimate Australian websites as command and control servers.

"The actor has shown the capability to quickly leverage public exploit proof of concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases," the advisory states.

"The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations."

But the agency said during its investigations, it has "identified no intent by the actor to carry out any disruptive or destructive activities within victim environments".

The advisory includes indicators of compromise, details of the vulnerabilities being exploited and detection techniques for specific activities associated with the campaign, but its mitigation advice is fairly generic.

Recommendations include promptly patching internet-facing software, operating systems and devices, and enforcing multifactor authentication across all remote access services.
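The advisory's description of the actor's reconnaissance (cataloguing public-facing services, then picking off development, test and orphaned hosts and newly published vulnerabilities) and its two headline mitigations (prompt patching, MFA on remote access) suggest the same inventory check from the defender's side. The script below is an added example written for this article, not tooling from the ACSC advisory or the Australian Government. The hostnames, product names, versions and patch baseline are all constructed for the illustration; it triages an external attack-surface inventory and flags the hosts the advisory says this actor looks for first.

```python
"""Triage an external attack-surface inventory.

Flags the conditions the ACSC advisory highlights: dev/test/legacy-named or
ownerless hosts, versions below the organisation's patch baseline, and remote
access services without MFA. Every host, product and version below is
constructed for this example and is not from the advisory.
"""
import re
from dataclasses import dataclass
from typing import Optional

STALE_DAYS = 180  # assumed policy: an owner must re-confirm each service twice a year

# Hostname fragments that typically mark development, test or forgotten services.
ORPHAN_HINT = re.compile(r"(?:^|[.-])(dev|test|uat|staging|old|legacy|bak)(?=[.-]|$)", re.I)


@dataclass
class Service:
    host: str
    port: int
    product: str
    version: str
    owner_reviewed_days: Optional[int]  # days since an owner confirmed it; None = no known owner
    remote_access: bool = False         # VPN, webmail, Citrix-style gateway, etc.
    mfa: bool = False


# Constructed inventory: hypothetical hosts and products, not real systems.
INVENTORY = [
    Service("www.example.gov.au", 443, "ExampleWeb", "2.4.1", 12),
    Service("uat-portal.example.gov.au", 443, "ExampleWeb", "2.3.0", None),
    Service("vpn.example.gov.au", 443, "ExampleVPN", "10.2.1", 30, remote_access=True, mfa=False),
    Service("mail.example.gov.au", 443, "ExampleMail", "15.1.2", 400, remote_access=True, mfa=True),
    Service("old-intranet.example.gov.au", 8080, "ExampleWeb", "1.9.7", None),
]

# Constructed patch baseline: the minimum version the (assumed) patch policy allows.
BASELINE = {"ExampleWeb": "2.4.1", "ExampleVPN": "10.2.1", "ExampleMail": "15.1.2"}


def parse_version(v: str) -> tuple:
    """Turn '10.2.1' into (10, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_outdated(svc: Service, baseline: dict) -> bool:
    """True when the service runs a version below the baseline for its product."""
    required = baseline.get(svc.product)
    return required is not None and parse_version(svc.version) < parse_version(required)


def triage(inventory, baseline):
    """Return [(host:port, [reasons])] for every service that needs attention."""
    findings = []
    for s in inventory:
        reasons = []
        if ORPHAN_HINT.search(s.host):
            reasons.append("dev/test/legacy name")
        if s.owner_reviewed_days is None:
            reasons.append("no owner")
        elif s.owner_reviewed_days > STALE_DAYS:
            reasons.append("owner review stale")
        if is_outdated(s, baseline):
            reasons.append(f"{s.product} {s.version} below baseline {baseline[s.product]}")
        if s.remote_access and not s.mfa:
            reasons.append("remote access without MFA")
        if reasons:
            findings.append((f"{s.host}:{s.port}", reasons))
    return findings


if __name__ == "__main__":
    for target, reasons in triage(INVENTORY, BASELINE):
        print(target, "->", "; ".join(reasons))
```

The point of keeping the list in a structured form is the one the advisory makes about the actor: when the next remote code execution bug in a product is published, the defender should be able to answer "where do we run that, and who owns it?" at least as fast as the attacker can. The hostname heuristic is deliberately crude; an asset register or DNS zone export with real ownership data is the better source for the `owner_reviewed_days` field.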

KnowBe4 Security Awareness Advocate for APAC Jacqueline Jayne said the attack should not come as a surprise.

"Intrusive cyber attacks at this grand scale are not a surprise when you consider the level of disruption, loss of trust, reputation and the possibility of financial gain," she said.

"When our government institutions, government agencies, health and essential industry, education, infrastructure and the private sector are attacked like this, the first question asked is 'how is this possible?'. The answer is because the cybercriminals are incredibly sophisticated and no matter how hard we try we are never going to stop them."

Forcepoint Director of Strategic Business for APAC Nick Savvides added that the attack "is a timely reminder that cybersecurity is a serious issue and affects every aspect of Australian life [and that] everybody has a role to play in keeping us safe from cybersecurity threats".

He said Morrison's announcement is designed to send a signal to the culprits that the government and some in the private sector are aware of the attacks.

He said the two specific security control recommendations from both the ACSC and the Defence minister "indicate that attackers may have operated sophisticated targeted phishing campaigns to capture usernames and passwords from victims, and were possibly in possession of zero-day vulnerabilities against systems or used older vulnerabilities on systems that are difficult to patch".

  • All content Copyright © 2020 Westwick-Farrow Pty Ltd