The discussion around state-sponsored cyber attacks on Australia has once again launched to the fore in the country following comments by the Prime Minister Scott Morrison on June 19. According to the new remarks, Australian institutions of all kinds have fallen victim to cyber attacks from a sophisticated state based cyber-actor over at least the course of the last several months, raising alarm about the vulnerability of the country’s critical infrastructure.
The attacks are taking place against all levels of governments as well as services and businesses in Australia, according to Morrison, with their frequency having increased “over many months”.
“I’m here today to advise you that, based on advice provided to me by our cyber-experts, Australian organisations are currently being targeted by a sophisticated state-based cyber-actor,” Morrison said at a press conference. He added that such attacks have been targeting organizations “across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure”.
Although identified as being state-sponsored, no country has been officially implicated for having been behind the cyber attacks, with official comment remaining silent on the matter. However, Morrison did point out that the cyber attacks can be safely believed to be state-sponsored because of the “scale and nature of the targeting and the trade craft used”.
The Prime Minister’s announcement follows a month on from revelations that a state-sponsored Chinese hacking group, Naikon, was responsible for engaging in a five-year-long cyber espionage campaign targeting several governments across the Asia Pacific region, including that of Western Australia. However, no connection has yet been made between China and the newly-revealed attacks against Australia.
“We raised this issue today not to raise concerns in the public’s mind, but to raise awareness in the public’s mind,” Mr Morrison explained. “We know what is going on. We are on it, but it is a day-to-day task,” he added.
State-sponsored threat to critical infrastructure
Without a doubt, a major series of ongoing state-sponsored cyber attacks such as those reportedly occurring in Australia could pose significant risks to the country’s critical infrastructure. These can even include such vital lifelines as water supply, power grids and telecommunications systems.
This is the view of Ghian Oberholzer, the regional vice president of TechOps in the Asia Pacific region for the industrial cybersecurity firm Claroty. According to him, given the scale of the attacks, the threat to critical infrastructure is likely the most devastating risk in the incidents.
“Cyber attacks on businesses are damaging enough, but the impacts of a successful attack on any of these critical services could be catastrophic, such as shutting down the electricity grid,” explained Oberholzer. “Critical infrastructure often eludes the public’s attention as a major source of cyber risk, but it remains highly susceptible to targeted attacks, as past experience shows.”
Pointing to similar examples of how state-sponsored cyber attacks in the past had laid bare the vulnerabilities of critical infrastructure, Oberholzer contested that their protection should remain the highest priority for the cybersecurity response of national governments. “Earlier this year Israel’s wastewater treatment plants suffered a series of coordinated attacks. Fortunately, there was no significant damage. In 2015 an attack on Ukraine’s power grid left 230,000 people without power for up to six hours,” Oberholzer pointed out.
“Today’s announcement by the Prime Minister illustrates the need for sophisticated cyber security practices, policies, and technology to protect our critical infrastructure,” he went on. “Australia cannot afford to suffer catastrophic damage to its critical infrastructure at the best of times, and thanks to COVID-19 these are far from the best of times.”
Detecting and mitigating cyber attacks of this kind
One factor which hampers the response to the reported state-sponsored attacks is the lack of clarity around their origin. According to Katie Nickels, director of threat intelligence at security firm Red Canary, organizations should remain cautious about jumping to conclusions around laying blame, particularly when there is limited public information.
“The best thing for organizations to do is to examine the reporting shared by the ACSC and consider how to mitigate and detect the tactics, techniques, and procedures (TTPs) that were used,” explained Nickels, pointing out that the ACSC had found that adversaries initially gained access by exploiting vulnerabilities in public-facing software such as Telerik UI. “Organizations should ensure Telerik UI and other software is updated to the latest version to prevent exploitation of known vulnerabilities,” she added to this end.
This premise is largely supported by Mahmoud Elkhodr, a lecturer in information and communication technologies at CQUniversity Australia. In a piece written for The Conversation, Elkhodr noted that businesses should strive to follow the ACSC’s advice on secure management of databases, email systems and physical computer assets.
“[T]he latest announcement is a reminder that we should not lower our guard against cyber attacks,” wrote Elkhodr. “The latest round of cyber attacks are likely the result of previous ‘reconnaissance attacks’, which revealed existing vulnerabilities in Australian networks.”
“Taking the steps outlined above could help prevent hackers mounting similar attacks in the future,” he added.
All in all, according to Nickels, such steps should be widely adopted by Australian organizations in the wake of the announcement about the state-sponsored attacks, adding that those which have a defense-in-depth mitigation strategy and behavioral-based detections “should feel confident that those approaches help reduce risk regardless of what adversaries they face”.