Australian government organisations, businesses, and critical infrastructure are under persistent cyber attack from a state-based actor.
Prime Minister Scott Morrison called a snap press conference on Friday morning to announce the ongoing attack but did not offer specific details.
“Based on advice provided to me by cybersecurity experts, Australian organisations are currently being targeted by a sophisticated state-based cyber actor,” Morrison said.
"This activity is targeting Australian organisations across a range of sectors including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.
"We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the trade-craft used."
Morrison said the attacks have been persistent and ongoing.
“Regrettably this activity is not new, but frequency has been increasing,” he said.
“The Australian Cyber Security Centre (ACSC) has been actively working with targeted organisations to make sure they have technical mitigations in place and their defenses are appropriately raised.”
Morrison said ministers and the opposition received technical briefings overnight about the cyber attack. He also said there had been no large-scale breach of personal data during the ongoing attack to date.
“We raise this issue today not to raise concerns in the public’s mind but to raise awareness,” Morrison said.
“This is the world that we live in and these are the threats that we have to deal with.”
When asked if China was responsible for the attack, given past form, the prime minister refused to point fingers.
“The threshold for public attribution on a technical level is extremely high,” he told the press conference.
“Australia doesn’t engage lightly on public attributions and when, and if, we choose to do so will be in the context of our national interest.
“There are not a large number of state-based actors that can engage in this activity.”
Copy-paste compromises
On Thursday, the ACSC published an advisory warning of the “sustained targeting of Australian governments and companies” by a “sophisticated state-based actor”.
The hackers behind the attack are using what the ACSC calls “copy-paste compromises” – publicly known exploits and tools leveraging vulnerabilities in unpatched public-facing network infrastructure.
Specifically, the ACSC mentions vulnerabilities in Telerik UI, Microsoft Internet Information Services (IIS), and 2019 vulnerabilities in SharePoint and Citrix.
According to the ACSC, the persistent threat actor has been probing networks for vulnerabilities and keeping an eye on services that could be targeted when a new security flaw is discovered.
If attacks on public-facing infrastructure don’t work, the actor goes on a spear-phishing campaign to gain credentialled access to networks.
Although the prime minister offered assurances that no personal data had been breached, the ACSC has seen these hackers exfiltrate data over command and control channels.
“Without access to full, unencrypted network traffic or other supporting evidence such as copies of staged data, it may be difficult to confirm exfiltration,” the ACSC said.
“However, data volumes transferred may provide sufficient confidence that exfiltration has likely occurred.”
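One way to act on the ACSC's point about data volumes, as an added example that is not taken from the advisory or from this article: compare each internal host's daily outbound byte count with its own baseline and flag large outliers. The flow records, addresses, thresholds (`k`, `floor`) and function name are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (day, internal host, external destination, bytes sent).
# Addresses are documentation ranges; none come from the ACSC advisory.
FLOWS = [
    ("2020-06-08", "10.0.0.5", "198.51.100.7", 2_100_000),
    ("2020-06-09", "10.0.0.5", "198.51.100.7", 1_800_000),
    ("2020-06-10", "10.0.0.5", "198.51.100.7", 2_400_000),
    ("2020-06-11", "10.0.0.5", "198.51.100.7", 2_000_000),
    ("2020-06-11", "10.0.0.5", "203.0.113.66", 910_000_000),  # unusual upload
    # A backup host that uploads a lot every day: high volume, but normal for it.
    ("2020-06-08", "10.0.0.9", "198.51.100.7", 300_000_000),
    ("2020-06-09", "10.0.0.9", "198.51.100.7", 320_000_000),
    ("2020-06-10", "10.0.0.9", "198.51.100.7", 290_000_000),
    ("2020-06-11", "10.0.0.9", "198.51.100.7", 310_000_000),
]


def flag_volume_spikes(flows, k=6.0, floor=100_000_000):
    """Return (host, day, bytes_sent, baseline, top_destination) for days on
    which a host sent far more data out than on its other observed days."""
    per = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, host, dst, sent in flows:
        per[host][day][dst] += sent

    findings = []
    for host, days in per.items():
        daily = {d: sum(dsts.values()) for d, dsts in days.items()}
        for day, sent in daily.items():
            others = [v for d, v in daily.items() if d != day]
            if len(others) < 3:
                continue  # too little history to call anything unusual
            base = median(others)
            # Median absolute deviation: a spread estimate that one extreme
            # day cannot inflate. Fall back to 1 byte if all days are equal.
            mad = median(abs(v - base) for v in others) or 1
            if sent >= floor and sent > base + k * mad:
                top_dst = max(days[day], key=days[day].get)
                findings.append((host, day, sent, base, top_dst))
    return sorted(findings)


if __name__ == "__main__":
    for host, day, sent, base, dst in flag_volume_spikes(FLOWS):
        print(f"{day} {host}: sent {sent:,} B (baseline {base:,} B), mostly to {dst}")
```

A flagged day is a lead for investigation rather than confirmation; as the ACSC notes, confirming exfiltration needs supporting evidence such as unencrypted traffic or copies of staged data.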
To mitigate the effects of ongoing cyber threats, the ACSC recommended that individuals and organisations keep internet-facing infrastructure patched and use multi-factor authentication for remote access services.