Australian Prime Minister Scott Morrison warned late last week that a sophisticated, state-sponsored cyber actor has been attacking the country’s government and corporate institutions, as well as critical infrastructure operators, with increasing regularity.
Morrison did not name-and-shame the specific country that is responsible for the alleged attacks. But inside sources told Reuters that China is the culprit, noting similarities between the recent attacks and past malicious activities that were also attributed to Beijing and were aimed at Australia’s national parliament and three largest political parties. A Chinese Foreign Ministry spokesman on Friday reportedly denied China was involved.
“Based on advice provided to the Government by our cyber experts, the Australian Cyber Security Centre (ACSC), Australian organizations are currently being targeted by a sophisticated state-based cyber actor,” reads an official statement issued by the offices of the Prime Minister, Minister for Home Affairs and Minister for Defense. “This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers, and operators of other critical infrastructure.”
“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used,” the statement continues.
The statement advises organizations to patch their internet-facing devices, including web and email servers; use multifactor authentication and become an ACSC partner.
A more detailed government technical advisory notes that the ACSC “identified no intent by the actor to carry out any disruptive or destructive activities within victim environments,” which suggests that the purpose of the attacks is entirely stealthy in nature, such as cyber espionage and data exfiltration.
The advisory said the actor’s attacks rely largely on “proof-of-concept exploit code, web shells and other tools copied almost identically from open source, and that the culprit has been compromising networks particularly through bugs in public-facing infrastructure. This includes a remote code execution flaw (CVE-2019-18935) found in unpatched versions of Telerik UI — a commercial toolset for building business and kiosk applications for Windows Presentation Foundation — as well as a deserialization vulnerability in Microsoft Internet Information Services (IIS), and 2019 bugs in SharePoint (CVE-2019-0604) and Citrix (CVE-2019-19781).
“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases,” the advisory states. “The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organizations.”
The attackers have also engaged in spear phishing campaigns designed to trick email recipients into clicking a link leading to a malicious files or credential harvesting page, opening malicious attachments or granting Office 365 OAuth tokens to the actors, the advisory further notes.
“Once initial access is achieved, the actor utilized a mixture of open-source and custom tools to persist on, and interact with, the victim network,” says the document. “Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed.”
The advisory also notes that the actor has been using legitimate Australian websites as C2 servers, with malicious communication accomplished via HTTP and HTTPs traffic.
Tensions have reportedly mounted between Australia and China, especially after Australia publicly called for an investigation into China’s handling of the COVID-19 pandemic. China then reacted by placing tariffs on Australian exports and banning shipments of beef from Australia.
However, experts still expressed a note of caution when it comes to blame for the attacks.
Katie Nickels, director of threat intelligence at Red Canary, noted that “Attribution is particularly challenging for this activity due in part to the adversary’s reuse of open source code… The tools mentioned in the ACSC report like Cobalt Strike and PowerShell Empire have been used by many adversaries of differing motivations and sophistication levels, so their use does not clearly point to a certain adversary.”
“The best thing for organizations to do is to examine the reporting shared by the ACSC and consider how to mitigate and detect the tactics, techniques, and procedures (TTPs) that were used,” said Nickels. “The TTPs discussed in the ACSC report are not new — these are the same TTPs we see adversaries use on a daily basis.”
However, for some, building up defenses against such attacks could create cost challenges, noted Henry Harrison, CSO at Garrison Technologies.
“For the information and systems that really matter — typically those processing secret classified information — Australia, like other advanced nations, has strong security measures that provide good protection against even the most sophisticated attacks. But across the world these strong security measures are not typically deployed to protect less sensitive systems such as citizens’ personal information or critical services and infrastructure. In a world where sophisticated attacks are targeting these critical aspects of society, is it really sustainable to continue protecting them at a lower level of security?”