Industrial Cyber Attacks
News
OT Network security

Australia’s critical infrastructure targeted in recent cyber attacks

June 19, 2020
Australia’s critical infrastructure

At a press conference on June 19, Australian Prime Minister Scott Morrison confirmed that his country has been fending off a series of ongoing cyber attacks. According to Morrison, the cyber attacks are targeting Australia’s critical infrastructure, government institutions and businesses.

“This activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure,” he said.

While the prime minister did not identify China as the source of these cyber attacks, many reports suggest the country is behind the campaign targeting Australia’s critical infrastructure. Morrison said the attacks have been ongoing, occurring over a series of months.

“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the trade craft used,” Morrison said. “Regrettably this activity is not new, but frequency has been increasing.”

Morrison said the purpose of the press conference was to raise awareness and encourage organizations, particularly those in Australia’s critical infrastructure, to implement technical defenses to thwart this malicious cyber activity. This news comes one day after the Australian Cyber Security Centre released an advisory on the tactics, techniques and procedures used to target multiple Australian networks.

“The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor,” the advisory says. “The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.”

According to the advisory, the actors have been using proof-of-concept exploit code, web shells and other tools copied almost identically from open source.

“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases,” the advisory says. “The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.”

The actors have also been using spear phishing techniques such as sending emails with links to malicious files, or with the malicious file directly attached, and using email tracking services to identify the email opening and lure click-through events.

“Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed,” the advisory says. “In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.

“During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.”

In the hours following the June 19 press conference, China responded to the allegations in a press conference of their own.

“China is a staunch supporter of cyberspace security and we have been the biggest victim of cyber attacks,” said Ministry of Foreign Affairs spokesman Zhao Lijian. “We have been firmly opposing and combating all forms of cyber attacks. Our position is clear and consistent.”

Zhao said the allegations against China could be traced back to the Australian Strategic Policy Institute.

“The attacks and the blame coming from this institute against China is totally baseless and nonsense,” he said.

Rebecca Addison
Industrial Cyber Editor. Rebecca Addison is a former newspaper editor with a decade of experience in the media industry. During her career, she has interviewed world leaders and corporate CEOs, and covered topics ranging from blockchain and CBD to healthcare and education.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

New NSA guidance identifies need to update AI systems to address changing risks, bolster security
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats
CISA partners with private sector after Sisense security breach, as critical infrastructure sector potentially impacted
CISA partners with private sector after Sisense security breach, as critical infrastructure sector potentially impacted
Forescout discloses Connect:fun exploitation campaign targeting organizations using Fortinet's FortiClient EMS
Forescout discloses Connect:fun exploitation campaign targeting organizations using Fortinet’s FortiClient EMS
CISA issues Emergency Directive 24-02 in response to Russian cyber threat targeting Microsoft email accounts
CISA issues Emergency Directive 24-02 in response to Russian cyber threat targeting Microsoft email accounts
European Commission recommends Coordinated Implementation Roadmap for transition to Post-Quantum Cryptography
European Commission recommends Coordinated Implementation Roadmap for transition to Post-Quantum Cryptography
HP details evolution of Raspberry Robin malware, shift in distribution method and threat landscape
HP details evolution of Raspberry Robin malware, shift in distribution method and threat landscape
MITRE Engenuity's Center for Threat-Informed Defense expands cybersecurity community resources
MITRE Engenuity’s Center for Threat-Informed Defense expands cybersecurity community resources