At a press conference on June 19, Australian Prime Minister Scott Morrison confirmed that his country has been fending off a series of ongoing cyber attacks. According to Morrison, the cyber attacks are targeting Australia’s critical infrastructure, government institutions and businesses.
“This activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure,” he said.
While the prime minister did not identify China as the source of these cyber attacks, many reports suggest the country is behind the campaign targeting Australia’s critical infrastructure. Morrison said the attacks have been ongoing, occurring over a series of months.
“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the trade craft used,” Morrison said. “Regrettably, this activity is not new, but the frequency has been increasing.”
Morrison said the purpose of the press conference was to raise awareness and encourage organizations, particularly those in Australia’s critical infrastructure, to implement technical defenses to thwart this malicious cyber activity. This news comes one day after the Australian Cyber Security Centre released an advisory on the tactics, techniques and procedures used to target multiple Australian networks.
“The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor,” the advisory says. “The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of a remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.”
According to the advisory, the actors have been using proof-of-concept exploit code, web shells and other tools copied almost identically from open source.
“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases,” the advisory says. “The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.”
The actors have also been using spear phishing techniques such as sending emails with links to malicious files, or with the malicious file directly attached, and using email tracking services to detect when an email is opened and when the lure link is clicked.
“Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed,” the advisory says. “In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.
“During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.”
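The advisory's point that command and control ran over ordinary HTTP/HTTPS to web shells on compromised domestic websites means a country-based block list sees nothing unusual, so detection has to rest on request behaviour instead. The following is an added example, not code from the ACSC advisory or from any tool it names: it parses a constructed IIS W3C log excerpt and contrasts a geo-only filter (which flags nothing, because every client in the sample is mapped to Australia) with simple behavioural heuristics. The log lines, IP addresses (RFC 5737 documentation ranges), country mapping, baseline POST endpoints, static-directory list and scoring thresholds are all constructed assumptions for the illustration.

```python
"""Behavioural web-shell / C2 detection over web server logs.

Added example (not from the ACSC advisory or any vendor tool). The log lines,
IP addresses, country mapping, baseline endpoints and scoring thresholds are
all constructed for illustration.
"""
from collections import defaultdict

# Constructed IIS W3C log excerpt. Client IPs use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2020-06-18 09:00:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.10 Mozilla/5.0 https://www.example.invalid/ 200 15
2020-06-18 09:00:02 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.10 Mozilla/5.0 https://www.example.invalid/index.aspx 200 3
2020-06-18 09:01:10 10.0.0.5 POST /contact.aspx - 443 - 198.51.100.7 Mozilla/5.0 https://www.example.invalid/contact.aspx 200 40
2020-06-18 09:02:00 10.0.0.5 POST /uploads/assets/theme.aspx - 443 - 203.0.113.25 Mozilla/5.0 - 200 120
2020-06-18 09:02:31 10.0.0.5 POST /uploads/assets/theme.aspx - 443 - 203.0.113.25 Mozilla/5.0 - 200 98
2020-06-18 09:03:05 10.0.0.5 POST /uploads/assets/theme.aspx - 443 - 203.0.113.25 Mozilla/5.0 - 200 2210
2020-06-18 09:04:00 10.0.0.5 GET /about.aspx - 443 - 198.51.100.7 Mozilla/5.0 https://www.example.invalid/ 200 12
"""

FIELD_NAMES = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
               "username", "c_ip", "user_agent", "referer", "status", "time_taken"]


def parse_iis_log(text):
    """Parse W3C lines into dicts; skip '#' directive lines and malformed rows."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELD_NAMES):
            continue
        records.append(dict(zip(FIELD_NAMES, parts)))
    return records


# Constructed: every client in the sample resolves to Australia, which is the
# situation the advisory describes (C2 relayed through compromised domestic hosts).
COUNTRY_OF = {"203.0.113.10": "AU", "203.0.113.25": "AU", "198.51.100.7": "AU"}


def geo_only_filter(records, blocked_countries, country_of=COUNTRY_OF):
    """Flag on source country alone. Returns the records a geo-block would stop."""
    return [r for r in records if country_of.get(r["c_ip"], "??") in blocked_countries]


# Constructed baseline: the only paths that legitimately accept POST on this site.
BASELINE_POST_ENDPOINTS = {"/contact.aspx", "/login.aspx"}
# Constructed: directories that should only ever serve static content.
STATIC_DIRS = ("/uploads/", "/images/", "/css/", "/js/")
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".php", ".jsp")


def score_request(r):
    """Return the set of reasons a single request looks like web-shell traffic."""
    reasons = set()
    stem = r["uri_stem"].lower()
    if r["method"] == "POST" and stem not in BASELINE_POST_ENDPOINTS:
        reasons.add("post_to_unknown_endpoint")
    if stem.startswith(STATIC_DIRS) and stem.endswith(SCRIPT_EXTENSIONS):
        reasons.add("script_in_static_dir")
    if r["method"] == "POST" and r["referer"] == "-":
        reasons.add("post_without_referer")
    return reasons


def web_shell_candidates(records, min_hits=2):
    """Aggregate per (client, path); report pairs with repeated suspicious hits."""
    agg = defaultdict(lambda: {"hits": 0, "reasons": set()})
    for r in records:
        reasons = score_request(r)
        if reasons:
            key = (r["c_ip"], r["uri_stem"])
            agg[key]["hits"] += 1
            agg[key]["reasons"] |= reasons
    return {k: v for k, v in agg.items() if v["hits"] >= min_hits}


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("geo-block (non-AU) would stop:", len(geo_only_filter(recs, {"CN", "RU"})))
    for (ip, path), info in web_shell_candidates(recs).items():
        print(f"{ip} -> {path}: {info['hits']} hits, {sorted(info['reasons'])}")
```

On the sample, the geo filter stops nothing while the behavioural pass isolates the repeated POSTs to a script sitting in an uploads directory with no referer. In practice the baseline of legitimate POST endpoints would be derived from the application's routing table or from a clean period of logs rather than hard-coded, and hits would be correlated with file-creation times on the web root, which is where a dropped web shell first shows up.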
In the hours following the June 19 press conference, China responded to the allegations in a press conference of its own.
“China is a staunch supporter of cyberspace security and we have been the biggest victim of cyber attacks,” said Ministry of Foreign Affairs spokesman Zhao Lijian. “We have been firmly opposing and combating all forms of cyber attacks. Our position is clear and consistent.”
Zhao said the allegations against China could be traced back to the Australian Strategic Policy Institute.
“The attacks and the blame coming from this institute against China are totally baseless and nonsense,” he said.