Following PM’s warning, Australian industry weighs the real threat from China

Conflict with China escalates on all fronts, online and off, as Australia fast-tracks cyber security investment.

Australia’s cybersecurity industry has been a flurry of activity in recent weeks, with industry announcements and significant new government investments on the back of an opaque prime ministerial warning that Australia was effectively locked in a cyber war with China.

Australian prime minister Scott Morrison was already raising eyebrows when he offered just a half hour’s notice of a hastily called press conference on 19 June—so important that he had, unusually, requested the presence of the opposition leader as well—putatively to warn citizens to make sure they had updated their iPhones.

Yet it was in the hours and days afterwards that the real reason for his press conference—a morning event that began half an hour after news networks were informed of it—became clear, as details emerged of an orchestrated series of cyber attacks by a “sophisticated state-based cyber actor” on what Morrison called “all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure”.

Morrison declined in his statement to name the nation-state actor, but analysts wasted mere seconds before attributing the attacks to China—which has levelled punishing new trade sanctions and economically damaging propaganda against Australian interests.

SecureAuth APJ head of growth Michael Warnock wasn’t surprised, saying that “an attack at this scale is not a surprise”, particularly given the recent surge in political tensions as Australia asserts itself on the world stage.

“This is the world we are in now,” he said, “and this type of cyber warfare is the next level of threat to our countries, businesses and individuals. … There is industry angst that the federal government has yet to give cybersecurity the priority it has needed, particularly regarding the ongoing pressures placed across industries due to the COVID-19 pandemic.”

An industry responds—and so does China

The government recently provided its response, allocating some $1.4 billion in cybersecurity funding to its peak Australian Signals Directorate (ASD) signals-intelligence body. Yet that funding will be spread over a decade—potentially making it a footnote to a current conflict that reached new levels this week.

Those escalations came as China’s Foreign Ministry alleged that it has “irrefutable evidence” that Australian diplomats have been caught spying on Chinese interests—just days after an Australian man was sentenced to death for alleged drug smuggling in China in a move that human-rights advocates suggest reflected “weaponised” political use of the death penalty.

Morrison was initially dismissive of the claims, suggesting that “I wouldn’t be relying on Chinese state media for your sources”, but Chinese authorities have persisted amidst other allegations that they have interfered with the office of NSW Member of Parliament Shaoquett Moselmane.

Yet as the rhetoric between the countries increases, security-industry figures have been working to get the measure of how much the international political tension has translated into online cybersecurity activity.

Other industry figures condemned the Australian government’s perceived lack of action around cybersecurity, with industry veteran and CrowdStrike chief technology officer Mike Sentonas noting that the “lines between e-crime and nation-state attacks are blurring due to the increased sophistication of e-crime actors. … Having a frontline perspective of the rampant threat activity in Australia that occurs every day, including the number of high-profile breaches in recent months, demonstrates the country is not as prepared as we would like to believe.”

SecureAuth’s Warnock took the attacks as a suggestion that government policies around cybersecurity needed to be overhauled, with the government’s 2016 Cybersecurity Strategy showing signs of age. “The government investment in the new policy needs to reflect the new world we are operating in,” he said, “as it has shifted dramatically since 2016 when the last policy was released. Unfortunately, the more Australia elevates its narrative on the international stage, not all actors are going to support what we stand for and cyber attacks will continue as retaliation.”

Questions about the cyber attack itself

National cybersecurity authority the Australian Cyber Security Centre (ACSC) published formal advice about the incidents that Prime Minister Morrison cited, which it attributed to ‘copy-paste attacks’, noting that “the actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest.”

The attackers “regularly conduct reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.”

Meanwhile, an analysis by Mimecast’s Threat Intelligence Team “did not reveal any of the email-related indicators of compromise” published in the ACSC advisory.

“The activity in question is primarily not via email and our analysis confirms that rates of detections have remained constant. Our assessment, therefore, on this morning’s announcement is that there wasn’t a specific attack campaign—but rather that the frequency of broad attacks from a particular state-based actor has increased.”

The mention of two recommended security controls during the press conference—patching of Internet-facing systems and using multifactor authentication—led Nick Savvides, an Australian security-industry veteran and security researcher currently working as APAC director of strategic business with Forcepoint, to conclude that the malicious actors “may have operated sophisticated targeted phishing campaigns” and “were possibly in possession of zero-day vulnerabilities against systems”.

“While Australia has significant capabilities in cybersecurity and an active cybersecurity community, unfortunately not all organisations are at the same level. We are struggling with skills shortage, with unfilled cybersecurity roles in every sector”, Savvides said.

Copyright © 2020 IDG Communications, Inc.
