David Braue
Editor at Large

Australian companies face Russian revenge attacks and Chinese expansionism

News Analysis
Apr 24, 2022

Western agencies warn of potential Russian cyberattacks on critical infrastructure in retaliation for supporting Ukraine, while Chinese entities appear to be moving away from amateur cyberattacks and espionage to a more coordinated, professional operation to support Chinese expansionism.


Russian nation-state actors and sympathetic cybercriminal groups are “exploring options” for a barrage of cyberattacks on critical infrastructure in Australia and other countries opposed to Russia’s invasion of Ukraine, authorities have warned as the ongoing conflict reshapes real-world and online power dynamics worldwide. At the same time, Chinese entities have been professionalising and apparently coordinating their cyberattacks on Australia and other countries.

“Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks,” the US Cybersecurity and Infrastructure Security Agency (CISA) said in a new warning—endorsed by the Australian Cyber Security Centre (ACSC) and the comparable Five Eyes agencies in the UK, Canada, and New Zealand—that damaging sanctions and “materiel support provided by the United States and US allies and partners” had made them targets.

The extensive advisory is a primer on Russian and Russia-aligned cybercriminal groups known to have conducted ransomware, destructive malware, cyber espionage, DDoS and other attacks on Western government, private-sector, nuclear and conventional energy generation, and other critical infrastructure targets.

This includes Russian state-sponsored attacks like BlackEnergy and NotPetya, with at least five Russian government and military organisations targeting foreign IT and operational technology (OT) networks.

Russian group Sandworm was this month blamed for two waves of cyberattacks against Ukrainian critical infrastructure, as new Incontroller malware targeted industrial control systems (ICSs) in the invaded country.

This renews earlier warnings by the ACSC—updated for the ninth time in late March 2022—that encourage all organisations to patch applications and devices; implement mitigations against phishing and spear-phishing attacks; ensure that logging and detection systems are fully updated and functioning; and review incident response and business continuity plans.

“There are no specific or credible cyberthreats to Australian organisations at this time,” the ACSC wrote, while noting that “this could change quickly.”

Despite recent cybercriminal compromises of multifactor authentication (MFA), the ACSC urges all Australian organisations to implement the technology, which, if configured correctly, it said, “remains one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information.”

The Russian threat looms large, but defences have improved

The renewed warnings reflect the mood of a cybersecurity community in which long-simmering concerns about nation-state hacking have loomed large since Russia’s invasion of Ukraine in February 2022.

Warnings by cybersecurity authorities come in the midst of what John France, CISO with security-industry body (ISC)2, called “an uncertain world”. Noting widespread alarm amongst national cybersecurity authorities in Australia and elsewhere, France said during a webinar about the Ukraine conflict, “it’s not an isolated case where it’s one nation-state [the US] warning; it’s pretty global.”

He said it was “interesting” to see agencies responsible for national cybersecurity warning businesses and users, as cyber “knows no geographies”.

Cybersecurity vendor Mandiant’s newly released M-Trends 2022 analysis suggests that cyber defenders are getting better at protecting their turf, but it also finds that cybercriminals are keeping their targets on the back foot by continuing to “innovate and adapt to achieve their mission in targeted environments”.

Still, median dwell time—the number of days between compromise and detection—declined significantly during 2021, from a global average of 73 days in 2020 to just 28 days last year.

China poses its own threat to Australian businesses

Although APAC and EMEA organisations improved their threat detection significantly over the last year, Mandiant “encountered more threat groups in 2021 than in any previous period,” executive vice president for Mandiant Intelligence Sandra Joyce said in a statement, and “began tracking more new malware families than ever before”.

With 733 newly tracked malware families in 2021 alone, she said, the increase “speaks to a threat landscape that continues to trend upward in volume and threat diversity”.

Particularly significant for Australian businesses is the threat posed by China, which Mandiant notes has reinvented its approach to cyber operations to “move away from prolific amateur cyberattacks in favour of more focused, professionalised, and sophisticated attacks conducted by a smaller set of actors. Targets of cyber espionage are not chosen at random”.

Mandiant warned of a “direct correlation” between Beijing policymaking “that can be used to forecast future targets of cyber espionage activity”. Targets “are carefully selected and derived from priorities taken from official government material such as the five-year plans, domestic and national defence white papers, and other policy platforms.”

Mandiant has observed increasing commonality amongst the attacks used by Chinese cyber actors, suggesting increasing sharing of attack methods with a continued focus on government organisations.

Australia could face cyberattacks from both sides

Further escalation of this conflict could see Australia sandwiched between the economically and politically motivated campaigns of China-backed cybercriminals and the Russia-backed actors ganging up to target perceived enemies of the Russian state.

Whether that changes the threat climate for Australian organisations remains to be seen, but with China already extending its reach across Asia-Pacific—through initiatives such as its new partnership with Solomon Islands and broader Belt and Road Initiative (BRI) efforts—Australia, New Zealand, and other regional countries will need to consider how their cybersecurity defences must change to adapt to the new environment.