
Australian prime minister confirms country is suffering repeated nation-state cyber attacks

Concern over critical national infrastructure as cyber attackers repeatedly try to gain access to network of organisations operating in multiple sectors

Australia’s critical national infrastructure (CNI) is being subjected to frequent and worsening cyber attacks, the country’s prime minister, Scott Morrison, has revealed.

During a press conference today (19 June), Morrison said the source of the attacks is thought to be a nation-state with “significant capabilities”, but stopped short of identifying who the government suspects is behind the attacks.

As well as Australia’s CNI, a wide range of sectors have found themselves targeted, said Morrison, including health, education, government and general industry.

The Australian Cyber Security Centre (ACSC) has issued guidance on what end-users can do to protect themselves from the attacks, which rely on “copy-paste compromises”, according to its advisory.

This labelling derives from the perpetrator’s heavy use of proof-of-concept exploit codes and web shells that are copied almost identically from the open source community.

The advisory also warns that the perpetrators are taking advantage of unpatched versions of Telerik UI, which is used by organisations to bolster the user experience of websites, as well as mobile and desktop applications.

The attackers regularly seize on this to gain access to public-facing infrastructures using a remote code execution vulnerability, but they are also favouring other routes, said the ACSC.

“Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services, a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability,” said the advisory.

“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases.”

The attackers also have an “aptitude” for seeking out test and development environments and orphaned services that are no longer being tended to by their owner organisations, said the advisory.

When access cannot be gained by these means, the perpetrators are then known to make use of spear-phishing techniques to trick end-users into handing over their login credentials.

Once access into the organisation has been secured, the attackers deploy a mix of open source and custom tools to interact with the victim network and take over the websites of compromised organisations to run command-and-control servers.

“Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic,” said the advisory. “This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.

“During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.”
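A defender-side illustration of the command-and-control pattern the advisory describes, added here and not taken from the article or the ACSC: a heuristic that parses constructed access-log lines and flags POST traffic to server-side script paths that sit outside a hypothetical application baseline and never carry a referer, the way an operator's tool talking to a web shell typically looks. The baseline paths, addresses and log format are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; IIS logs would need a different pattern.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jun/2020:10:01:02 +1000] "GET /index.aspx HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jun/2020:10:01:03 +1000] "POST /login.aspx HTTP/1.1" 302 0 "https://www.example.org/index.aspx" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2020:10:02:10 +1000] "POST /images/cache.aspx HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2020:10:02:11 +1000] "POST /images/cache.aspx HTTP/1.1" 200 1720 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2020:10:02:12 +1000] "POST /images/cache.aspx HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2020:10:03:00 +1000] "GET /images/logo.png HTTP/1.1" 200 2048 "https://www.example.org/index.aspx" "Mozilla/5.0"
"""

# Hypothetical baseline: script paths the application is known to serve.
KNOWN_SCRIPTS = {"/index.aspx", "/login.aspx"}
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".php", ".jsp")


def parse(log_text):
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_webshell_candidates(log_text, known_scripts=KNOWN_SCRIPTS):
    """Flag script paths outside the baseline whose POST traffic never carries a
    referer: a browser navigating the site sets one, a tool driving a web shell
    usually does not. Returns {path: {"ips": set, "posts": int}}."""
    hits = defaultdict(lambda: {"ips": set(), "posts": 0, "no_referer": 0})
    for r in parse(log_text):
        path = r["path"].split("?", 1)[0]
        if r["method"] != "POST" or path in known_scripts:
            continue
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        h = hits[path]
        h["ips"].add(r["ip"])
        h["posts"] += 1
        if r["referer"] == "-":
            h["no_referer"] += 1
    return {p: {"ips": h["ips"], "posts": h["posts"]}
            for p, h in hits.items() if h["no_referer"] == h["posts"]}
```

Because the traffic is ordinary HTTPS to the organisation's own site, source-based controls such as geo-blocking do not help; a baseline of expected script paths, as used here, is what makes the unexpected endpoint stand out.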


To address the compromise, all accesses to the network must be identified and removed, said the ACSC, but there are several steps organisations can take to protect themselves from falling victim to attack in the first place.

These include ensuring that all internet-facing infrastructures that are vulnerable to attack are patched within the next 48 hours, and that organisations make use of multifactor authentication across all remote access services.

“All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available,” said the ACSC. “Additionally, organisations, where possible, should use the latest versions of software and operating systems.”

Ghian Oberholzer, regional vice-president of TechOps for the Asia Pacific region at cyber security firm Claroty, said the risk that these attacks pose to the resiliency and continued operations of Australia’s CNI should not be underestimated.

“The most alarming element of the multi-faceted cyber attack launched on Australian organisations is the risk it poses to Australia’s critical infrastructure – the very services on which society depends, including our water supply, power grids and telecommunications systems,” said Oberholzer.

“Cyber attacks on businesses are damaging enough, but the impacts of a successful attack on any of these critical services could be catastrophic, such as shutting down the electricity grid.

“Critical infrastructure often eludes the public’s attention as a major source of cyber risk, but it remains highly susceptible to targeted attacks, as past experience shows.”

Oberholzer added: “Today’s announcement by the prime minister illustrates the need for sophisticated cyber security practices, policies and technology to protect our critical infrastructure. Australia cannot afford to suffer catastrophic damage to its critical infrastructure at the best of times, and thanks to Covid-19, these are far from the best of times.”
