This June, the Australian government had to face one of the most intense weeks of its present term in office. Prime Minister Scott Morrison called a press conference on June 19 to explain that the country was being targeted by a wave of cyberattacks:
“Based on advice provided to me by our cyber experts, Australian organizations are currently being targeted by a sophisticated state-based cyber actor […] This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, central service providers, and operators of other critical infrastructure.”
When asked about the precise source of the campaign, the Prime Minister refused to attribute responsibility for the attacks, as is often diplomatic protocol when other nation states may be implicated. Independent analysts, however, pointed the finger at China.
Copy-paste compromises
The TTPs identified by the Australian Cyber Security Centre (ACSC) indicate that the attackers relied on what are known as ‘copy-paste compromises’: proof-of-concept exploit code, web shells, and other tooling copied almost verbatim from open-source repositories and used to exploit known vulnerabilities.
A number of attack vectors were used against the public sector, the most common being the exploitation of vulnerabilities in remote-access tools such as the Telerik user interface, and in services such as Microsoft Internet Information Services (IIS), SharePoint 2019, and Citrix 2019.
The attackers also showed they could quickly turn public proof-of-concept code into working exploits and take advantage of test or development services that organizations had left under-protected. Where these security holes could not be exploited, they fell back on spearphishing techniques such as links to spoofed domains or emails carrying malicious links.
The ACSC found that the legitimate websites of the targeted organizations were being used as command-and-control servers, yet it observed no activity that would have caused damage or losses in the victims’ environments. This has led some analysts to conclude that the objective was espionage against these organizations, at both state and private level. Industrial cyberespionage of this kind has in the past been attributed to groups with links to China.
Lessons for organizations
The campaign targeting the public sector and major companies in Australia offers some important lessons that directors of any large organization should take into consideration.
- The need for appropriate and specific cybersecurity resources. The vulnerabilities and unprotected systems highlighted by the ACSC suggest that the Australian government did not have sufficient cybersecurity capacity to deal with threats of this level. This is also clear from the government’s response, which has now dedicated AU$1 billion to bolstering its cyberdefenses.
This highlights how leaders of organizations must ensure that CISOs and IT managers have the appropriate technological assets and teams to provide the level of threat protection required by the organization.
- Rapidly detect and respond to sophisticated threats. Governments such as Australia’s, and large organizations in general, need advanced threat hunting, detection, and response capabilities to quickly identify the type of cyberattack and its source, so that they can mitigate it and make decisions promptly. Cytomic Orion delivers these capabilities and has extended them in its new version with OSQuery, which lets organizations see in real time the entities, attributes, and system status of all protected endpoints, and broadens coverage of the MITRE ATT&CK framework with new threat intelligence based on the behavior observed on Linux endpoints and servers.
- Keep all programs and services patched and up to date. These cyberattacks have, on the whole, rapidly exploited vulnerabilities in remote-access tools such as Telerik, SharePoint, and Citrix. As we pointed out in our blog post on cyberattacks against Cisco, Zoho, and Citrix tools, the main preventive barrier is to keep systems fully updated and to apply patches as soon as a vulnerability is disclosed, especially at a time like this, when remote services are in great demand because of the COVID-19 pandemic. Since this is not a simple task, particularly for large organizations, there is the option of the vulnerability portal designed by Cytomic and of solutions such as Cytomic Patch, which can identify and manage security flaws in operating systems and hundreds of corporate software tools in real time from a centralized console.