Australian Prime Minister Scott Morrison today warned of a major state-sponsored cyber-espionage campaign targeting government and private sector businesses.
He urged domestic organizations to take steps to improve their resilience, including the use of multi-factor authentication to access cloud and internet-facing systems, and to patch online devices promptly.
“This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure,” Morrison warned.
“We know it is a sophisticated state-based cyber-actor because of the scale and nature of the targeting and the tradecraft used.”
In a technical advisory yesterday, the Australian Cyber Security Centre (ACSC) referred to the state actor’s “copy-paste compromises” — in other words, its heavy use of proof-of-concept exploits, web shells and other elements “copied almost identically from open source.”
The attackers specifically targeted remote code execution vulnerabilities in development tool Telerik UI, Microsoft Internet Information Services (IIS), SharePoint and Citrix.
“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases,” the ACSC continued.
“The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organizations.”
When exploits don’t work, the hackers use spear-phishing plus open source and custom tools to achieve persistence. They’ve also been spotted using compromised legitimate Australian websites for command-and-control, in an attempt to hide their activity.
Michael Sentonas, global CTO at CrowdStrike, said his firm had seen a 330% spike in malicious activity in the first half of 2020 versus a year ago, and warned that the lines between e-crime and state-backed attacks are blurring due to increased sophistication of the former.
“Having a front line perspective of the rampant threat activity in Australia that occurs every day, including the number of high-profile breaches in recent months, demonstrates the country is not as prepared as we would like to believe,” he added.
“It is positive that this issue is being raised, and governments and organizations must now take action and harden their defenses against an advanced pool of adversaries.”
Given Australia’s recent geopolitical disputes with its larger neighbor to the north, China will be top of the list of suspects in these attacks.