ASD using classified capabilities to warn local entities of impending ransomware hit

Off the back of Channel Nine being attacked in March, ASD warned two companies that they were next in line.
Written by Chris Duckett, Contributor

While the Australian Cyber Security Centre (ACSC) is engaged in helping a local organisation remove and recover from a ransomware hit or cyber attack, its overseer, the Australian Signals Directorate (ASD), is able to use its more secretive powers to find out whether any other organisations are on the attackers' hit list.

Speaking about the attack on Channel Nine in March, director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates that pre-warning organisations about any precursor activity on their networks or systems is part of ASD's "value add".

"We were very engaged with [Channel Nine] and the technical information that they were able to provide us about what happened on their network helped us, using our more classified capabilities, to warn two other entities that they were about to be victims as well, to prevent them from becoming victims," Noble said.

A particular focus in the past year for ACSC has been the health sector, which has seen its share of cyber incidents and has been the sector with the highest level of ransomware attacks.

ACSC head Abigail Bradshaw said when an incident occurs, ACSC assists organisations with shutting down and confining the ransomware, before providing assurance that the malicious actor is out, and then helping to restore systems.

"And lastly, as quickly as we can ... to take whatever indicators of compromise we can for the purpose of pre-warning other entities before they become victims," Bradshaw said.

"We use the full range of ASD capabilities to determine whether or not there might be indicators of future victims. We have done that in a number of cases in the last 12 months ... using the full range of ASD capabilities, we have been able to identify precursors going down on other people's networks, and to pre-warn those entities before they become victims, which [as Noble says] is much more useful."

The ACSC has been publishing pre-emptive threat advisories for health care over the past 18 months "because they have been so vulnerable and also useful targets for criminals," Bradshaw said.

"We have direct links into, and in fact officers embedded in the Department of Health, because of the criticality of the health sector at the moment," the ACSC chief said.

"That means we alert the Department of Health whenever there is an impact to the healthcare sector, but also, in particular, any entity involved in the vaccine rollout, because that is of critical importance."

Noble confirmed the government has been engaging with global meat producer JBS after ransomware took down its systems earlier this week.

"We have been engaging with the JBS subsidiary here in Australia to provide them with the best advice and assistance that we can," Noble said.

"I think it's fair to say that they have a private incident response provider, which is terrific, and they know that we're here for them."

The director-general said ASD has not used its offensive cyber capabilities against the ransomware crew, at this time believed to be Russian-based.

JBS said on Tuesday it had seen "significant progress" in resolving the attack that hit its North American and Australian operations, while its Mexico and UK operations were unaffected.

"We have cybersecurity plans in place to address these types of issues and we are successfully executing those plans. Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow," JBS USA CEO Andre Nogueira said.

The company said it has received strong support from governments in Washington, Canberra, and Ottawa, and was having daily calls with officials.

In April last year, the government announced ASD used its offensive powers against COVID-19 scammers, and since then, ASD has made sure those crews have not got up off the mat.

"We absolutely have continued quite a range of offensive cyber operations, including ensuring that this particular organised criminal syndicate -- watching them and making sure that they are unable to rebuild their infrastructure -- do not get back on their feet," the director-general said.

Bradshaw added that the National Cyber Security Committee has sometimes been meeting daily, in particular when vulnerabilities such as those in Microsoft Exchange and Accellion appeared.
