Hackers break in to RBA, but it's business as usual
According to news coming out of the Australian Financial Review on Monday, the Reserve Bank of Australia (RBA) was hit by attackers who infiltrated its networks and allegedly stole information.
But should we really be surprised?
While Australia's banks being hit by Chinese hackers makes for a great headline, the reality is that there's nothing particularly different about this attack than ones that have occurred in the past.
According to Freedom of Information documents (PDF) released by the RBA in December last year, the attackers' point of entry was via an email. The email, which was sent in November 2011, contained a link to a malicious website that if clicked on would download malware to its victims' computers.
It was sent, undetected by the RBA's security systems, to "several bank staff, including senior management up to head of department", and was ultimately successful — six people clicked the link and infected their machines.
While that elicits all sorts of buzz phrases like "advanced persistent threat" and "highly targeted" to go along with state-sponsored hacking, it's actually not particularly difficult to put together some names and email addresses. A quick LinkedIn search shows a couple of heads of departments and some 352 results for RBA employees.
Grabbing email addresses? Easy. Usernames for the rba.gov.au domain are employees' last names, followed by the first letter of their first name.
RBA's security system was bypassed because its antivirus systems failed to flag it. That might sound sophisticated, but run a piece of malware through VirusTotal, and it quickly becomes apparent that many vendors either miss recently authored pieces of malware completely, or take a while before they are aware of the threat. And "customised" malware that's capable of evading detection sometimes doesn't have to be much more than a few changes to a toolkit.
There's additionally the argument that's been floating around the security industry for the past few years that protection using signatures and heuristics alone is a fallacy, and instead network forensics are more important.
Of course, toolkit-based malware doesn't necessarily have the level of sophistication to take over a computer and dig for information like one that uses a zero-day can, but the RBA's malware wasn't up to that level of sophistication.
The incident summary includes a line downplaying the issue, stating, "of note, all of the affected PCs did not have local administrator rights. This prevented the virus from spreading".
And before we jump all over those six employees, what were their backgrounds? We don't know whether they were technologically savvy people, or just those who, like a huge proportion of Australians, need to use a computer to do their job. We might never know.
But we do know that even the most tech-savvy people fall for phishing schemes from time to time. Take a Facebook developer — someone who you would reasonably expect to know about protecting intellectual property, especially when they have access to live systems.
Facebook's own "Loopback" project, designed to test its own security, saw a developer fall victim to a spear-phishing email. His infected machine thereafter altered the code he was working on, publishing a (disabled by Loopback's coordinators) backdoor on Facebook's live servers.
This sort of thing likely happens all the time. The fact that it happened to six employees at RBA isn't anything out of the ordinary.
The RBA seems to agree, judging by the response it took.
It essentially suggested deploying updated virus signatures, looking for links in emails and possibly blocking the download of certain files from the internet via web browsing. It did not consider any changes to its risk register, and the team doing the security analysis didn't think it needed to, either.
While that covers the technology side of the issue, what about the human side? The RBA wrote that "while users are aware of the need for caution with suspicious attachments, such awareness is unlikely to protect the bank from credible-looking emails and attachments".
Its own documentation lists the "severity of actual impact" as minor, and although it states that "bank assets could have been potentially compromised, leading to service disruption, information loss, and reputation", it does not, in the RBA's incident report summary, list it as having financial, legal and compliance, or reputational impacts.
It did contact the Defence Signals Directorate (DSD), which might cause some to think that this is a national security dilemma. But the reality is, doing so is just good practice. The DSD's Information Security Manual states that agencies are recommended to coordinate their reporting of cybersecurity incidents to DSD.
This is not only to help gain appropriate assistance, if it is needed, but also to help the government maintain a better perspective on attacks conducted against it.
Does this mean we're not in some form of "cyber" war with scary foreign nations?
Not at all. China's probably hacking us, just as we and the US are hacking them, and anyone else that falls under our radar. We just shouldn't be surprised that it happens.
Subsequent to this article being written, the RBA issued the following statement:
As reported in today's media, the bank has on occasion been the target of cyberattacks. The bank has comprehensive security arrangements in place which have isolated these attacks and ensured that viruses have not been spread across the Bank's network or systems. At no point have these attacks caused the bank's data or information to be lost or its systems to be corrupted. The bank's IT systems operate safely, securely, and with a high degree of resilience.
The bank takes cybersecurity and its potential consequences extremely seriously. As part of its extensive efforts to ensure that security arrangements are best practice, the bank routinely consults with the Defence Signals Directorate and draws on the expertise of specialist private firms. There is ongoing rigorous testing of the bank's IT systems and regular training of staff.