Prime Minister says Australia is under cyber attack from state-based actor

Light on detail and refusing to attribute, Scott Morrison says state-based attacks are targeting all levels of government, as well as the private sector.

Prime Minister Scott Morrison called a press conference on Friday morning to "raise awareness" of the state-based cyber attacks Australia is currently facing across all levels of government, as well as the private sector.

"Based on advice provided to me by our cyber experts, Australian organisations are currently being targeted by a sophisticated state-based cyber actor," Morrison said.

"This activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, central service providers, and operators of other critical infrastructure."

While Morrison said the government knows it is a "sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used", he was unable to say who exactly is targeted, or what that targeting looks like, and refused to attribute the attacks.

"The threshold for public attribution on a technical level is extremely high, so Australia doesn't engage lightly in public attributions, and when and if we choose to do so is always done in the context of what we believe to be in our strategic national interest," he said.

"What I simply can confirm is there are not a large number of state-based actors that can engage in this type of activity and it is clear based on the advice that we have received that this has been done by a state-based actor with very significant capabilities."

"The Australian government is not making any public attribution on these matters," he said in response to a question asking if China was behind the "attacks". "We are very confident these are the actions of a state-based actor, we have not gone any further than that, I can't control what speculation others might engage in ... I've simply laid out the facts as we know them."

He said the Australian Cyber Security Centre (ACSC) has been working with the private sector to "thwart this activity".

"Regrettably, this activity is not new, but frequency has been increasing," he said. "The ACSC has also been working with targeted organisations to ensure that they have appropriate technical mitigations in place and their defences are appropriately raised."

Despite not providing detail of any specifics, Morrison said his announcement was about raising awareness.

"We raise this issue today not to raise concerns in the public's mind but to raise awareness in the public's mind," he said. "This is the world that we live in, these are the threats we have to deal with."

Morrison also denied there had been any large-scale breaches resulting in the compromise of personal details of any individuals.

"We know what's going on, we're on it," he said.

Following the prime minister's press conference, the ACSC released an advisory detailing the copy-paste compromises.

"The title 'Copy-paste compromises' is derived from the actor's heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source," the ACSC said.

"The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure -- primarily through the use of a remote code execution vulnerability in unpatched versions of Telerik UI.

"Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability, and the 2019 Citrix vulnerability."

A Citrix vulnerability was previously used to attack a database of Australian Defence recruitment details.

If attacking public-facing systems failed, the ACSC said the actor switches to spearphishing.

"Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network," the advisory said.

"Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed."

The ACSC added it did not see any intent by attackers to "carry out any disruptive or destructive activities within victim environments".

"All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available," it said.

Speaking with ZDNet previously, when he was Minister for Law Enforcement and Cyber Security, Angus Taylor said attribution is important, and a major statement that has to be made.

"You're saying to that country, you're calling out bad behaviour and these things can always escalate -- making them accountable," he said.

"Holding criminals and hostile governments to account ... diplomats have to manage those issues very carefully because these things can escalate, but I am adamant we should attribute."

Australia's Parliament is known to have suffered two serious cybersecurity incidents in the last decade.

In 2011, hackers busted the parliamentary email accounts of then-Prime Minister Julia Gillard and at least two other senior ministers: Foreign Minister Kevin Rudd and Defence Minister Stephen Smith.

The hackers, widely speculated to be state-based actors from China, were believed to have had access for up to a month to thousands of emails.

In February 2019, a seemingly more comprehensive hack of the Australian Parliament network -- as well as political party networks -- was revealed.

According to Morrison, it was down to a "sophisticated state actor", again speculated to be China.

The attack forced a password reset of all Australian Parliament House network users, including politicians and all of their staffers.

Australia this year has experienced a handful of reported ransomware attacks, with logistics giant Toll, BlueScope, and most recently Lion

Service NSW, the state government one-stop-shop for service delivery, also fell victim to a phishing attack in April. The email accounts of 47 Service NSW staff members were illegally accessed and the matter is still being investigated.

After Shadow Assistant Minister for Cyber Security Tim Watts on Thursday raised concerns over the delay in Australia's updated cybersecurity strategy, Morrison said to expect a superseding document to appear in the coming months.

The country's current cybersecurity strategy was launched in April 2016 with a AU$230 million kitty.

"Cybersecurity is a shared responsibility of us all," Minister for Defence Linda Reynolds said on Friday.
