Surge in cyber attacks amid China tensions
Jun 19, 2020 – 6.45pm
Venture capital firms and defence contractors are among the hardest hit as growing tensions with China have contributed to a 330 per cent increase in cyber attacks on Australia since the start of the year.
Prime Minister Scott Morrison revealed a targeting all levels of government, industry, critical industry, education, health and essential services providers.
Prime Minister Scott Morrison said Australia was increasingly suffering cyber attacks from a foreign nation. Alex Ellinghausen
Investigations had so far not found any evidence personal data had been stolen, Mr Morrison said, although sources believe cyber theft, including that of intellectual property, has been one of the main motivations.
The head of the Australian Strategic Policy Institute's International Cyber Policy Centre, Fergus Hanson, said given the recent , as well as past form, it was pretty clear China had been behind the attacks.
"This is just a carpet-bomb attack, not a surgical strike," he said.
Mr Morrison said the attacks had been going on for many months but the frequency had increased recently, although agencies such as the Australian Cyber Security Centre had thwarted many of them.
But the tipping point was reached on Thursday, with Cabinet's national security committee agreeing with security agencies it was time to go public.
"We know it's a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used," Mr Morrison said.
"I raised this not to raise the concerns of Australians, but in many ways to reassure Australians that we understand what's going on here and we're addressing it to the best of our capabilities and we're in a position to do that better than most countries in the world. We know it's going on."
Mr Morrison's public statement had twin purposes: telling the perpetrator to back off, as well as a call to action to business leaders and the community that Australia was increasingly being dragged into cyber warfare and they needed to bolster defences.
The Opposition and state premiers and chief ministers were briefed on the cyber attack, while Australia has also begun to consult global allies. Mr Morrison spoke to United Kingdom Prime Minister Boris Johnson on Thursday evening, while Australian officials have spoken to counterparts in fellow Five Eyes nations and other trusted countries.
Government officials pointed to the rising number of cyber warnings from the Australian Cyber Security Centre, which escalated after the.
Confirming the breadth of the incidents, the ACSC released 109 different attack approaches that had been used as part of the campaign.
Telstra chief executive Andy Penn said the increase in people working and studying from home, away from traditional cyber security measures, had increased their vulnerability.
"We have seen a significant increase in cyber-attack activity in recent weeks and we are on heightened alert for ourselves and for our customers and we are actively managing the risk," he said.
While not attributing the incidents to China, government cyber experts said the basic low-level tactics being used suggested they were being driven by junior contractors, most likely acting under the Chinese Ministry of State Security's encouragement.
Mr Morrison defended the decision not to name the attacker, saying the threshold for public attribution on a technical level was extremely high.
"And so Australia doesn't judge lightly in public attributions and when and if we choose to do so, it is always done in the context of what we believe to be in our strategic national interest," he said.
Mike Sentonas, the chief technology officer of Silicon Valley firm CrowdStrike, said there had been a sustained focus on Australia by sophisticated e-crime and nation-state actors.
The lines between these previously separate players were becoming increasingly blurred.
CrowdStrike, which is listed on the Nasdaq, has recorded a 330 per cent increase in attacks this year, compared to the same period in 2019.
"The number of attacks right now is staggering, it's unprecedented really," Mr Sentonas said.
"We have an escalating trade war with China so it's not surprising we have become a bigger target."
But he also cautioned that hackers from Iran, North Korea and Russia were very active.
Federal government briefings indicate Services NSW, which holds data on millions of people, was among those hit in the cyber attack.
An investigation is still under way into the severity of the attack, although the agency said it appeared only customer information in 47 team members' email accounts was affected and individual account data had not been compromised.
A cyber security source said state actors had been particularly targeting venture capital firms, defence contractors, the space industry, think tanks and others that hold valuable intellectual property.
While the future submarines and frigates, being designed by Naval Group and BAE Systems respectively, are high-value targets, several sources said all major contractors were being subjected to sustained cyber intrusions.
"It's been pretty active through COVID and everyone has copped it," one defence industry executive said.
Increased since the onset of COVID-19
Australian Industry and Defence Network chief executive Brent Clark said the real concern was with second-tier companies that had access to sensitive data but whose systems were not robust enough.
BlueScope Steel, transport group Toll Holdings and beer maker Lion Australia have fallen prey to highly publicised e-crime attacks in recent months.
One person briefed on the issues said the campaign called out by the Prime Minister began in August 2018, around the time Australia blocked Chinese firm Huawei from bidding on 5G telecommunications contracts.
The severity of the attacks and their frequency had increased since the onset of the COVID-19 pandemic.
"As we went further up the Chinese shit list the amount of activity increased," said the person.
"It is almost certainly the Ministry of State Security [MSS] or one of their contractors behind it."
The source, who works in cyber security, said the techniques used were not overly sophisticated and related to "known vulnerabilities", which could be fixed with the manual patching of servers.