Commentary on Political Economy

Friday 26 June 2020

The cyber honey trap that caught out Beijing

The inside story of the new front line in China's escalating cyber offensive and its most notorious hacking group, Stone Panda.
Craig Valli, director of the Security Research Institute at Edith Cowan University, is at the frontline of an escalating cyber war. Philip Gostelow
Angus Grigg, National affairs correspondent
It's just before 9am in China and a hacker from the regional city of Xinpu is embarking on an early offensive.
The target is an industrial control system in Western Australia and the objective is to infiltrate the network and plant malicious software which could one day be used to steal information or cripple that business.
"New attack from Xinpu, China to Australia," reads the early warning system at Perth's Edith Cowan University (ECU).
The attacker successfully breaches the network's outer defences, but won't compromise anything as the target is not really a conveyor belt at an iron ore mine as the keyboard warrior suspects.
The hacker sitting outside Shanghai has actually landed on a so-called "honey pot", set up by ECU's Security Research Institute to study the techniques and tactics of cyber criminals and state actors. Its sensors deliberately sit on the frontline of this escalating war.
"Some days we get up to 1 million attacks," says Craig Valli, director of the research institute at ECU. "Around 30 per cent of these come from China."
Valli is speaking about the global network of sensors he has established to track and study cyber intrusions, one cluster of which sits in Australia.
From the safety of a desk it allows one to observe this global battle, which has become so persistent and damaging for Australia in recent months that Prime Minister Scott Morrison felt the need to call out a "sophisticated state-based cyber actor" at a specially convened press conference last Friday morning.
China was quickly identified as the likely perpetrator, a suspicion illustrated by Valli's so-called "HoneyMap". Using red dots and a world map it only takes a single glance to identify China as the main actor in this theatre.
Mainland China is lit up like a network of traffic lights flashing red and on Tuesday morning, when AFR Weekend logs on, the HoneyMap shows 16 sites across the country from which attacks are being launched. Their targets are mainly in the US, but Australia also features prominently.
In the first hour of observation China launches 1099 attacks from sites as diverse as Xinjiang in the west to Shanghai and Shenzhen on the coast to Harbin and Beijing in the north.
Over that same time period Australia sustains 758 attacks from adversaries in China, but also Russia, Panama, Ireland and numerous other locations. And these numbers only take into account Valli's small network of "honey pots", which are but a tiny fraction of the potential targets available to adversaries.
There has been a 330 per cent increase in attacks on Australia since the start of the year. Fairfax Media

Warning signs

In the days leading up to the Prime Minister calling out that unnamed "state actor", Valli's Australia sensors showed a sustained pick-up in activity. And one former defence minister and opposition leader cum Governor of Western Australia had a front-row seat for the action.
Valli was showing Kim Beazley around the ECU's Security Operations Centre in Perth on Thursday when the screens lit up.
"Australia was getting hammered," says Valli.
He says activity in the days preceding Morrison's press conference was up between 50 per cent and 250 per cent at different periods. Plenty of this was coming from China but during an increase in intensity like this it becomes a "pile-on" as others join the fray, he says.
While not seeking to diminish China's responsibility, Valli, who sits on INTERPOL's cyber crime experts group, says there should be less focus on where the attacks come from and a greater understanding of their scale and threat. He says over the last 10 years the capability of adversaries has increased 60-fold.
"Show me another industry which has had to deal with that level of increase," he says. "There are just so many bad actors out there."
Those "bad actors" have led to a 330 per cent increase in attacks on Australia since the start of the year, according to Silicon Valley cyber security firm CrowdStrike.
Chief technology officer Mike Sentonas called the level of activity "unprecedented", while noting state actors and cyber criminals were becoming increasingly difficult to separate.
It is an observation confirmed by another Australian cyber security expert who has had direct dealings with China's most notorious hacking squad, known as APT10 or Stone Panda.
The group, consisting of contractors and agents from China's Ministry of State Security, has been active in Australia over the last two years, according to the source who prefers not to be named.
He says the group, whose members have been indicted by the US Department of Justice for stealing commercial secrets, penetrated the NSW Department of Premier and Cabinet. But the NSW government was not their ultimate target.
Rather, the goal was to take control of email accounts ending in .gov.au, which would not be blocked by spam filters at the Department of Defence in Canberra, he says.
This then allowed APT10 – short for Advanced Persistent Threat – to mount a spear phishing campaign against Defence in an attempt to infiltrate its network.
"It was a broad campaign to gain access and collect intelligence," says the source.
However, the hackers' efforts were thwarted after they did a little freelancing on the side once they had gained access to the NSW government network. APT10 used its access to the NSW government network to generate multiple fake invoices of between $70,000 and $80,000 each.
"After completing their intelligence collection they went looking for money," says the source. "That's how they got caught. They didn't get the money and we kicked them out but it shows China does not control its hackers."
The attempt illustrates the merging of cyber crime and intelligence gathering. The worry is that these cyber criminals now have the same tools or weapons used by nation states, which is not unlike giving private security contractors access to precision guided missiles and fighter jets.
It also shows how little sleep is lost by hackers over the possibility of getting caught, a point former prime minister Malcolm Turnbull made in his recently released book A Bigger Picture.
"While many nations sought to spy on Australia, China represented by far the bulk of detected activity," he wrote. "It was mostly cyber espionage, generally managed by intelligence agencies in Shanghai."

Calling out China

Turnbull called out China for conducting more cyber intrusions than any other nation, while noting finally "they're not embarrassed by being caught". This brazenness may not worry those keyboard warriors and their masters, but it has added another charge to the already lengthy list of grievances levelled at Beijing.
On Monday, it was European Commission President Ursula von der Leyen who called out China for hacking into hospitals during the peak of the COVID-19 pandemic.
"We've seen attacks … on computer systems, on hospitals, and we know the origin of the cyberattacks," she said. "This cannot be tolerated."
Canberra has not gone this far in calling out China, but during Turnbull's time in office, it was Beijing's persistent efforts to steal commercial secrets that were often cited as a major reason the former prime minister formed a more hawkish view on Australia's biggest trading partner.
It is a government posture which continues today and may be partially responsible for a gradual cooling of public opinion towards Beijing in Australia.
The Lowy Institute annual poll, released on Wednesday, shows trust in China to do the right thing has fallen to a record low of just 23 per cent, having more than halved over the space of two years.
At the same time, just 22 per cent of Australians trust Chinese leader Xi Jinping to do the right thing.
The publicity surrounding high-profile hacks on Parliament House in Canberra and the Australian National University, both of which were blamed on China, looks to have contributed to this erosion of public trust in Beijing.
Morrison going public with his cyber concerns elevated the issue further.
Morrison's press conference last Friday was the diplomatic equivalent of a cease and desist letter, while at the same time the government has moved to "harden" the nation's cyber defences.
In a sign of where Canberra is heading and how it is thinking, Morrison appointed the former US Secretary of Homeland Security, Kirstjen Nielsen, to the government's industry advisory panel on cyber security.
The appointment was made in November but only announced on Wednesday, adding to the sense her presence on the board is partly about sending a message to Beijing after Nielsen championed efforts to ban Chinese telco Huawei from 5G networks in the US.
Not that anyone is naive enough to believe this will change China's behaviour in the short term, a point made by the HoneyMap and its network of global sensors.
"New attack from Beijing, China to Australia," said the early warning system on Thursday morning.
