On June 19, 2020, Australia‘s Prime Minister, Scott Morrison, announced sophisticated state-backed attacks on the country's critical national infrastructure. After more than a week, the Australian Cyber Security Centre (ACSC) reported advances in the attack investigation.
Here’s all that happened in the attack and all that followed.
- No major breach incident was reported. However, malware delivered in embedded attachments by hackers resulted in the theft of some sensitive data.
- It was also reported that criminals failed to execute any disruptive or destructive activities within victim environments.
- On June 24, it was reported that a Russian website live-streamed footage of Australians in their houses and workplaces via hacked security cameras.
Threats and exploits used in the attack
The attacks specifically targeted government agencies, education, health, and essential service providers.
- Cybercriminals employed modified proof-of-concept exploit code to disrupt the public-facing infrastructure through the use of remote code execution flaws in Telerik UI.
- Other exploited vulnerabilities include a deserialization vulnerability in Microsoft Internet Information Services (IIS), a 2019 Citrix vulnerability, and the 2019 SharePoint vulnerability.
- Additionally, a personalized spear-phishing technique aimed at harvesting credentials was launched by the cyberattackers. Experts suggest that hackers have had access to thousands of emails for up to a month.
- Researchers spotted Korplug (from a PlugX malware family) being used in the attack. The malware has been observed in attacks by OceanLotus, a Chinese APT group, to load a Cobalt Strike payload.
- The attackers further used tools such as Juicy Potato and RottenPotatoNG to obtain privilege access inside the compromised systems.
Countermeasures and new initiatives
- Prime Minister Scott Morrison has urged health critical infrastructure, essential services, and other organizations to implement technical defenses.
- Under AustCyber funds, ACSC invested $1.22 million in Cybermerc, a threat sharing platform, to help develop Aushield Defend, a threat intelligence platform for the Australian industry, researchers, and academia.
- Morrison pledged approximately $1 billion in funding for Australia's cyber defenses over the next 10 years.
- Additionally, the country will be urgently hiring an army of 500 cyberspies to protect its infrastructure against thriving incidents of cyberattacks while focusing on raising awareness.
Initially, some security experts claimed that China, Russia, and North Korea fit the PM’s description of the attackers. Although an in-depth analysis points toward Chinese APT groups, there has been no official declaration of the same.
With newly announced fundings, the government hopes the investment would ensure the tools and capabilities Australia needs to fight back and keep its people safe from future cyber challenges.