State-Based Cyber Actor Escalating Assault on Australia

The country's prime minister warned of rising threats from a sophisticated nation-state cyber actor that has been targeting a wide range of sectors for months. Without specifying which country is responsible, he said there are not a large number of actors that have the capability to carry out attacks in such a manner.

Australian Prime Minister Scott Morrison at a press conference earlier this year. Photo: Reuters 

A nation-state actor is intensifying its cyberattacks on Australia's public and private sectors, Prime Minister Scott Morrison announced on June 19. 

"This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers, and operators of other critical infrastructure," Morrison said. 

The prime minister said the attacks had increased “over many months” and that he was making the threat public to boost awareness. He emphasized there was no evidence of a “large-scale” breach of personal data.

Morrison did not identify the country involved, but said, "What I simply can confirm is there are not a large number of state-based actors that can engage in this type of activity, and it is clear based on the advice that we have received that this has been done by a state-based actor."

“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used,” Morrison said. “There aren’t too many state-based actors who have those capabilities.”

He added that "we have some of, if not the best, agencies in the world working on this and that means that they are putting all of their efforts in thwarting these attempts. I can confirm that they have thwarted many, but this is a very complex area and it requires constant persistence and application and that's what they're doing."

Reports in the Australian media quoted unidentified government officials as saying China is the primary suspect. The two countries are locked in a dispute over a number of issues, including trade and the spread of the coronavirus.

In an advisory issued on June 18, the Australian Cyber Security Centre said it was "responding to a sustained targeting of Australian governments and companies by a sophisticated state-based actor."

The actor is heavily using "proof-of-concept exploit code, web shells and other tools copied almost identically from open source" to exploit a flaw in Citrix technology as well as unpatched software vulnerabilities in Microsoft SharePoint software, according to the advisory.

The actor has regularly conducted reconnaissance of target networks looking for vulnerable services, attempted to exploit public-facing infrastructure, and utilized various spearphishing techniques, the centre said, adding, "It is imperative that Australian organizations are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility."