Hackers go after Australian ICT, managed services providers

The Australian Cyber Security Centre (ACSC), which integrates the national security cyber capabilities and serves as a hub for collaboration and information sharing with the private sector and critical infrastructure providers, state and territory governments, academia and international partners, has released its annual Threat Report, which encompasses the period between 1 July 2016 and 30 June 2017.

Private sector incident responses by sector

Among the current cyber attack trends and cybersecurity challenges Australians and Australian organizations face are ransomware (targeting a wide range of victims), credential-harvesting malware (specially crafted to target Australian users), attacks aimed at compromising Australian routers, and increased targeting of Android smartphones and of trusted third parties (e.g. ICT service providers).

Specific incidents

The ACSC is the focal point for the cyber security efforts of the Australian Signals Directorate (ASD), Computer Emergency Response Team (CERT) Australia, the Defence Intelligence Organisation (DIO), the Australian Criminal Intelligence Commission (ACIC), the Australian Federal Police (AFP), and the Australian Security Intelligence Organisation (ASIO).

Many details of the cyber attacks these agencies and organizations responded to during the stated period can’t be shared publicly, but the report notes a number of attacks that stood out:

The network of the Australian arm of a multinational construction services company was compromised through their relationship with their managed service provider (MSP). “An account associated with the MSP was used by the malicious adversary to install malware on the victim network. The account was created by the victim organisation, specifically for the service provider to log on and access the victim’s network – this setup is typical of many MSP-customer relationships.”
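A dedicated third-party logon account of the kind described above is easy to monitor precisely because its legitimate use is narrow: a known source range, an agreed maintenance window, and logons only. The following is an added example, not code from the ACSC report; the account name, the address ranges, the log format and the log lines are all constructed for illustration. It parses a simple logon log and flags any use of the MSP account that falls outside the agreed policy, including privileged actions the account was never meant to perform.

```python
"""Flag anomalous use of a dedicated third-party (MSP) logon account.

Added example, not from the ACSC report: the account name, policy
values, log format and log lines are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime

# Hypothetical policy for the account the customer created for its MSP:
# logons are only expected from the MSP's published address range and
# only during the agreed maintenance window (UTC hours).
MSP_ACCOUNT_POLICY = {
    "svc-msp-remote": {
        "allowed_networks": [ipaddress.ip_network("203.0.113.0/24")],  # constructed
        "allowed_hours": range(22, 24),  # 22:00-23:59 UTC maintenance window
    }
}

# Constructed log format: "<ISO timestamp> <event> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

SAMPLE_LOG = """\
2017-03-02T22:15:04Z LOGON user=svc-msp-remote src=203.0.113.17
2017-03-02T22:31:40Z LOGON user=svc-msp-remote src=203.0.113.17
2017-03-03T03:12:09Z LOGON user=svc-msp-remote src=198.51.100.9
2017-03-03T03:13:22Z SERVICE_INSTALL user=svc-msp-remote src=198.51.100.9
2017-03-03T09:00:00Z LOGON user=alice src=10.0.4.12
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def check_event(rec, policy=MSP_ACCOUNT_POLICY):
    """Return a list of policy violations for one event (empty if none)."""
    rules = policy.get(rec["user"])
    if rules is None:
        return []  # not a monitored third-party account
    findings = []
    if not any(rec["src"] in net for net in rules["allowed_networks"]):
        findings.append("source outside MSP range")
    if rec["ts"].hour not in rules["allowed_hours"]:
        findings.append("outside maintenance window")
    if rec["event"] != "LOGON":
        # The account exists so the MSP can log on; privileged actions
        # such as installing services are out of scope and worth review.
        findings.append(f"out-of-scope action {rec['event']}")
    return findings


def audit(log_text, policy=MSP_ACCOUNT_POLICY):
    """Return (timestamp, user, findings) for every event that violates policy."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = check_event(rec, policy)
        if findings:
            alerts.append((rec["ts"].isoformat(), rec["user"], findings))
    return alerts


if __name__ == "__main__":
    for ts, user, findings in audit(SAMPLE_LOG):
        print(ts, user, "; ".join(findings))
```

On the constructed log the two maintenance-window logons pass silently, while the out-of-hours logon from an unexpected address and the service installation that follows it are both reported. The same policy table scales to any number of third-party accounts, and the real signal is that such an account should look boring: anything else is what the report's MSP case looked like.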

A company was defrauded out of US$500,000 in a Business Email Compromise attack. “The adversary sent a spoofed email, purporting to be from the CEO (who was travelling at the time), requesting a large payment from the financial controller. A second email, purporting to be from the COO, was then sent to the financial controller. This email contained a false email trail approving the CEO’s request for payment.”

Detected cashout of cybercrime. “In one particular investigation, the AFP identified a UK national who had opened bank accounts with multiple Australia-based financial institutions shortly after arriving in Australia. After returning to the UK, this individual received A$711,000 into one of those accounts as a result of funds diverted from an Australian company that had been compromised by malware. The matter was referred to the City of London Police and the offender arrested. He was found guilty and sentenced to two years and eight months in prison.”

Compromise of an Australian company with national security links. “In November 2016, the ACSC became aware that a malicious cyber adversary had successfully compromised the network of a small Australian company with contracting links to national security projects. ACSC analysis confirmed that the adversary had sustained access to the network for an extended period of time and had stolen a significant amount of data. The adversary remained active on the network at the time. Analysis showed that the adversary gained access to the victim network by exploiting an internet-facing server, then using administrative credentials to move laterally within the network, where they were able to install multiple webshells – a script that can be uploaded to a webserver to enable remote administration of the machine – throughout the network to gain and maintain further access.”
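Webshells of the kind described in that incident leave a characteristic footprint in ordinary web server access logs, which makes them huntable without any indicator specific to the attacker. The following is an added example, not code from the ACSC report; the log lines, the deployment inventory and the thresholds are constructed. It parses combined-format access log entries and flags script endpoints on two grounds: the file is not in the known deployment inventory, or the endpoint is driven almost entirely by POST requests carrying no Referer from a very small number of clients, which is how an interactive shell is operated.

```python
"""Heuristic webshell hunting over web server access logs.

Added example, not from the ACSC report: the log lines, the deployment
inventory and the thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict

# Combined log format; the regex captures only the fields used here.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")

# Constructed inventory of script files that are supposed to be deployed.
DEPLOYED_SCRIPTS = {"/index.php", "/login.php", "/api/upload.php"}

SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2016:09:01:02 +1000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Nov/2016:09:02:10 +1000] "POST /login.php HTTP/1.1" 302 0 "http://intranet.example/index.php" "Mozilla/5.0"
10.0.0.7 - - [12/Nov/2016:09:03:11 +1000] "POST /login.php HTTP/1.1" 302 0 "http://intranet.example/index.php" "Mozilla/5.0"
198.51.100.23 - - [12/Nov/2016:23:40:01 +1000] "POST /images/cache.php HTTP/1.1" 200 812 "-" "python-requests/2.12"
198.51.100.23 - - [12/Nov/2016:23:40:09 +1000] "POST /images/cache.php HTTP/1.1" 200 2048 "-" "python-requests/2.12"
198.51.100.23 - - [12/Nov/2016:23:41:30 +1000] "POST /images/cache.php HTTP/1.1" 200 301 "-" "python-requests/2.12"
"""


def parse(log_text):
    """Yield one dict per well-formed access log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_suspects(log_text, deployed=DEPLOYED_SCRIPTS, max_clients=2, post_ratio=0.9):
    """Return {path: [reasons]} for script endpoints that look like webshells."""
    stats = defaultdict(lambda: {"total": 0, "post": 0, "noref": 0, "clients": set()})
    for rec in parse(log_text):
        path = rec["path"].split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_EXT):
            continue  # only server-side script files can host a shell
        s = stats[path]
        s["total"] += 1
        s["post"] += int(rec["method"] == "POST")
        s["noref"] += int(rec["referer"] in ("", "-"))
        s["clients"].add(rec["src"])

    suspects = {}
    for path, s in stats.items():
        reasons = []
        if path not in deployed:
            reasons.append("script not in deployment inventory")
        # An interactive shell is driven by one or two operators POSTing
        # commands directly, never via a link from a page on the site.
        if (s["post"] / s["total"] >= post_ratio
                and s["noref"] == s["total"]
                and len(s["clients"]) <= max_clients):
            reasons.append("POST-only, no Referer, few clients")
        if reasons:
            suspects[path] = reasons
    return suspects


if __name__ == "__main__":
    for path, reasons in find_suspects(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

On the constructed log, `/login.php` receives POSTs too, but they carry a Referer from the site's own pages, so it is not flagged; `/images/cache.php` trips both checks. The inventory check is the stronger of the two and only needs a file manifest from the deployment pipeline; the traffic heuristic is what catches a shell dropped over a legitimately deployed file, and its thresholds should be tuned against a site's normal API traffic.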

More interesting revelations

The report says that cyber espionage and cybercrime remain the primary threats to the Australian private sector, and that the vast majority of reported cyber incidents affecting the Australian private sector were criminally motivated (typically for financial gain).

“Malicious emails continued to be a common vector for compromising private sector networks. Targeted socially-engineered spearphishing emails, sometimes combined with phone calls, were regularly used to gain access to corporate networks. Malicious cyber adversaries make use of publicly available industry information such as annual reports, shareholder updates and media releases to craft their malicious cyber activities, and have used sophisticated exploits and implants to evade detection.”

Of the private sector cyber incidents the ACSC responded to, 58% were reported by the affected organizations and the remaining 42% were detected by the ACSC itself.

Notably, the WannaCry attack in May 2017 ended up affecting 14 small businesses in Australia, but the impact was limited.

The ACSC says, for now, cyber attackers rarely target Australian financial institutions. “Criminal activity is generally opportunity-based and the relative cyber security maturity of Australian financial institutions means there are more attractive and vulnerable targets in developing countries,” the agency noted.

More specific information can be found in the report, which also includes links to other helpful cybersecurity resources, and presents a good overview of the initiatives and programs started by the ACSC to help Australian organizations and individuals protect themselves against cyber threats.