Electronic espionage against government networks is a daily occurrence, according to the Australian Cyber Security Centre’s first public report on information security threats.
Agencies of the federal, state and territory governments are all regularly targeted by hacktivists, criminals and foreign state-sponsored attackers. The ACSC’s new co-ordinator Clive Lines says the threat to all Australian organisations is “undeniable, unrelenting and continues to grow”.
“If every Australian organisation read this report and acted to improve their security posture, we would see a far more informed and secure Australian internet presence,” he said.
On a positive note, the report adds that the Australian Signals Directorate’s top four mitigation strategies are helping improve defences and lessen the fallout from attacks. Earlier this year, some Tasmanian agency heads rejected these basic risk reduction measures, arguing that the state’s auditor-general had set the bar too high in choosing ASD’s recommendations.
What the ACSC calls “confirmed significant compromises” of federal government networks have decreased since 2012, although the total number of cyber security incidents continues to rise.
One of the best ways to combat cyber attacks is through co-operation. According to experts who spoke to The Mandarin this year, public and private organisations everywhere all need to take the threat seriously, put security measures in place and share threat intelligence about breaches that are detected. The report explains that attackers do not view their targets in isolation:
“The ACSC is aware that cyber espionage adversaries target industry networks in addition to government networks to acquire desired information. Cyber adversaries will target the weakest link; if the network security of their primary target is robust, they will move to secondary targeting of other networks that may hold the same information but are easier to compromise.”
The report points out that it’s very hard to tell the difference between the various types of attackers. Political actors, one generally assumes, prefer to make their motives known, but this too can be used as cover. Foreign espionage often seems like something else:
“In some cases, their activity appears to be financially motivated cybercrime, making it difficult for the victim to identify the true adversary, assess how much damage has resulted from the activity and remediate the damage.
“Cyber espionage does not always happen in isolation, with cyber espionage efforts sometimes combined with other means of collection.
“As such, organisations need to work within their own organisations to consider how cyber defences are integrated with other security measures as part of a broader security posture.”
The Australian Signals Directorate, one of the six partner agencies that make up the ACSC and the main port of call for public sector organisations to report information security incidents, has received an escalating number of reports in recent years, from 313 reports in 2011 to 1131 last year.
The report lists some common techniques used by adversaries like spear-phishing emails, remote access tools and watering-hole attacks, and how the kind of advice ASD gives to agencies can reduce the threat. Government agencies feature in several examples:
“In 2014, the ACSC received a report from an Australian government agency that had discovered a compromise of one of its servers when performing an annual penetration test.
“An ACSC investigation confirmed the presence of Java ServerPage RAT (jRAT) on four servers. This had allowed remote administrator-level access to the servers and confidential files stored on them. The default administrator credentials had not been changed after a recent software upgrade. To remediate, the servers were removed from the network and rebuilt.”
A watering-hole attack uses a popular, trusted website to spread malware among a group of people connected to a target, and public servants nearly fell afoul of this last year, too:
“In 2014, the ACSC noted incidents involving watering-hole exploitation of websites regularly visited by Australian government employees. These incidents were mitigated successfully, as the malware was attempting to exploit a vulnerability to which the visitor was not exposed. It is important to understand however that this type of activity is no longer opportunistic; it is now an activity targeting Australian government and business.”
Systems of national interest and critical infrastructure — generally controlled by the private sector but very important to everyone’s health, wealth and safety — are under attack as well. The Computer Emergency Response Team, another ACSC partner agency, responded to 153 such incidents in 2014 that involved systems of “national interest, critical infrastructure and government” — out of a total of 11,073 reports of cyber security incidents from Australian businesses. And that’s just what the CERT knows about through voluntary reporting:
“Some sectors have not yet invested heavily in cyber security, and therefore may not understand the level of risk or potential economic harm to their business. Furthermore, some businesses may be hesitant to report incidents due to the perceived impact or harm to their reputation.”
Some information security experts say government agencies are not as forthcoming as they could be about the breaches that happen to them, for the same reasons: either they don’t know the breaches are happening or don’t know their true extent, or they don’t want to share the details of the breach outside of government for public relations reasons. Attacks are not going to stop, and even the world’s smartest, best-resourced organisations are still getting breached despite doing everything they can to prevent it. The best way to combat cyber attacks is by sharing intelligence.
“Cybercrime affects individuals, businesses and governments. Australia’s relative wealth and high use of technology – including social media, email and online banking and government services – make it an attractive target for organised criminal syndicates.
“Misreporting and under-reporting of cybercrime make it difficult to assess the prevalence and impact of offences.”