The Australian Cyber Security Centre’s second annual threat report begins with a plea for everyone to keep their language around the topic measured, and it follows with good examples of what is and isn’t a serious cyber attack.
Foreign spies cracking the Bureau of Meteorology, installing a remote access tool, using it to access other government networks and probably exfiltrating a bunch of data is at the more serious end of “incidents” that have been announced publicly.
What happened to the online Census form before Australian Bureau of Statistics chief David Kalisch decided to take it offline was not; it was just typical mischief. But on the morning after it happened, the media and public heard a barrage of conflicting descriptions based on loosely worded statements from the ABS boss, front bench ministers including the Prime Minister, and his Cyber Security Adviser Alistair MacGibbon.
The ABS and other representatives of the government used the common term used for what happened — a distributed denial of service attack — but soon after, Assistant Treasurer Michael McCormack came out with the very unequivocal statement: “This was not an attack, nor was it a hack.” McCormack preferred to call it an “attempt to frustrate” the Census by unknown actors, in line with the government policy in place since 2011.
Nobody representing the government or one of its agencies should have referred to DDoS “attacks” under that policy, although several did, confusing the situation.
When a cyber security incident isn’t a ‘hack’
In his opening comment in the new threat report, ACSC co-ordinator Clive Lines says high-profile incidents contribute to the slowly growing awareness in the community about information security, and that’s a good thing. But in his view, “the level of public discussion and understanding would benefit from more informed and considered perspectives” about cybersecurity:
“In order to have a mature discussion in 2016, it is particularly important that we get the language right – calling every incident a ‘hack’ or ‘attack’ is not helpful for a proportionate understanding of the range of threats and only promotes sensationalism. And treating every adversary as though they are all equally sophisticated and motivated detracts from a balanced perspective of risk and vulnerability.”
In aid of this, the report provides the ACSC’s definitions and views on the relative risks in Australia from cyber attack, cyber espionage, cybercrime and cyber terrorism (currently a very low threat from groups with weak capabilities aimed at spreading propaganda and basic mischief that are unlikely to advance in the next few years).
It explains the federal government adopted its own carefully crafted definition of “cyber attack” in 2011, which requires an element of “seriously compromising national security, stability or economic prosperity” because of the “tremendous significance” of a government saying it has been attacked:
“As such, the Australian Government’s definition of cyber attack can be at odds with what the information security community, the public and the media envisage cyber attacks to be.”
Pollies and public servants caused confusion
While the ACSC report has a lot to say on the consequences of “some media reporting” suggesting the Census incident was a foreign attack, its authors tactfully omit the fact that these reports were a direct result of loose language from politicians and public servants. The cross-agency taskforce says the media panic led to:
“… a heightened sense of threat and risk, increased concerns from the public about the security of their personal information, and triggered media speculation about nation state motivations, tradecraft, and the possibility of further ‘attacks’.”
Australia is yet to experience a cyber attack that meets the high bar set by the federal definition, and if one did happen it would be plainly obvious. The ACSC thinks the threat is growing but reports that, “in the absence of a shift in intent – which could occur relatively quickly”, our first official attack is unlikely in the next five years.
Administrators of government networks need to be vigilant, as they are “regularly targeted by the full breadth of cyber adversaries” with “the greatest level of threat” coming from foreign states. ACSC responded to 1095 cybersecurity incidents affecting government networks “serious enough to warrant operational responses” in the 18 months from January 2015, but this is decreasing as government agencies improve their own in-house response capabilities. The report warns:
“Hacktivists will continue to use low-sophistication cyber capabilities – website defacement, the hack and release of personal or embarrassing information, DDoS activities and the hijacking of social media accounts – to generate attention and support for their cause.
“As such, issue-motivated groups pose only a limited threat to government networks, with possible effects including availability issues and embarrassment. However, some hacktivists intend to cause more serious disruption and may be able to exploit poor security to have a greater impact.”
As for the Bureau of Meteorology incident — to use the government’s preferred term — the ACSC report provides an interesting description of how far the adversaries got. The Australian Signals Directorate found they had searched out and copied “an unknown quantity of documents from the Bureau’s network” and probably stole the information. The foreign intelligence service stole high-level passwords and had well and truly done their job before they were noticed:
“The presence of password dumping utilities and complete access by the adversary to domain controllers suggested all passwords on the Bureau’s network were already compromised at the time of the investigation.
“ASD also identified evidence suggesting the use of network scanning and time stamp modification tools, used to analyse the network architecture and assist with hiding the adversary’s tools on hosts.”
But never mind the spies: the BoM’s security controls were not up to the task of stopping “common threats” from criminals, and the Bureau was at serious risk from the CryptoLocker ransomware found on its network.
Unnamed agency in decades-old Office-suite macros vulnerability
In another case study, stripped of much detail, a government agency was targeted by a foreign country whose spooks “gained initial access to the network using malicious Microsoft Office macros – small programs executed by Microsoft Office applications to automate routine tasks” and have repeatedly tried again.
The adversary is steadily adjusting their approach, says ACSC, using information from the earlier intrusion to target certain users and vulnerabilities. According to the report, the adversary’s actions confirmed it was almost certainly from a foreign state that is keen to poke its nose into the particular department:
“For example, the adversary sent a spear phishing email to a staff member from the account of a legitimate user from another foreign organisation with which the staff member had prior communication. The adversary provided advice to the staff member on how to circumvent security controls to enable Microsoft Office macros.
“The adversary referred accurately to the department’s ICT service desk by acronym and had hardcoded the user’s username, the domain and the IP address of their computer in the malicious Microsoft Office document.”
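The case study above describes two things a defender can check for on an inbound document: that it carries a macro at all, and that it has been tailored to the recipient (the user’s username, domain and IP address hard-coded inside). The following is an added triage example written for this article, not code from the ACSC report or any agency; it builds a constructed macro-enabled OOXML document in memory (using plain text in place of a real compressed `vbaProject.bin` stream, which is an assumption for the demo) and then inspects it the way a mail gateway or incident responder might.

```python
import io
import re
import zipfile

# Lure wording commonly placed in the document body to coax the user into
# enabling macros; the report describes the same advice arriving by email.
LURE_PATTERN = re.compile(rb"enable\s+(content|macros|editing)", re.IGNORECASE)


def build_sample_document(username: str, domain: str, ip: str, with_macro: bool = True) -> bytes:
    """Constructed sample for the demo: a minimal Office Open XML package.

    Real VBA streams are MS-OVBA compressed; plain text stands in here so the
    example runs offline without a decompressor. Not a real malicious file.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        overrides = ""
        if with_macro:
            overrides = ('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
        z.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        z.writestr("word/document.xml",
                   "<w:document>Please click Enable Content to view this document.</w:document>")
        if with_macro:
            vba = (f'Sub AutoOpen()\n  user = "{domain}\\{username}"\n'
                   f'  host = "{ip}"\nEnd Sub\n')
            z.writestr("word/vbaProject.bin", vba.encode())
    return buf.getvalue()


def inspect_office_document(data: bytes, identifiers) -> dict:
    """Flag macro parts and recipient-specific identifiers in an OOXML document.

    identifiers: strings tied to the recipient (username, domain, IP). They are
    searched as ASCII and UTF-16LE across every package part. Because genuine
    VBA source is compressed, a miss does not prove absence; macro presence is
    the primary signal and identifier hits are corroboration.
    """
    report = {"is_ooxml": False, "has_macro": False, "macro_parts": [],
              "content_type_declares_vba": False, "matched_identifiers": [],
              "lure_in_body": False}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # legacy OLE2 .doc or not an Office file: route to another parser
    report["is_ooxml"] = True
    blobs = {name: z.read(name) for name in z.namelist()}

    report["macro_parts"] = [n for n in blobs if n.lower().endswith("vbaproject.bin")]
    report["has_macro"] = bool(report["macro_parts"])
    report["content_type_declares_vba"] = (
        b"vnd.ms-office.vbaProject" in blobs.get("[Content_Types].xml", b""))

    found = set()
    for ident in identifiers:
        needles = (ident.encode("ascii", "ignore"), ident.encode("utf-16-le"))
        if any(n and n in blob for blob in blobs.values() for n in needles):
            found.add(ident)
    report["matched_identifiers"] = sorted(found)

    body = blobs.get("word/document.xml", b"")
    report["lure_in_body"] = LURE_PATTERN.search(body) is not None
    return report


def classify(report: dict) -> str:
    """Reduce the report to a verdict a triage queue can sort on."""
    if not report["is_ooxml"]:
        return "not_ooxml"
    if not report["has_macro"]:
        return "no_macro"
    if report["matched_identifiers"]:
        return "macro_with_targeted_identifiers"
    return "macro"


if __name__ == "__main__":
    # Constructed recipient details; a gateway would take these from the mail envelope.
    sample = build_sample_document("jsmith", "AGENCY", "10.0.0.25")
    result = inspect_office_document(sample, ["jsmith", "AGENCY", "10.0.0.25"])
    print(classify(result), result)
```

In practice the identifiers come from the message envelope (the recipient’s account and the sending domain), and a document that is both macro-enabled and contains the recipient’s own username or internal IP is worth holding for analyst review regardless of what the sender claims. Macro-enabled documents with no identifier hits are still the higher-value signal, since the VBA stream is normally compressed and would need a full MS-OVBA decoder to search reliably.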
In his foreword, Clive Lines also adds a note of caution about the proliferation of “threat intelligence” products being spruiked by cybersecurity companies:
“The current hype associated with the proliferation of ‘threat intelligence’ can be a distraction from what really matters: the motivation to allocate effort and resources to improving your cyber security posture by implementing technical controls. If you are relying on threat intelligence to respond to threats already discovered, it is too late for you and your organisation.”
He urges all organisations including government agencies to refer to the ASD’s Strategies to Mitigate Targeted Cyber Intrusions and says a significantly revised update will be released later this year.