On Friday morning, the federal government announced Australia was the target of a sophisticated, state-based cyber attack, affecting a broad range of sectors. However, an expert says it’s likely to be routine espionage reconnaissance gone wrong.
Prime Minister Scott Morrison announced on Friday morning that a number of Australian organisations, including government departments and universities, had been the subject of a widespread, ‘sophisticated’ cyber attack.
While he didn’t say who was behind the attack, he did attribute it to an unidentified country, leading many to wildly speculate on who the culprit was.
State-based cyber attacks are the ‘digital version’ of old school spying
The ransomware hackers targeting some of Australia’s manufacturing and transport companies have a fairly clear motive — they want money and they want to exploit companies with vulnerable security systems.
State-based cyber attacks, however, aren’t looking to make a quick buck. Their primary goal is generally information and how it can be leveraged.
Dr Ralph Holz is a cyber security lecturer at the University of Sydney and the Netherlands’ University of Twente. He has told Gizmodo Australia the attack was likely a routine reconnaissance mission.
“I would be highly surprised if reconnaissance isn’t being done routinely by pretty much every country around the globe who has a modicum of capability,” Dr Holz said.
“You always would like to be informed about your opponents and sometimes even about your allies.”
Dr Holz said that like the spies of yesteryear, cyber attackers are looking for information that can give the involved state a competitive edge in global markets. It can also help leverage power in diplomatic discussions.
“The goal could be anything — for economical reasons … because you want to have a competitive advantage. It’s useful if you know what your competition is planning to do,” Dr Holz said.
“It’s just the digital version of what has always been done.”
What’s not routine is being detected. Dr Holz said if a foreign government detects your espionage attempts, it means a lot of those security vulnerabilities could soon be fixed.
The ‘sophisticated’ attacks used less-than-sophisticated methods
The Australian Cyber Security Centre (ACSC) has said the attacks were undertaken using ‘copy-paste compromises’ — publicly available exploit code proven to work against certain software. Dr Holz said these tactics were usually used by hackers without a lot of resources, which contradicts the government’s announcement.
“Normally, copy-paste attacks are used by people who don’t have a lot of sophistication,” Dr Holz said.
“At the same time, the government says it is sophisticated. I guess once again, they’re referring to the scale rather than just the attack being tried against low value targets.
“Without the government releasing more information about the reasoning — what makes them call this sophisticated and what makes them call this a really broad-scale attack — all we can do is speculate.”
We might be waiting a while for more clarification, Dr Holz admits. This is because counter-intelligence is about striking a balance between not letting the foreign actor know what you know and informing the public of safety concerns.
While details are light, it’s understood that Australian servers may have been compromised. Dr Holz said this is a pivot point. The hackers can launch attacks from these local servers, making it hard for counter-intelligence to detect where the exploitations are coming from.
By exploiting these vulnerabilities, the hackers could potentially get both one-off troves of data and ongoing access to the systems.
“So if they get access to, let’s say, a low value target, but there is no proper firewalling between the network segment of that target and one that is a higher price then they’re one step further,” Dr Holz said.
“That’s just an absolutely classic tactic that is actually universally employed in such attacks.”
Foreign governments have been known to dabble in cyber warfare
Which country was behind it is still the subject of speculation, but Dr Holz said there were a few countries known to employ these sorts of tactics.
“We do know that there are governments, like Russia and China, that have routinely engaged in this,” Dr Holz said.
“Given the diplomatic situation that we have in Australia, I’m guessing that they cannot be ruled out and I’m also guessing that the government already knows but they have good reasons not to disclose it.”
It might not be that important for the public to know after all. Once a government publicly confirms the responsible actors, a strong stance — like a public accusation — can put stress on the delicate web of diplomacy the world’s governments rely on. In 2020, when tensions are already high over the health, diplomatic and economic impacts of coronavirus, it might not be worth it.
“The moment you disclose who your attacker is means you’re going on the confrontational course. In general, as a government, you would like to avoid that. After all, what has really been lost? It doesn’t sound like such a big impact that Australia now needs to get ready for really bad tensions,” Dr Holz said.
“[Public warnings are] a kind of diplomatic way of telling the other country we know what you’re up to, without actually having to disclose too much.”
Instead, the government’s announcement was the easiest way forward: acknowledge the attack so the offending state knows its operation has been exposed, and warn the public about what they need to do.
“The government has issued a warning that Australia needs to get better security and I think they are right on that one,” Dr Holz said.
“If this leads to more [secure systems] on the Australian side, then that’s a plus and I think the government would have achieved what they wanted.”