Cyber security by Sgt Ross Tilly (Crown Copyright)

Is China Behind Australian Cyber Attack?

Large-Scale Spear-Phishing Attacks on Australian Government, Industry and Universities

Australian Prime Minister Scott Morrison announced that the country is under a massive cyber attack, with key institutions such as government, hospitals, universities and industry being targeted.

Speaking publicly, Morrison said that a “sophisticated state-based actor” was responsible for the attacks. Australia has been under cyber attack for “many months,” he said, but had now seen a huge spike.

Morrison did not name any suspects, but said that there are “not a large number” of countries capable of cyber operations on this scale. Security sources have pointed the finger at China.

China and Australia have been in a diplomatic dispute since Australia ordered an inquiry into the origins of coronavirus in March. China hit back with an 80% trade tariff on Australian barley and instructed students and tourists to boycott the country.


The cyber attacks are primarily spear-phishing: using fake emails to lure users into revealing secret login details. The unsuspecting user receives an email that appears to be genuine, but embedded links lead them to websites controlled by the hackers, or prompt them to give access to Microsoft Office software.

According to the Daily Mail, the Australian spear-phishing attacks include:

  • Sending links to “credential-harvesting websites” which collect usernames and passwords;
  • Emails with links to malicious files, or with the malicious file directly attached;
  • Links prompting users to grant Office 365 authentication tokens to the attackers;
  • Use of email tracking services to identify when emails are opened and lure so-called “click-through events”.

Copy-Paste Compromises

The Australian Cyber Security Centre released a statement saying that there is a “sustained targeting of Australian governments and companies”. They revealed that the hackers are “regularly conducting reconnaissance of target networks looking for vulnerable services”. Most of the malicious code being used in the attacks is freely available online, leading the Centre to call them “copy-paste compromises”.

The hackers appear to be “maintaining a list of public-facing services to quickly target following future vulnerability releases” and specifically target software that is “not well known or maintained by victim organisations”.

China Prime Suspect

Peter Jennings, executive director of the Australian Strategic Policy Institute, said he is 95% sure the attacker is China. In an interview with The Australian, he said:

“The Russians could do it. The North Koreans could do it, but neither of them have an interest on the scale of this. They have no interest in state and territory government or universities. The only country that has got the interest to go as broad and as deep as this and the only country with the sophistication and the size of the intelligence establishment to do it, is China.”

China is both the world’s second-largest economy and a nuclear weapons state with the world’s second-largest defence budget. Chinese Information Operations and Information Warfare includes the concept of “network warfare”, which is roughly analogous to the United States concept of cyber-warfare. Foreign Policy magazine provided an estimated range for China’s “hacker army” personnel, anywhere from 50,000 to 100,000 individuals.

One often-named culprit is PLA Unit 61398 (also known as APT 1, Comment Crew, Comment Panda, GIF89a, and Byzantine Candor). PLA Unit 61398 is the Military Unit Cover Designator (MUCD) of a People’s Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks. The unit is stationed in Pudong, Shanghai.

Australian Defence Minister Linda Reynolds warned: “There is no doubt that malicious cyber activity is increasing in frequency, scale, in sophistication and in its impact.”

Australia Launches Warships

HMA Ships Canberra, Hobart, Stuart, Anzac, Ballarat and Arunta left their base in Sydney Harbour on Monday. The six warships headed into the Indo-Pacific for training operations ahead of a huge show of force in the region with the US Navy.

They will conduct “task group training” before taking part in a warfare training exercise with the US and other allies known as the Rim of the Pacific in August.

Sources: Daily Mail, The Australian