
State-based cyber actor is attacking Australian organisations, says Aussie PM


A “sophisticated state-based cyber actor” is targeting Australian organisations across a range of sectors, “including all levels of government, industry, political organisation, education, health, essential service providers and operators of other critical infrastructure”, Australian Prime Minister Scott Morrison announced in a press conference on June 19. Both government agencies and the private sector were targeted. The scale and nature of the targeting and the “tradecraft” used prove that a “state-based cyber actor” is at work, he said. While such attacks are not new, their frequency, scale, sophistication and impact have been increasing, Morrison and Defence Minister Linda Reynolds said. Thus far, investigations have not revealed any “large-scale” personal data breaches, Morrison said. News.com.au first reported this.

Morrison had also spoken to UK Prime Minister Boris Johnson about this attack on June 18. The UK and Australia are both part of the Five Eyes intelligence alliance, which also includes the USA, Canada and New Zealand. Australia will conduct further technical briefings with states and territories throughout June 19. The Australian Cyber Security Centre (ACSC), the country’s nodal agency on cyber matters, has also released a technical advisory, according to which the attackers did not “carry out any disruptive or destructive activities within victim environments”.

Who did it?

Morrison did not attribute the attack to any particular nation since “the threshold for public attribution on a technical level is extremely high”. If the attack is ever publicly attributed, it will be done in the country’s “strategic national interest”. Despite that, he made it clear that the state-based actor involved in these attacks has “very, very significant capabilities”, the kind that not many state-based actors can engage in. He refused to say if these were actions of a friendly nation. However, multiple media reports suggest that China is behind these attacks, a suggestion that Morrison neither confirmed nor denied during the press conference.

  • Very few cyberattacks launched by nation-state actors have been formally attributed to nation-states. Usually, as in this case, targeted countries do not formally attribute the attacks. US’ charges against Chinese military personnel in the Equifax case earlier this year; Georgia, US, UK and other American allies attributing an October 2019 attack on Georgia to Russia; and public attribution of the 2014 Sony hack to North Korean actors are all rare instances where governments, publicly and formally (read: on the record) hold another country responsible for cyber attacks.
  • Even in the Kudankulam Nuclear Power Plant hack, which was attributed to North Korea by a South Korea-based IssueMaker Labs (a claim picked up and independently analysed in media reports), no government agency ever formally attributed the attack to North Korea or commented on it. India’s National Cyber Security Coordinator Lt Gen. (Dr) Rajesh Pant, in an interview with MediaNama, had also said that technically attribution is “very, very difficult” and if it is publicly done, it is largely done as an act of political signalling “to send a message”.

Why China?

This is not the first time China has been suspected. In 2019, a “sophisticated state actor” had carried out a “malicious intrusion” into Australia’s main political parties and parliament. Reuters had later reported that Australian intelligence concluded China was responsible for the attack, but the report itself was never made public and none of the five people Reuters spoke to was identified. In 2015, when computers at Australia’s Bureau of Meteorology were attacked, in an intrusion that compromised sensitive systems across the government, the attack was again attributed to China, but never officially or on the record. China had, of course, denied carrying out the attack.

Nature of the attack

As per the technical advisory released by the ACSC, the attackers used proof-of-concept exploit code, web shells and other tools that were copied almost verbatim from open-source projects.

Methods used:

  • Exploiting known vulnerabilities: The attackers exploited public-facing infrastructure, primarily through a remote code execution vulnerability in an unpatched version of Telerik UI. Other vulnerabilities the attackers exploited in public-facing infrastructure include a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability. The ACSC did not identify the exact vulnerabilities in the SharePoint and Citrix cases.
  • Looking out for vulnerabilities: Attackers used public proofs-of-concept to target systems and conducted regular reconnaissance of target networks to spot vulnerabilities. They probably maintained a list of public-facing services that could be quickly targeted after future vulnerability releases.
  • Using tools not known to victim organisations
  • Spearphishing: If public-facing infrastructure could not be exploited, the attackers resorted to spearphishing, including links to credential harvesting sites, emails with malicious links and files, links asking users to give Office 365 OAuth tokens to attackers, and using email tracking services to lure click-through events.
  • Piggybacking on legitimate Australian websites as command and control servers: The attackers compromised legitimate Australian websites and used them as C&C servers via web shells and ordinary HTTP/HTTPS traffic. This rendered geo-blocking ineffective and made malicious network traffic look legitimate during investigations.

The actors gained initial access to networks through open source and custom tools and then migrated to legitimate remote access services using stolen credentials. Thus, to deal with a compromised system, every avenue of access, not just the original foothold, will have to be identified and removed.
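Because the web shells sat on otherwise legitimate sites and spoke plain HTTP/HTTPS, the C&C traffic described above cannot be caught by geo-blocking; a defender has to look at the web server’s own access logs. The following is an added example, not code from the article or the ACSC advisory, that runs a common web-shell hunting heuristic over a handful of constructed IIS W3C-style log lines (the field order is assumed): script paths that are only ever POSTed to, by at most a couple of client addresses, and never carry a Referer are flagged for review, while ordinary form handlers that visitors also GET are left alone.

```python
from collections import defaultdict

# Constructed IIS W3C-style access log lines (not real data). Assumed field order:
# date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
SAMPLE_LOG = """\
2020-06-10 09:12:01 GET /index.aspx - 203.0.113.7 Mozilla/5.0 - 200
2020-06-10 09:12:05 GET /news/article.aspx id=41 203.0.113.7 Mozilla/5.0 http://www.example.org.au/index.aspx 200
2020-06-10 09:13:10 GET /index.aspx - 198.51.100.20 Mozilla/5.0 - 200
2020-06-10 09:13:12 POST /contact.aspx - 198.51.100.20 Mozilla/5.0 http://www.example.org.au/contact.aspx 200
2020-06-10 09:14:00 GET /contact.aspx - 203.0.113.9 Mozilla/5.0 - 200
2020-06-10 23:41:17 POST /images/css.aspx - 192.0.2.55 Mozilla/5.0 - 200
2020-06-10 23:41:19 POST /images/css.aspx - 192.0.2.55 Mozilla/5.0 - 200
2020-06-10 23:41:25 POST /images/css.aspx cmd=1 192.0.2.55 Mozilla/5.0 - 200
"""

SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".php", ".jsp")

def parse_line(line):
    """Split one W3C log line into a dict; returns None for malformed or comment lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 9:
        return None
    keys = ("date", "time", "method", "path", "query", "client", "ua", "referer", "status")
    return dict(zip(keys, parts))

def find_suspected_webshells(log_text, max_clients=2):
    """Return script paths that look like web-shell endpoints.

    Heuristic: the path is only ever POSTed to, by at most `max_clients`
    distinct client addresses, and no request to it carries a Referer.
    Ordinary form handlers are also GET-fetched and usually carry a Referer.
    """
    methods = defaultdict(set)      # path -> set of HTTP methods seen
    clients = defaultdict(set)      # path -> set of client IPs seen
    has_referer = defaultdict(bool) # path -> any request carried a Referer
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].lower().endswith(SCRIPT_EXTS):
            continue
        p = rec["path"]
        methods[p].add(rec["method"])
        clients[p].add(rec["client"])
        has_referer[p] |= rec["referer"] != "-"
    return sorted(
        p for p in methods
        if methods[p] == {"POST"} and len(clients[p]) <= max_clients and not has_referer[p]
    )

if __name__ == "__main__":
    print(find_suspected_webshells(SAMPLE_LOG))  # ['/images/css.aspx']
```

Flagged paths are candidates for triage (check file creation time against deployments and inspect the file), not proof of compromise.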

Steps to take:

  • Patch internet-facing devices promptly and ensure that all web or e-mail servers are fully updated with the latest software.
  • Always use multi-factor authentication to secure internet access, infrastructure and cloud-based platforms.

Written By

Send me tips at aditi@medianama.com. Email for Signal/WhatsApp.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ