Oz infosec spooks: ease back on the “cybers”, this is serious
For example, not-China* didn't “hack the BoM's supercomputers”
Sensationalist language is making it hard to educate businesses and the public about infosec risks, according to the Australian Cyber Security Centre's 2016 threat report.
While every ICMP ping is treated as an attack by some, the report says unequivocally: “Australia still has not been subjected to malicious cyber activity that could constitute a cyber attack”.
Also, in the short term, terrorist organisations will stick to the attacks they know best: finding ill-secured business or government websites, and defacing them.
After its formalities, glossary and housekeeping notes, the report opens with the complaint that the breadth of the term “cyber attack”, the proliferation of cybers (“cyber war”, “cyber terrorism” and “cyber weapons”) and sensationalism (leading to a “disproportionate sense of threat”) “undermines the development and application of proportionate nation state responses”.
The Bureau of Meteorology's woes in August get a mention – as an example of sensationalism: “this incident was initially described in some media reporting as being the result of a ‘foreign cyber attack’ – a description that led to a heightened sense of threat and risk, increased concerns from the public about the security of their personal information, and triggered media speculation about nation state motivations, tradecraft, and the possibility of further ‘attacks’.”
There are, however, genuine threats: the much-discussed Bureau of Meteorology compromise in 2015 is given as one such example.
The ACSC has decided to let a little light into what took place (see “sensationalist”, above).
At the time, “sources” let loose coded signals that China had compromised the BoM's supercomputers in a “massive” attack.
The reality is far less impressive: the attack – presumably by the tried-and-true vector of a phishing e-mail – led to this:
“ASD identified the presence of particular Remote Access Tool (RAT) malware popular with state-sponsored cyber adversaries, amongst other malware associated with cybercrime. The RAT had also been used to compromise other Australian government networks.
“ASD identified evidence of the adversary searching for and copying an unknown quantity of documents from the Bureau’s network. This information is likely to have been stolen by the adversary.”
Vulture South notes that while there exist RATs for the Linux operating systems common on supercomputers, they're more typically associated with Windows desktops.
As well as the two computers whose activity alerted the ASD to the RAT's presence, the attackers left footprints on “at least six further hosts” including “domain controllers and file servers”.
The report says it identified the misuse of one domain administrator's account, and that the attackers also dropped Cryptolocker on the network (and therefore probably tried to extort a ransom from the Bureau).
The Bureau has since been walked through the ASD's “don't be stupid” list, and is working with the ACSC on other strategies.
As for the “terrorists will attack soon” angle that led the political press's coverage of the report before it landed (Fairfax here, for example), that's an inversion of what the report actually says:
“It is unlikely terrorists will be able to compromise a secure network and generate a significant disruptive or destructive effect for at least the next two to three years.”
What about critical infrastructure? Surely that, at least, is a legitimate reason for us to switch from “relaxed and comfortable” to “run around in a panic”?
Yes and no, it seems: while CERT Australia reckons energy sits alongside communications as the sector with the highest number of compromised systems, it's hard to tell from the ACSC just how many blackouts, dam-release floods, or gas explosions the compromises have caused.
The report provides one unnamed target as a case study – and in that case, the attacker got the credentials of an authorised user, escalated their privilege to admin, and copied documents rather than taking out the victim's control systems.
The ACSC advises that industrial control systems should be kept away from the Internet, which is reasonable if imperfect advice (air-gaps can be crossed), but that's hardly exciting.
For now, espionage and ransoms are the threats we should be taking most seriously. ®
*Bootnote: Nobody will ever officially attribute the BoM attack to China. Including ourselves, since we don't know. ®