​APT experts back Turnbull’s secret briefing revelations

One of the world’s most active global cyber threat intelligence firms has come out in defence of the Prime Minister’s decision to reveal secret briefings about hacking global activity widely attributed to Russian state-backed actors dating back nearly a decade.

FireEye, which tracked the group since 2007 before naming it Advanced Persistent Threat 28, or APT28, and releasing a report last year reiterating its belief that it is sponsored by the Russian government, today said it proposed “a major threat to western democracy”.

Tim Wellsmore, Canberra-based threat intelligence director at FireEye’s consulting arm Mandiant, turned the arguments of Prime Malcolm Turnbull’s critics on their head and praised him for not to allow the issue to be politicised — something of which Mr Turnbull’s critics have accused him doing the opposite by revealing the secret briefings to The Australian newspaper before briefing opposition ministers about his plan.

“I’d have to completely disagree and say that it’s good that politicians are finally talking about this in public. There’s no question that having the government telling the public that they’re going to be discussing the impact of these types of operations and the risks to the Australian government are very important to know. Then they get taken seriously. It’s a good step forward for us,” Mr Wellsmore said.

However, it’s a view that may not sit well with many in the shadowy vocation of security and intelligence that have traditionally adhered to a creed that forbids any unnecessary visibility on their capabilities and functions.

The Australian Signals Directorate (ASD), which is to carry out the briefings, is known to be one of them.

The Sydney Morning Herald today published parts of a letter from shadow attorney-general Mark Dreyfus to the Prime Minister dressing him down on precisely these grounds writing:

"This is irresponsible in the extreme - Australians have every right to expect their Prime Minister would put national security ahead of their own political purposes.

"There is no reasonable purpose for the government seeking publicity on details of national security matters such as this."

Opposition Leader Bill Shorten described it as an attempt to create a distraction while Mr Turnbull argued that the bi-partisan nature of the briefings defused any concerns about political brinksmanship in the move.

Mr Wellsmore said that FireEye takes the task of monitoring APTs very seriously and that the it had closely examined the digital finger prints the attacks targeting such groups and individual as the Democratic National Congress (DNC), Hilary Clinton’s presidential campaign advisor John Podesta, the US Democratic Congressional Campaign Committee (DCCC), the World Anti-Doping Authority (WADA), NATO and the Pakistani military, and even controversial girls band Pussy Riot, and found that they all pointed back to APT28.

For instance, the coding environment for malware it exploited was all in Russian language and apparently created at times which would suggest a correlation with time-zones associated with Russian working hours.

When asked whether APT2 seemed a little obviously sloppy in covering its tracks and could point to deception by third parties, Mr Wellsmore said that the correlation between Russian policy and the operations had been too strong to ignore.

“Who would they serve? We’re quite confident in their attribution to the Russian government,” he said.

“We have about 31 groups that we classify as APTs but there are others we’re not yet confident to brand APTs as being down to a single group or entity… so we’re quite confident about the attribution of APT28”.

FireEye’s first 2014 assessment of APT28, which it attributed to Russian government actors was backed by a joint report by the US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released in late 2016.

Australia, he said, could be targeted due to its close ties to the US and may be considered a circuitous means to gather intelligence on our allies through military ties. It may also, he said, be interested in government groups involved in our innovation capacity, research and defence contracts.

However, Mr Wellsmore also warned that there may be other threats closer to home that the Australian government needed to keep in check.

“We know there are a large number of nation actors around here that aren’t Russia and China that should be considered quite a high risk for us,” he said.

Tags Tim Wellsmore​APTAPT28​FireEyeglobal cyber threat intelligenceAdvanced Persistent Threat 28

Show Comments