CIO

As breach reports pile up, improving Australian cybersecurity needs better language, sharing: ACSC

Energy sector most-targeted as ACSC triaged 14,804 cybersecurity incidents in 2015-16

Australia is unlikely to suffer a disruptive nation-state cyber attack within the next five years, the Australian Cyber Security Centre (ACSC) has predicted in its latest annual threat report, which also credits industry collaboration with helping it better understand the mechanisms used by adversaries against Australian targets.

The ACSC's Threat Report 2016 detailed ongoing analysis of successful breaches against government targets such as the Bureau of Meteorology, which was compromised using a remote access tool (RAT) and a password-dumping utility; the administrator access the adversary obtained enabled it to steal “an unknown quantity of documents” from the BoM network.

In another attack against an unnamed government department, one of 1095 cyber security incidents to which the Australian Signals Directorate (ASD) responded between 1 January 2015 and 30 June 2016, ACSC investigations found that the target network had been compromised by a foreign state through repeated spear-phishing emails that delivered Microsoft Office documents carrying malicious macros. The adversary had even instructed the victim on how to circumvent Office security controls and enable macros, accurately referencing information about the department's ICT service desk and the user's own computer.
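The macro-laden attachment described above is the kind of thing a mail gateway or incident responder wants to catch before a user is talked into clicking “Enable Content”. The following Python script is an added example for this article, not code from the ACSC report or from any organisation it mentions. It relies on two facts about the Office Open XML format: a .docx/.docm/.xlsm/.pptm file is a zip archive, and a VBA project is stored as a `vbaProject.bin` part that is also registered in `[Content_Types].xml`. The function and sample names (`office_macro_report`, `verdict`, `build_sample_docx`) and the in-memory sample documents are constructed for the example; they are not real Word files.

```python
"""Triage Office Open XML attachments for embedded VBA macros.

Added example for this article, not code from the ACSC report.  Only the
standard library is used: an OOXML package is a zip archive, and a VBA
project lives in a ``vbaProject.bin`` part that is also registered in
``[Content_Types].xml``.  The sample documents are constructed in memory.
"""
import io
import zipfile

# Where Word, Excel and PowerPoint place the VBA project inside the package.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy binary (OLE2 / Compound File) format used by .doc/.xls/.ppt.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def office_macro_report(data: bytes) -> dict:
    """Inspect raw file bytes and describe what was found.

    Returns a dict with keys: format ("ooxml", "ole2" or "unknown"),
    has_vba (bool) and vba_parts (list of package parts holding VBA).
    """
    report = {"format": "unknown", "has_vba": False, "vba_parts": []}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros sit in OLE streams, not zip parts, so
        # this checker cannot give a clean bill of health.  Hand the file to a
        # dedicated parser (e.g. oletools/olevba) rather than assuming "no macro".
        report["format"] = "ole2"
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return report  # a zip, but not an OOXML package
        report["format"] = "ooxml"
        # Match on the part name, not the file extension: a .docx extension
        # says nothing about whether a vbaProject.bin is inside the package.
        report["vba_parts"] = sorted(
            n for n in names if n in VBA_PARTS or n.lower().endswith("/vbaproject.bin")
        )
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        report["has_vba"] = bool(report["vba_parts"]) or VBA_CONTENT_TYPE in content_types
    return report


def verdict(data: bytes) -> str:
    """Gateway policy: block macro documents, quarantine legacy ones for deeper scanning."""
    r = office_macro_report(data)
    if r["format"] == "ooxml":
        return "block" if r["has_vba"] else "allow"
    if r["format"] == "ole2":
        return "quarantine-for-deep-scan"
    return "not-office"


def build_sample_docx(with_vba: bool) -> bytes:
    """Constructed minimal package for demonstration; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Default Extension="xml" ContentType="application/xml"/>',
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_vba:
            types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE)
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Stand-in bytes for a VBA project; a real one is an OLE2 container.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [
        ("macro.docm", build_sample_docx(True)),
        ("clean.docx", build_sample_docx(False)),
        ("legacy.doc", OLE2_MAGIC + b"\x00" * 504),
        ("note.txt", b"plain text, not an Office file"),
    ]:
        print(f"{label:12} -> {verdict(blob):24} {office_macro_report(blob)}")
```

Two caveats a practitioner should keep in mind. The legacy binary formats (.doc/.xls/.ppt) store macros in OLE streams rather than zip parts, so the script only flags them for deeper inspection rather than declaring them clean. And Excel 4.0 (XLM) macro sheets are stored as ordinary sheet XML, not in `vbaProject.bin`, so a spreadsheet can run macro code without ever tripping this check; extension-based blocking has the same blind spot, which is why content inspection and Office's own macro policy settings belong together.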

These anecdotal reports were picked from a rising tide of cybersecurity activity, in which CERT Australia responded to 14,804 cyber security incidents during fiscal 2015-16. Companies in the energy sector (comprising 18 percent of incidents) were targeted more frequently than those in banking and financial services (17 percent), communications (11.7 percent), transport (10.3 percent) and mining and resources.

Some 418 of these involved systems of national interest and critical infrastructure – including one attack, highlighted in the report, where a joint response by CERT Australia, the Australian Federal Police and the ASD determined that a malicious actor had used a staff member's legitimate credentials to gain administrator access and steal “a significant amount of data... including sensitive information relating to the organisation's physical security and layout”. That perpetrator was ultimately arrested through a joint effort with overseas authorities.

CERT Australia also participated in 15 cybersecurity exercises, working with various end users to explore hacking scenarios and to improve overall industry response to such incidents.

The persistence, sophistication and breadth of attacks against Australian targets have reinforced the importance of both cybersecurity awareness and broader, well-informed discussions on the topic, ACSC co-ordinator Clive Lines wrote in the report.

“While an ongoing dialogue is good for Australia, the level of public discussion and understanding would benefit from more informed and considered perspectives,” Lines said in highlighting the importance of correct nomenclature in informing cybersecurity analysis.

“In order to have a mature discussion in 2016, it is particularly important that we get the language right,” he continued. “Calling every incident a 'hack' or 'attack' is not helpful for a proportionate understanding of the range of threats and only promotes sensationalism. And treating every adversary as though they are all equally sophisticated and motivated detracts from a balanced perspective of risk and vulnerability.”

The report did discuss the threat of nation-state attacks among those facing the country, but judged such attacks unlikely to cause major disruption in the short term. While it argued that nation-state actors were being “emboldened” by a lack of repercussions for previous attacks, it predicted that a disruptive nation-state attack against Australian government or commercial interests was “unlikely within the next five years.... in the absence of a shift in intent”.

The growing culture of information and threat sharing was helping the ACSC develop intelligence about “diverse state-based adversaries attempting cyber espionage against Australian systems to satisfy strategic, operational and commercial intelligence requirements,” the report said.

Noting that cybercrime “remains a pervasive threat to Australia's national interests and prosperity”, the report cited “high levels of misreporting and under-reporting [that] make it difficult to accurately assess the prevalence and impact of cybercrime.”

The report's authors were dismissive of the “rudimentary” cyber capabilities of terrorist groups, which they said “currently pose a low cyber threat” because their activity is limited to distributed denial of service (DDoS) attacks, social-media hijacking, website defacement and theft of personal information.

“It is unlikely terrorists will be able to compromise a secure network and generate a significant disruptive or destructive effect for at least the next two to three years,” the report notes, even though DDoS attacks this year caused major problems for Australia's online census. That and other incidents have eroded citizens' confidence that the government can protect their data, which a recent report identified as a significant problem, finding government agencies to be among the least-trusted bodies when it comes to protecting private data.

Whether instigated by nation-state attackers or not, targeted attacks were becoming increasingly problematic and sophisticated, Symantec security expert Nick Savvides noted upon the release of the ACSC report. “In the last two years, Symantec has seen very sophisticated tools and skills used against governments and businesses by non-nation-state attackers that – if not as sophisticated – come very close to those used by the most advanced governments,” he said in a statement.

“The chaos of irregular warfare has well and truly moved into cyberspace, with attacks being conducted by increasingly well-resourced and skilled attackers who know that a successful incursion can cause massive disruption to infrastructure and even military operations.... It is paramount that we continue to improve our cyber-defence and cyber-security capabilities to stay ahead of cybercriminals and cyber-terrorists.”

Nation-state attacks are only part of the cybersecurity threat facing Australian organisations, however: previous analyses have noted that the majority of government breaches, such as last year's leakage of world leaders' passport details, are due to human error.

The ACSC report is a cornucopia of real-world incidents that confirm Australian businesses and government bodies are facing a constant barrage of attacks in different forms. Targeted banking malware aimed at “at least” 36 Australian banks; credential-harvesting campaigns; installation of malicious code using Microsoft Office macros; 15 reported DDoS extortion threats during the previous 12 months; data theft; malicious use of Microsoft PowerShell and exploitation of WordPress vulnerabilities; and other problems are all documented as part of ACSC member organisations' activities in the last year, and every sign suggests that the attacks continue to grow in effectiveness.

Sympathisers of the terrorist organisation ISIL have, for example, published the personal details of alleged Western government and military personnel as 'hit lists' for radicalised individuals, the report notes, using social-media profiles to add more-detailed information to those lists.