Cybersecurity concerns after attack on BOM
Late last year, foreign spies infiltrated the weather bureau.
The Bureau of Meteorology’s computer system was subjected to a massive cyber intrusion from what has now been officially confirmed as a foreign government.
In its second annual report published this week, the Australian Cyber Security Centre has revealed more details of the incident as part of a wider and highly disturbing assessment of the security threat to Australia’s computer systems.
It outlines a threat that is ongoing, serious and underrated in the community.
The ACSC report details how the government’s cyber intelligence agency, the Australian Signals Directorate, detected “suspicious activity” on two of the Bureau of Meteorology’s computers. With further investigation, it unearthed a remote access tool popular with hackers acting on behalf of governments.
The report confirms the hackers managed to copy and steal “an unknown quantity of documents” from the bureau’s system. The centre says the tool “had also been used to compromise other Australian government networks”. It does not say which ones.
But the ASD investigation into the incident revealed how the intrusion was carried out, and that it was extensive.
The centre says what it found “suggested all passwords on the bureau’s network were already compromised at the time of the investigation”. When the breach was first uncovered, the bureau issued a statement sidestepping the issue of compromise altogether.
“The bureau’s systems are fully operational and the bureau continues to provide reliable, ongoing access to high-quality weather, climate, water and oceans information to its stakeholders,” it said.
The centre’s report says a lot more.
“In this instance, the ACSC attributed the primary compromise to a foreign intelligence service, however, security controls in place were insufficient to protect the network from more common threats associated with cybercrime.”
The Minister Assisting the Prime Minister on Cyber Security, Dan Tehan, confirmed this week that “state actors” were involved.
Again, without naming names, the centre details a separate case study of a “major incident” involving a foreign state infiltrating an Australian government agency’s network.
The hackers had gained access using malicious versions of programs executed within Microsoft Office applications, applications commonly used in computer systems.
Despite controls being applied to prevent further intrusions, the same foreign state had kept trying, adapting its techniques using information gained from the first one, and in one case contacting a staff member online, posing as a familiar colleague, and offering advice on how to circumvent the security controls to enable Microsoft Office applications – an action that would have restored access.
The report says that, depending on the seriousness and nature of an intrusion, government agencies are capable of tracking the source quickly and “to several levels of granularity” – meaning not just what kind of source it is, but whether it’s run by a government, which one and even the individuals involved.
The weather bureau intrusion can be assumed to be serious.
In that case, Tehan says, he won’t “name names” but that there is “a fairly clear understanding of what type of states are active in this area”.
Australian analysts have said previously they have no doubt who was responsible: China.
The Chinese have denied any involvement but their denials have not persuaded Australia’s security community.
So why would hackers from China or elsewhere be interested in Australia’s weather forecasts?
The bureau runs a supercomputer linked to a range of other agencies, including the Department of Defence. For cyber spies, it is a potential gateway to some of the most important corners of the government.
The incident is an example of the kind of sideways-entry tactics the report suggests are increasingly being employed against Australian computer systems, government and private.
“Where coercion, economic damage or embarrassment is the goal, the potential targets of cyber attack may include major industries, critical infrastructure, political entities, the media, the financial sector and other sectors considered important to Australia’s economy and identity,” the report says.
The centre’s report warns that Australian organisations are vulnerable wherever they are located.
The extent of malicious cyber intrusion in computer networks described in the report is staggering.
It says that in the 12 months to June this year, the government’s Computer Emergency Response Team responded to 14,804 cybersecurity incidents affecting Australians businesses, 418 of which involved systems of national interest and critical infrastructure.
The energy sector was the most targeted, followed by banking and financial services and communications.
In one case, a company controlling critical infrastructure was successfully hacked when the hacker obtained the credentials of a legitimate staff member and a contractor and used them to access the system.
The credentials were then upgraded to administrator level to broaden access and the hacker stole data including sensitive information relating to the physical security and layout of the infrastructure. An investigation led to an arrest.
The government distinguishes between cyber espionage, cybercrime, cyberterrorism and a cyber attack.
A cyber attack is officially defined as “a deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, of the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity”.
Under that definition, Australia has not yet experienced an attack. But the centre warns that the threat is growing.
It says the capability exists abroad to launch such an attack but there isn’t evidence of intent. If that doesn’t change, it predicts an attack is unlikely in the next five years.
But it also warns both that a shift in intent “could occur relatively quickly” and that the “hype” around the quality of intelligence available to detect a problem can distract from the ground-level protections required to stop the problem occurring.
On the threat of cyberterrorism, the findings are reassuring for now but less so for the future.
The report says international terrorists’ cyber capabilities “remain rudimentary and show few signs of improving significantly in the near future”.
But that could also change in the next “two to three years”.
The recent “distributed denial of service”, or DDoS, intrusion on the Australian Bureau of Statistics on census night falls under the heading of cybercrime.
The ABS will be called to explain further when officers make their appearance at next week’s round of senate budget estimates hearings and at later separate hearings during a specific senate inquiry. But the bureau has already blamed what it says was a failure by its systems contractor, IBM.
Two days after census night, prime minister Malcolm Turnbull said: “Measures that ought to have been in place to prevent these denial-of-service attacks interfering with access to the website were not put in place. That was a failure that was compounded by some failures in hardware – technical hardware failures – and inadequate redundancy.”
That failure was described as a problem with a geoblocking function, switched on to combat the overseas-based denial-of-service attempt, and the collapse of a router.
A third issue is also understood to have emerged – that the combined problems created the impression that data was leaving the system and IBM was unable to clarify at the time whether that was the case or it was simply a data loop the other problems had created.
Given that denial-of-service incidents can precede cyber attacks, the system was shut down as a precaution. The ABS later established that no data had left the system or been compromised.
The Australian Cyber Security Centre describes denial-of-service attacks as routinely being associated with extortion involving ransom demands. There has been no mention – publicly at least – of any ransom demand in this case.
Some cybersecurity experts are offering a variation on the theories emerging so far as to why the incident occurred. The Bureau of Statistics has been encouraging Australians to move to electronic lodgement of census forms.
In a statement issued this week, it says 4.9 million forms – or 58 per cent of the total – were lodged online at this year’s census, 2.2 million more than five years ago. A further 3.5 million paper household forms had been collected.
The Saturday Paper has heard views within the cybersecurity community that having so much personal data flowing electronically to a centralised hub potentially represented both a rare challenge and a lucrative opportunity for hackers, and one that had been noted and discussed in online forums.
Some experts are speculating that this may have created a honey-pot effect, prompting multiple mass attempts to infiltrate and access the data for use or sale or simply to prove it could be done.
If that’s true, those attempts appear to have failed, thanks to a swift response.
Until further evidence is heard from the bureau and IBM, and the various investigations completed, it can’t be established whether the theory is fanciful or based in fact. But the incident highlights the vulnerability of systems great and small, the level of disruptive capability and the need for vigilance.
The government puts a $1 billion price tag on the current cost of cybercrime in Australia.
Launching twin “stay smart online” guides for businesses and individuals, Dan Tehan said: “There have been more than 74,000 cybercrimes reported since November 2014, with online scams and fraud accounting for 42 per cent.”
At the national and international level, foreign-state-sourced intrusions are of particular concern.
The cybersecurity centre laments the absence of effective repercussions, saying this will “embolden some states to continue developing and using cyber capabilities as a coercive tool”.
The potential impact has certainly been widely debated.
Security of communications systems in particular has had plenty of attention in recent times, both internationally in the case of former United States secretary of state and now Democrat presidential candidate Hillary Clinton’s use of a private email server and in Australia via these high-profile examples of cyber intrusion.
Yet reports have emerged this week of Australian ministers, and indeed the prime minister, using what experts describe as an insecure online messaging network – WhatsApp – to contact each other and hold discussions, instead of secure government email servers approved by the Australian Signals Directorate.
It seems some political leaders in Australia are still failing to practise what their agencies preach.
This article was first published in the print edition of The Saturday Paper on Oct 15, 2016 as "Cyber rattling". Subscribe here.