Wednesday, 19 October 2016

Australian Government agencies still closing the cyber door after hackers have had their way

Australia treats cyber attacks as extremely serious and provocative events.

Fortunately, Australia still has not been subjected to malicious cyber activity that could constitute a cyber attack as defined on the previous page.

Contrary to speculation, this is not simply a matter of failed detection; the effects of a cyber attack could not possibly have gone unnoticed.

However, the threat of a cyber attack being conducted against Australian government, infrastructure, industry or other networks has grown following a series of high-profile disruptive or destructive incidents in other countries over the last five years.

The ACSC has previously assessed that cyber attacks against Australia would most likely occur against high value targets such as critical infrastructure, government networks or military capabilities during periods of very high tension or an escalation to conflict.

Although this remains broadly accurate, the nature and targets of recent incidents overseas – combined with a growing understanding of adversaries’ capabilities and intentions – highlight the breadth of potential targets and different ways cyber capabilities can be employed by adversaries seeking to achieve damaging or destructive effects outside conflict……

Australian government networks are regularly targeted by the full breadth of cyber adversaries. While foreign states represent the greatest level of threat, cybercriminals pose a threat to government-held information and provision of services through both targeted and inadvertent compromises of government networks with ransomware.

Hacktivists will continue to use low sophistication cyber capabilities – website defacement, the hack and release of personal or embarrassing information, DDoS activities and the hijacking of social media accounts – to generate attention and support for their cause.

As such, issue motivated groups pose only a limited threat to government networks, with possible effects including availability issues and embarrassment.

However, some hacktivists intend to cause more serious disruption and may be able to exploit poor security to have a greater impact.

As the Prime Minister acknowledged during the launch of Australia’s Cyber Security Strategy on 21 April, the ACSC has worked with government organisations to Between 1 January 2015 and 30 June 2016, ASD, as part of the ACSC, responded to 1095 cyber security incidents on government systems which were considered serious enough to warrant operational responses.

As cyber security awareness has increased, and government organisations have improved their ability to respond to their own lower level cyber security incidents, the number of incidents requiring an operational response has decreased. We can expect to see this trend continue.

The security of government networks and information is not only measured by how many cyber security incidents occur – it is about the type of incidents, their scale and the impact they have on national security and economic prosperity. Australian government organisations are required to report cyber security incidents to improve the ACSC’s understanding of the threat and to assist other organisations facing these threats………

Bureau of Meteorology In 2015, ASD detected suspicious activity from two computers on the Bureau of Meteorology’s network.

On investigation, ASD identified the presence of particular Remote Access Tool (RAT) malware popular with state-sponsored cyber adversaries, amongst other malware associated with cybercrime.

The RAT had also been used to compromise other Australian government networks.

ASD identified evidence of the adversary searching for and copying an unknown quantity of documents from the Bureau’s network.

This information is likely to have been stolen by the adversary.

ASD recovered a password dumping utility used by the adversary and identified the malicious use of at least one legitimate domain administrator account.

ASD identified at least six further hosts on the Bureau’s network that the adversary attempted to access, including domain controllers and file servers.

The presence of password dumping utilities and complete access by the adversary to domain controllers suggested all passwords on the Bureau’s network were already compromised at the time of the investigation.

ASD also identified evidence suggesting the use of network scanning and time stamp modification tools, used to analyse the network architecture and assist with hiding the adversary’s tools on hosts. In this instance, the ACSC attributed the primary compromise to a foreign intelligence service, however, security controls in place were insufficient to protect the network from more common threats associated with cybercrime.

CryptoLocker ransomware found on the network represented the most significant threat to the Bureau’s data retention and continuity of operations. The implementation of security controls outlined in ASD’s Strategies to Mitigate Targeted Cyber Intrusions publication will significantly improve the security posture of the Bureau’s corporate network. The ACSC continues to work with the Bureau of Meteorology to implement a number of further, specific recommendations to mitigate future compromise.

ABC News, 12 October 2016:

The ABC has previously been told China was behind the breach, but the Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, would not be drawn on which foreign state was believed to be responsible.
"We don't narrow it down to specific countries, and we do that deliberately, but what we have indicated is that cyber espionage is alive and well and that's why we want to be transparent in this report about the incident," Mr Tehan said.
In December, the ABC was told it would cost millions of dollars to plug the security breach.
The ACSC said between January 1, 2015 and June 30, 2016, ASD responded to 1,095 cyber security incidents on government systems which were considered "serious enough to warrant operational responses".

No comments: