As breach reports pile up, improving Australian cybersecurity needs better language, sharing: ACSC

Energy sector most-targeted as ACSC triaged 14,804 cybersecurity incidents in 2015-16

Australia is likely to be safe from nation-state attacks for at least the next five years, the Australian Cyber Security Centre (ACSC) has predicted in its latest annual threat report as it fetes industry collaboration that has helped it better understand the mechanisms used by hackers against Australian targets.

The ACSC's Threat Report 2016 detailed ongoing analysis of successful breaches against government targets such as the Bureau of Meteorology – which was compromised by a malware-injected remote access tool (RAT), password-dumping utility, and root administrator access that had enabled the adversary to steal “an unknown quantity of documents” from the BoM network.

In another attack against an unnamed government department – one of 1095 cyber security incidents to which the Australian Signals Directorate (ASD) responded between 1 January 2015 and 30 June 2016 – ACSC investigations found that the target network had been compromised by a foreign state using repeated spear-phishing attacks that had enabled the adversary to gain network access using Microsoft Office macros. The adversary had even instructed the victim on how to circumvent Office security controls and enable macros, accurately referencing information about the department's ICT service desk and the user's own computer.

These anecdotal reports were picked from a rising tide of cybersecurity activity, in which CERT Australia responded to 14,804 cyber security incidents during fiscal 2015-16. Companies in the energy sector (comprising 18 percent of incidents) were targeted more frequently than those in banking and financial services (17 percent), communications (11.7 percent), transport (10.3 percent) and mining and resources.

Some 418 of these involved systems of national interest and critical infrastructure – including one attack, highlighted in the report, where a joint response by CERT Australia, the Australian Federal Police and the ASD determined that a malicious actor had used a staff member's legitimate credentials to gain administrator access and steal “a significant amount of data... including sensitive information relating to the organisation's physical security and layout”. That perpetrator was ultimately arrested through a joint effort with overseas authorities.

CERT Australia also participated in 15 cybersecurity exercises, working with various end users to explore hacking scenarios and to improve overall industry response to such incidents.

The persistence, sophistication and breadth of attacks against Australian targets have reinforced the importance of both cybersecurity awareness and broader, well-informed discussions on the topic, ACSC co-ordinator Clive Lines wrote in the report.

“While an ongoing dialogue is good for Australia, the level of public discussion and understanding would benefit from more informed and considered perspectives,” Lines said in highlighting the importance of correct nomenclature in informing cybersecurity analysis.

“In order to have a mature discussion in 2016, it is particularly important that we get the language right,” he continued. “Calling every incident a 'hack' or 'attack' is not helpful for a proportionate understanding of the range of threats and only promotes sensationalism. And treating every adversary as though they are all equally sophisticated and motivated detracts from a balanced perspective of risk and vulnerability.”

Although the report discussed the threat of nation-state attacks among those facing the country, it judged such attacks unlikely to cause major disruption in the short term. While arguing that nation-state actors were being “emboldened” by a lack of repercussions after previous such attacks, the report predicted that a nation-state attack against Australian government or commercial interests was “unlikely within the next five years... in the absence of a shift in intent”.

The growing culture of information and threat sharing was helping the ACSC develop intelligence about “diverse state-based adversaries attempting cyber espionage against Australian systems to satisfy strategic, operational and commercial intelligence requirements,” the report said.

Noting that cybercrime “remains a pervasive threat to Australia's national interests and prosperity”, the report cited “high levels of misreporting and under-reporting [that] make it difficult to accurately assess the prevalence and impact of cybercrime.”

The report's authors were dismissive of the “rudimentary” cyber capabilities of terrorist groups, which the report said “currently pose a low cyber threat” because their activity is focused on distributed denial of service (DDoS) attacks, social-media hijacking, website defacement, and theft of personal information.


“It is unlikely terrorists will be able to compromise a secure network and generate a significant disruptive or destructive effect for at least the next two to three years,” the report notes, even though DDoS attacks this year caused major problems for Australia's online census. That and other attacks have eroded citizens' belief that the government can protect their data, which was identified as a significant problem in a recent report that found government agencies were among the least-trusted bodies in terms of protecting private data.

Whether instigated by nation-state attackers or not, targeted attacks were becoming increasingly problematic and sophisticated, Symantec security expert Nick Savvides noted upon the release of the ACSC report. “In the last two years, Symantec has seen very sophisticated tools and skills used against governments and businesses by non-nation-state attackers that – if not as sophisticated – come very close to those used by the most advanced governments,” he said in a statement.

“The chaos of irregular warfare has well and truly moved into cyberspace, with attacks being conducted by increasingly well-resourced and skilled attackers who know that a successful incursion can cause massive disruption to infrastructure and even military operations.... It is paramount that we continue to improve our cyber-defence and cyber-security capabilities to stay ahead of cybercriminals and cyber-terrorists.”

Nation-state attacks are only part of the cybersecurity threat facing Australian organisations, however: previous analyses have noted that the majority of government breaches, such as last year's leakage of world leaders' passport details, are due to human error.

The ACSC report is a cornucopia of real-world incidents that confirm Australian businesses and government bodies are facing a constant barrage of attacks in different forms. Targeted banking malware against “at least” 36 Australian banks; credential-harvesting campaigns; installation of malicious code using Microsoft Office macros; 15 reported DDoS extortion threats during the previous 12 months; data theft; exploits based on Microsoft PowerShell and WordPress vulnerabilities; and other problems are all documented as part of ACSC member organisations' activities in the last year – and every sign suggests that the attacks continue to grow in effectiveness.
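Both the spear-phishing case described earlier (a foreign state coaching a user into enabling Office macros) and the macro-delivered malware listed here turn on the same defensive question: does an incoming Office attachment actually carry VBA code? The following Python script is an added example for this article, not code from the ACSC, CERT Australia or CSO. It inspects file contents rather than trusting the extension: a modern Office document is a zip archive, macro code sits in a vbaProject.bin part, and that part is registered in [Content_Types].xml. The sample documents it checks are constructed in memory, and the function and verdict names are this example's own.

```python
"""Flag Office attachments that carry VBA macros before a user can enable them.

Added example for this article, not ACSC/CERT Australia/CSO code. OOXML files
(.docx/.docm/.xlsm/...) are zip archives: macro code lives in a vbaProject.bin
part, and [Content_Types].xml declares the macro-enabled content types. Legacy
binary formats (.doc/.xls) are OLE compound files that need a separate parser,
so they are only marked for deeper inspection here.
"""
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .doc/.xls/.ppt containers).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Office registers for the VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Substring present in macro-enabled main-part content types
# (e.g. application/vnd.ms-word.document.macroEnabled.main+xml).
MACRO_ENABLED_MARKER = "macroEnabled"


def inspect_office_attachment(filename: str, data: bytes) -> dict:
    """Return macro indicators and a verdict ('clean', 'inspect' or 'quarantine')."""
    result = {
        "filename": filename,
        "legacy_ole": data.startswith(OLE_MAGIC),
        "has_vba_project": False,
        "declares_macro_enabled": False,
        "extension_mismatch": False,
    }
    # Legacy OLE files and non-zip payloads cannot be inspected this way.
    if result["legacy_ole"] or not zipfile.is_zipfile(io.BytesIO(data)):
        return _with_verdict(result)

    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        names = archive.namelist()
        # Any part named vbaProject.bin is a VBA project, regardless of folder.
        result["has_vba_project"] = any(
            n.lower().endswith("vbaproject.bin") for n in names
        )
        try:
            content_types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
        result["declares_macro_enabled"] = (
            MACRO_ENABLED_MARKER in content_types or VBA_CONTENT_TYPE in content_types
        )

    # A VBA project inside a file claiming a macro-free extension is unusual
    # and worth quarantining on its own.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result["extension_mismatch"] = result["has_vba_project"] and ext in {"docx", "xlsx", "pptx"}
    return _with_verdict(result)


def _with_verdict(result: dict) -> dict:
    if result["has_vba_project"] or result["declares_macro_enabled"]:
        result["verdict"] = "quarantine"
    elif result["legacy_ole"]:
        result["verdict"] = "inspect"  # needs an OLE parser to reach a decision
    else:
        result["verdict"] = "clean"
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style document (not a real attachment)."""
    overrides = '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample(True)),
        ("invoice.docx", build_sample(False)),
        ("renamed.docx", build_sample(True)),
        ("report.doc", OLE_MAGIC + b"\x00" * 504),
    ]
    for name, payload in samples:
        r = inspect_office_attachment(name, payload)
        print(f"{name}: verdict={r['verdict']} vba={r['has_vba_project']} "
              f"mismatch={r['extension_mismatch']}")
```

The check deliberately ignores the extension when deciding, because the extension is attacker-controlled; it is only used to flag the mismatch case. Legacy OLE files get an "inspect" verdict rather than a guess, since their macro storage needs a dedicated parser.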

Sympathisers of terrorist organisation ISIL have, for example, published details of alleged Western government and military personnel as 'hit lists' for radicalised individuals, the report notes, while information drawn from social-media profiles has been used to add more detail to those lists.


Stories by David Braue
