The common modus operandi when it comes to cyber attacks is that cyber criminals typically target companies in the hope of getting in and getting out as quickly as possible so that they are not detected. Yes, cyber criminals can spend up to a year lurking on your system doing reconnaissance, but in the world of COVID – where desperation is a real thing – the likelihood is that a quick buck will be more common.
It is very uncommon for an entire country to become the target of a mass-scale campaign. That requires a cybercriminal, or a group of them, with a brazen mindset and the specific skill set needed to carry out such an undertaking effectively. Australia recently fell victim to such a campaign, and its government has since signalled stricter regulation in response.
Do not panic.
I recently read an article from The Guardian which pointed out that an attack did occur, but was targeted at businesses rather than the government.
The article pointed out that the "sophisticated state-based cyber-attack" Australian Prime Minister Scott Morrison warned about is not particularly sophisticated. Rather, it serves as a wake-up call for businesses to keep their systems patched and secure, and to remain alert.
On 19 June, Morrison announced Australian government agencies and businesses had been targeted by a sophisticated state-based cyber actor.
“This activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure,” he said. “We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used.”
The article pointed out that, according to the threat advisory released by the Australian Cyber Security Centre, the so-called "copy-paste compromises" (named for the actor's heavy reuse of publicly available proof-of-concept exploit code and tooling) are nothing new: the actor exploited known, already-patched vulnerabilities in Telerik UI, SharePoint, Microsoft Internet Information Services and Citrix products on systems that those businesses and departments had failed to patch.
The article added that where those exploits have not succeeded, the state actor has fallen back on traditional spearphishing to extract login credentials from someone inside an organisation or government department.
“[The state actor campaign] doesn’t look very sophisticated,” University of New South Wales Professor of Cybersecurity Richard Buckland told The Guardian. “It’s well-resourced in a large scale but I haven’t seen anything yet that’s super-secret or super sinister. They’re using known techniques against known vulnerabilities and following known processes.”
The article pointed out that the government's advice on how to respond is basic cyber hygiene: patch software, use two-factor authentication, and implement the ACSC's Essential Eight mitigation strategies.
Morrison said the announcement was not prompted by any significant attack or event, and that no large personal data breach had occurred, which raised questions about why the prime minister chose to make a formal announcement on a Friday morning from the Blue Room of Parliament House, particularly given that the ACSC had been warning about some of the vulnerabilities for more than a year.
“I think what happened was it reached a point when the government decided enough was enough,” RMIT Cyber Security Professor Matthew Warren told The Guardian.
“It’s very simple advice but when you have government departments and organisations not patching their systems … when you look at it on an all of Australia perspective, you just need one weak link in the Australian ecosystem and then it has a potential flow-on effect.”
Buckland told The Guardian that he was pleased the prime minister made the announcement. He compared it to the government’s messaging around Covid-19 and needing to change behaviour around hand-washing and physical distancing.
Alerting people to the ongoing cyber-attacks might help them take it more seriously, he said.
“I am pleased that he made this announcement because I hope it leads to a shift [and] will contribute to a shift in how seriously people take cybersecurity and the importance to gain cybersecurity knowledge training, and capability in their organisations.”
Firing warning shots.
Rory Medcalf, head of the Australian National University's National Security College, told The Guardian that the Australian government was firing a warning shot at China, even though China was deliberately not named. He said the government was not being overly provocative, even if China might interpret it that way.
“I think it is carefully measured; it is not as provocative as some people will claim it to be,” he said. “It’s a kind of a warning shot to say, ‘we know this is happening, we know it’s a state actor, we’re not naming who it is at this stage’. But, if this continues, we will become increasingly frank in calling it out.”
Medcalf told The Guardian there could be a future scenario in which Australia and several other countries issue a joint statement about the activity that names China as the source. The other factor behind the announcement, Medcalf said, was pressure from Labor for the government to release its four-year cybersecurity strategy.
The previous strategy expired two months ago and, in Parliament earlier in June, Labor's spokesman on cybersecurity issues, Tim Watts, accused the Home Affairs Minister, Peter Dutton, of leaving cybersecurity at the bottom of his in-tray.
“It’s been 10 months since the Morrison government began consultations on the new cybersecurity strategy,” Watts said. “Given how quickly things change in cybersecurity, a virtual millennium in hacker years has passed without action … We can’t afford to respond to a crisis only after it’s happened.”
Medcalf told The Guardian that Morrison’s announcement was “also a signal to say that that strategy is coming and here is a kind of a foretaste of what that’s going to be”.
Front line reaction.
It may seem to opposition parties that there is not much interest in addressing the issue. The reality on the front line is vastly different, however. A report by afr.com points out that companies will soon be expected to meet strict compliance obligations.
Businesses will be required to comply with minimum standards of cyber security under a federal government plan to harden the nation's defences of vulnerable computer networks against foreign adversaries and cyber criminals.
Ramp up spending.
The article pointed out that firms will also need to ramp up their spending on cyber security, potentially including contributions to the cost of the national agencies, as part of an updated cyber security strategy.
Prime Minister Scott Morrison has confirmed the strategy will also see Canberra lift its spending following revelations a "sophisticated state-based actor" had attempted to hack into Australian networks on an industrial scale.
The article added that China is being blamed for the attacks, which began about 18 months ago after Australia rejected Huawei's participation in the rollout of its 5G network.
The attacks have escalated in recent months after the Morrison government angered Beijing over its advocacy of an inquiry into the origins of the coronavirus pandemic.
The attacks have targeted all levels of government plus the private sector, most notably firms in the financial services, defence, and healthcare industries, but there has been no major data breach identified.
The updated cyber security strategy was due to be released in the run up to the postponed May federal budget but was delayed because of the pandemic.
The AFR article pointed out that industry sources said the strategy was expected to require firms to comply with a minimum level of cyber security set by the federal government, with those in the critical infrastructure field such as banks, healthcare and utilities expected to be the top priority.
The government would be responsible for setting an industry-by-industry standard to apply to all firms in that sector. The standards would be applied through a code of conduct, potentially with a regulator to ensure compliance.
The article added that the Home Affairs Department, which is preparing the strategy, believes that while there are already mature cyber security requirements in industries such as telecommunications, other sectors have minimal or highly variable requirements and differing standards of enforcement.
In particular, the department has identified gaps when services are provided across different levels of governments, or by smaller organisations, such as local councils which oversee water and sewerage services.
"Often the government encourages the private sector to set their own rules but there is no one to set standards," a source said.
The article pointed out that a discussion paper on the strategy also flagged the government could seek to recover the cost of providing services to owners of critical systems through direct charges or other alternative funding models rather than relying on tax revenue.
The head of the Australian Strategic Policy Institute's International Cyber Policy Centre Fergus Hanson said hardware and software vendors and internet service providers would likely have to shoulder the direct cost of increased cyber security requirements, but these would flow through to businesses and eventually their customers.
Model to follow.
The article pointed out that Hanson said Telstra's Cleaner Pipes project, which gathers reams of data to block malicious websites, could be a model for other ISPs to follow.
Defence Minister Linda Reynolds said the government had committed $386 million on cyber security since 2013 to strengthen defences, develop innovation and grow the workforce.
"It is very clear that state and non-state actors are increasing their 'grey zone' attacks on Australia’s cyber networks," she said.
"However, the federal government cannot do this alone. It is imperative that state and local governments, companies and institutions all take action to protect themselves."
The AFR article added that, according to Reynolds, almost 500 companies had sought advice on how to partner with the Australian Cyber Security Centre to boost their cyber protection following the 19 June announcement that a state actor had been attacking Australian institutions.
There was also a six-fold increase in traffic to cyber.gov.au, with 150,000 page views of advice on how to mitigate attacks. While Morrison did not identify the culprit behind the cyber-attacks, China's Foreign Ministry late on Friday denied involvement and said it was a "staunch guardian" of cyber security.
The article added that Beijing accused the Australian Strategic Policy Institute of slandering China by claiming it was responsible for the cyber-attacks, saying the think-tank lacked credibility because it was funded by the US government and arms dealers.
Companies will need to remain vigilant, especially with their staff working remotely. There has been an increase in COVID-19 related scams that specifically target individuals whom criminals hope are gullible.
Millions of employees in the US, the UK and four other countries may open their email today to find COVID-19 themed phishing messages laced with malware.
The article points out that, according to the ZDNet news service, a cybersecurity company called Cyfirma says the messages are part of an email blitz allegedly launched on Sunday by the North Korea-linked hacker team dubbed the Lazarus Group. Cyfirma said it found plans for the attack on a Korean-language hacker forum.
The article adds that, to seem convincing, the messages will appear to come from government agencies or trade associations offering employees or businesses financial support to get through the pandemic. The messages will ask recipients to go to websites controlled by the attackers and disclose personal information that would presumably be used for fraud. The other alleged target countries are Singapore, South Korea, Japan and India. Computer emergency response teams in all six countries have been notified.
Regardless of whether this alert is accurate, there is no doubt that hackers are using the pandemic to create COVID-19 scams. Last week Microsoft reported that pandemic-themed attacks peaked in mid-March and have been declining since, hopefully because people and anti-malware software are smart enough to recognise them. But attacks still rise in individual countries, often on the back of headline-making events, for example news of a local spike in COVID cases or deaths.
The article points out that another COVID-related scam was detailed last week by Juniper Networks, which makes equipment for running corporate networks. Email messages that appeared to come from the U.S. Department of Labor about changes to federal family and medical leave legislation went out to employees last month. For more information, recipients were told to click on the attached document. That document carries malware that hunts for login usernames and passwords for Canadian and American banks and U.S. cell phone companies on infected computers. There is a tip-off that this might be fraud: the message comes from the so-called "COVID-19 Centre", which is not a real department.
For companies, one lesson is to keep reminding employees that COVID scams are rampant. For individuals, protect your bank accounts with two-factor authentication. Check with your financial institution to see if it is offered and, if so, how to set it up.
The article adds that exploiting people's trust is a prime strategy for hackers: trust that a COVID email comes from a government department, for example, or trust that a job offer on LinkedIn really comes from the company making the offer. Security company ESET has uncovered a large espionage campaign against aerospace and defence companies that used LinkedIn. The attackers created fake LinkedIn accounts, complete with photos, pretending to be HR officials from big companies such as Collins Aerospace and General Dynamics. They then sent messages to specific people in target firms, selected from their LinkedIn profiles as likely to be interested in a job offer. Once the victim replied, the attackers sent email messages with an attached file purporting to contain corporate or job information. The file was infected, and once opened the victim's computer was compromised, allowing the attacker to read their email. From there the attacker could try to get into the victim company's systems to steal data.
While workforces around the world have spent a considerable period working remotely, it is now time to get back to reality and return to the office, even if only for a few days a week.
To do this securely, some basic steps need to be followed. A recent article on helpnetsecurity.com profiled a few of them.
Scan for vulnerabilities.
The article points out that laptops and other devices have been a huge asset in enabling employees to continue their work remotely. But while out of the office, devices that were not connecting to the corporate network through a VPN may not have received the OS, application, antivirus and Group Policy (GPO) updates they normally would. This presents a risk to organisations when those devices reconnect to corporate networks. It may not be possible to scan every device before it returns to the network, but security leaders should do so where they can, and should also prepare processes to validate devices returning to the corporate network.
Quarantine devices returning to corporate network.
The article points out that following a zero-trust model ensures security leaders account for any risks that may have arisen during remote work: only allow a device access once it has been validated as secure. Quarantining devices by default may initially introduce some user-experience and complexity challenges, but in this scenario it is an important step to minimize risk.
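The scan-and-quarantine advice above boils down to a posture check that every returning device must pass before it is allowed on the network. The following is an added example illustrating that check; it is not code from the helpnetsecurity article or from any vendor product. The inventory records are constructed, the field names (last OS patch date, antivirus definition date, last Group Policy refresh, disk encryption, installed software versions) are assumptions about what an MDM or EDR export would provide, and the thresholds are illustrative values to tune for your own environment. Any device that fails a rule is quarantined by default with the reasons recorded, rather than being allowed through with a warning.

```python
"""Zero-trust posture check for devices returning to the corporate network.

Added example (not from the original article). Inventory records below are
constructed; field names and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Illustrative policy thresholds (assumptions, tune to your environment).
MAX_OS_PATCH_AGE_DAYS = 30   # last OS patch must be within this window
MAX_AV_DEF_AGE_DAYS = 7      # antivirus signatures must be fresher than this
MAX_GPO_AGE_DAYS = 30        # last successful Group Policy refresh
# Minimum acceptable versions of software the organisation has rolled out.
MIN_VERSIONS = {"vpn_client": (5, 2, 0), "browser": (83, 0, 0)}


@dataclass
class Device:
    hostname: str
    last_os_patch: date
    av_defs_date: date
    last_gpo_refresh: date
    disk_encrypted: bool
    software: dict = field(default_factory=dict)  # name -> "x.y.z"


@dataclass
class Decision:
    hostname: str
    allow: bool
    reasons: list


def parse_version(v: str) -> tuple:
    """Turn "5.2.1" into (5, 2, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def evaluate(device: Device, today: date) -> Decision:
    """Apply every posture rule; a device is allowed only if no rule fails."""
    reasons = []
    if (today - device.last_os_patch).days > MAX_OS_PATCH_AGE_DAYS:
        reasons.append("os_patch_stale")
    if (today - device.av_defs_date).days > MAX_AV_DEF_AGE_DAYS:
        reasons.append("av_definitions_stale")
    if (today - device.last_gpo_refresh).days > MAX_GPO_AGE_DAYS:
        reasons.append("gpo_not_refreshed")
    if not device.disk_encrypted:
        reasons.append("disk_not_encrypted")
    for name, minimum in MIN_VERSIONS.items():
        installed = device.software.get(name)
        if installed is None:
            reasons.append(f"{name}_missing")
        elif parse_version(installed) < minimum:
            reasons.append(f"{name}_outdated")
    return Decision(device.hostname, allow=not reasons, reasons=reasons)


def triage(devices, today: date):
    """Split devices into allowed and quarantined lists (default deny)."""
    allowed, quarantined = [], []
    for d in devices:
        decision = evaluate(d, today)
        (allowed if decision.allow else quarantined).append(decision)
    return allowed, quarantined


# Constructed sample inventory (not real hosts).
SAMPLE_DEVICES = [
    Device("LAPTOP-0471", date(2020, 6, 10), date(2020, 6, 20), date(2020, 6, 9),
           True, {"vpn_client": "5.2.1", "browser": "83.0.4"}),
    Device("LAPTOP-0388", date(2020, 3, 14), date(2020, 4, 2), date(2020, 3, 13),
           True, {"vpn_client": "5.1.0", "browser": "83.0.4"}),
    Device("LAPTOP-0512", date(2020, 6, 12), date(2020, 6, 21), date(2020, 6, 12),
           False, {"browser": "81.0.1"}),
]


def run_sample():
    """Evaluate the constructed inventory as of 22 June 2020."""
    return triage(SAMPLE_DEVICES, date(2020, 6, 22))


if __name__ == "__main__":
    allowed, quarantined = run_sample()
    for dec in allowed:
        print(f"ALLOW      {dec.hostname}")
    for dec in quarantined:
        print(f"QUARANTINE {dec.hostname}: {', '.join(dec.reasons)}")
```

The point of recording every failed rule, rather than stopping at the first, is that the quarantine team can remediate a device in one pass (patch, refresh policy, update the VPN client) instead of bouncing it back and forth.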
Educate employees.
The article points out that, given how fast the transition to remote work happened, there was little time to educate workers on best practices. The advantage security leaders have in transitioning back to the office is that there is plenty of time to be proactive about educating employees on best practices, and about threats such as targeted phishing attacks that may try to take advantage of the transition.
Prepare for those who cannot return to the office.
The article points out that while some employees may head back to work in the coming weeks or months, that may not be possible for everyone. Some employees may have underlying health concerns that put them at higher risk, making it safer for them to stay at home, or they may have children at home who need to be cared for. For CISOs, that means preparing not only for a secure return to work but also for the possibility of needing secure long-term remote work solutions and policies.
Consider updating cybersecurity strategies.
The article points out that there is a unique opportunity during this time to reconsider cybersecurity strategies for the long term. That may include using quiet networks to baseline network activity for better understanding of anomalous activity, or rethinking security policies and procedures for remote work. In any case, leaders should take some time to step back and think about what this crisis has taught them about their organizations and any security weak points that were exposed. That information can inform strategies in the months and years to come.
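The suggestion above to use a quiet network to baseline activity is only useful if the baseline is then compared against something. The following is an added example, not code from the helpnetsecurity article, showing one way to do that: build a per-host profile (mean and standard deviation of daily bytes out, plus the set of destination ports seen) from quiet-period flow records, then score a later day's records against it. The flow records are constructed and the one-line-per-flow format (date, source host, destination IP, destination port, bytes out) is an assumption about what a firewall or NetFlow export would provide; the z-score threshold and the floor on the standard deviation are illustrative choices.

```python
"""Baseline per-host network behaviour from a quiet period and flag deviations.

Added example (not from the original article). Flow records are constructed
and the log format is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed quiet-period records: "<date> <src_host> <dst_ip> <dst_port> <bytes_out>".
BASELINE_LOG = """\
2020-06-01 ws-12 10.0.0.5 443 120000
2020-06-01 ws-12 10.0.0.9 445 30000
2020-06-02 ws-12 10.0.0.5 443 110000
2020-06-02 ws-12 10.0.0.9 445 35000
2020-06-03 ws-12 10.0.0.5 443 130000
2020-06-03 ws-12 10.0.0.9 445 25000
2020-06-01 ws-30 10.0.0.5 443 80000
2020-06-02 ws-30 10.0.0.5 443 90000
2020-06-03 ws-30 10.0.0.5 443 85000
"""

# Constructed records for the first day staff are back in the office.
CURRENT_LOG = """\
2020-06-22 ws-12 10.0.0.5 443 125000
2020-06-22 ws-12 10.0.0.9 445 30000
2020-06-22 ws-30 10.0.0.5 443 82000
2020-06-22 ws-30 203.0.113.7 22 410000
2020-06-22 ws-41 10.0.0.5 443 50000
"""

Z_THRESHOLD = 3.0          # flag a day more than 3 sigma above the host's mean
STD_FLOOR_FRACTION = 0.05  # floor on sigma so a flat baseline is not a hair trigger


def parse_flows(text):
    """Parse the assumed space-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, host, dst, port, nbytes = line.split()
        flows.append({"day": day, "host": host, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def build_baseline(flows):
    """Per host: mean/std of daily bytes out and the destination ports seen."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    ports = defaultdict(set)
    for f in flows:
        daily[f["host"]][f["day"]] += f["bytes"]
        ports[f["host"]].add(f["port"])
    baseline = {}
    for host, per_day in daily.items():
        totals = list(per_day.values())
        mu = mean(totals)
        sigma = pstdev(totals) if len(totals) > 1 else 0.0
        # Floor avoids division by zero and over-sensitivity on very stable hosts.
        baseline[host] = {"mean": mu,
                          "std": max(sigma, STD_FLOOR_FRACTION * mu, 1.0),
                          "ports": ports[host]}
    return baseline


def score_day(baseline, flows):
    """Return (host, kind, detail) alerts for one day's flows against the baseline."""
    totals = defaultdict(int)
    ports_seen = defaultdict(set)
    for f in flows:
        totals[f["host"]] += f["bytes"]
        ports_seen[f["host"]].add(f["port"])
    alerts = []
    for host in sorted(totals):
        ref = baseline.get(host)
        if ref is None:
            # A host with no quiet-period history cannot be scored; surface it.
            alerts.append((host, "host_not_in_baseline", f"{totals[host]} bytes"))
            continue
        z = (totals[host] - ref["mean"]) / ref["std"]
        if z > Z_THRESHOLD:
            alerts.append((host, "bytes_out_spike", f"z={z:.1f}"))
        new_ports = ports_seen[host] - ref["ports"]
        if new_ports:
            alerts.append((host, "new_destination_port", str(sorted(new_ports))))
    return alerts


def run_sample():
    """Baseline the constructed quiet period and score the constructed return day."""
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return baseline, score_day(baseline, parse_flows(CURRENT_LOG))


if __name__ == "__main__":
    _, alerts = run_sample()
    for host, kind, detail in alerts:
        print(f"{host:8} {kind:24} {detail}")
```

On the constructed data, ws-12 stays within its normal range and produces nothing, ws-30 is flagged twice (a large outbound volume and a never-before-seen SSH destination port), and ws-41 is reported as having no baseline at all, which is exactly the kind of device the quarantine step above should have caught.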