This bulletin has been compiled in response to advice from the Australian Government today regarding the increased risk of state sponsored cyber-attack against Australian organisations and institutions.
In light of current geo-political tensions and a lack of progress in raising Australia’s cyber security baseline; the Government has sought to raise our collective national response through media activity and the publishing of advisories.
The Australian Cyber Security Centre (ACSC) has released an advisory following an investigation into the ‘sustained targeting of Australian governments and companies by a sophisticated state-based actor.’ The ‘actor’ has been named by media outlets as being China, however this is not confirmed information.
According to the ACSC, the Actor is utilising tactics, tools and procedures to compromise networks across Australia. This includes:
- Using remote code execution vulnerabilities in unpatched versions of Teletrik UI, as well as CVE’s (vulnerabilities) in Microsoft Internet Information Services, Sharepoint and Citrix.
- Targeting of rarely used/orphaned services that are not well maintained by network operators.
They have also been utilising spearphishing techniques to steal credentials and/or deploy services and tools including:
- links to credential harvesting websites,
- emails with links to malicious files or with malicious attachments,
- links prompting users to grant Office 365 OAuth tokens to the actor,
- use of email tracking services to identify email opening and lure click through events1.
Considerations to minimise your exposure to cyber-attack
The following actions should be undertaken as a high priority to minimise your exposure to cyber-attack from the current threat:
- Ensure that key personnel are briefed on the threat and areas of existing vulnerability. This should include members of your Executive Team and crisis management / business continuity personnel.
- Review your existing Cyber-Response Plan to ensure that it is up-to-date and all alerts and actions are in place.
- Consider rehearsing your cyber response plans I.e. 90-minute scenario based exercise involving IT Security, business and management teams.
- Conduct refresher training with employees to increase staff vigilance relating to phishing emails.
- Confirm with IT Security teams that all patching is up-to-date for your internet facing and internal systems, especially any known vulnerabilities with a CVSS of 9.0 or higher.
- Implement multi-factor authentication as a non-negotiable standard across cloud and all critical services.
Considerations for response preparation
So that you are able to respond effectively if impacted by a cyber-attack:
- Ensure your IT Security Team understand the communication and escalation channels through to your Crisis Management Team including thresholds for incident assessment.
- Refresh your communications strategy including current stakeholder map and draft statements for media etc.
- Review contingency strategies for communication, considering that both your website and email may become compromised.
- Monitor social media channels in consideration of any changed work arrangements imposed by COVID.
- Review your cyber insurance response protocols, which typically include access to forensic services.
If you require further advice or assistance with any of the above, please let us know.
1. Australian Cyber Security Centre Advisory Bulletin W1 18 June 2020