
June 24, 2020

COVID-19+ | Protecting your Business from Cyber Attacks in a COVID-19 World

On 19 June 2020, Prime Minister Scott Morrison announced that all levels of Australian government were targeted by ‘sophisticated state-based cyber actors’. The attack has emphasised the need for Australian businesses to ensure they have the appropriate technical defences in place. This is even more important given how many people are working from home due to the COVID-19 pandemic, and how much more Australian business now depends on the security and reliability of digital networks and systems.

Introduction

On 19 June 2020, Prime Minister Scott Morrison announced that ‘sophisticated state-based cyber actors’ targeted a wide range of Australian political and private-sector organisations. According to the Federal Government’s cyber experts, the attack occurred over many months. It has been dubbed Australia’s biggest cyber attack to date, causing businesses across the country to question the state of their cyber security systems.

Is China behind the attacks?

Peter Jennings, executive director of the Australian Strategic Policy Institute (‘ASPI’), has attributed the attack to China with 95% certainty. Senior intelligence sources reveal the attacks are consistent with political interference and a bid to map Australia’s critical infrastructure to find vulnerabilities. Unlike Russia or North Korea, China is believed to have the requisite interest in State and Territory government or universities, as well as the sophistication and size of the intelligence establishment.[1] Chinese Foreign Ministry spokesperson Zhao Lijian has vehemently denied these claims.

Effects of COVID-19

The global spread of COVID-19 has caused the workforce to migrate from offices to remote-working environments. However, as more persons work from home, business cyber security protections are reduced. As stated by the ACSC, ‘an increase in remote working significantly increases the opportunities for adversaries to gain unauthorised access to systems and may cause real world physical harm’.[2]

In the US, for example, a Washington State agency has reported a phishing email campaign in which cyber criminals impersonate the US Centers for Disease Control and Prevention and encourage users to click a link that automatically downloads malware. The malware has the potential to compromise both the device and associated workplace systems.[3]

Statistics show that 89% of technology professionals and leaders in Australia say that ‘the rapid transition to remote work has increased data protection and privacy risk’.[4] Further, only 40% of the respondents were ‘highly confident’ that ‘their cybersecurity teams were ready to detect and respond to the rising cybersecurity attacks occurring during COVID-19’.[5] Businesses should be acutely aware of the new risks arising from the surge in remote work, and take steps to mitigate them.

The ACSC 18 June 2020 Guidelines

In response to the attacks, the Australian Cyber Security Centre (‘ACSC’) has published emergency security guidelines for businesses to implement to reduce risks.

The two ACSC recommended key mitigations are as follows.

  1. Prompt patching of internet facing software, operating systems and devices

The ACSC has announced that ‘all exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available.’[6] It accordingly recommends that organisations ensure that security patches or mitigations are applied to internet facing infrastructure within 48 hours of those being made available. It also recommends that organisations use the latest version of software and operating systems available.

  2. Use of multi-factor authentication across all remote access services

Multi-factor authentication should be applied to all internet accessible remote access services. In basic terms, multi-factor authentication is an authentication method in which a computer user is granted access only after presenting two or more pieces of evidence to an authentication mechanism. 

Multi-factor authentication is recommended across web and cloud-based email, virtual private network (VPN) connections and remote desktop services. In the current COVID-19 environment, with the growing prevalence and uptake of digital collaboration platforms such as Slack and Trello, businesses should also look at applying multi-factor authentication when using these platforms.
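A small audit of the two key mitigations above, added here as an example and not taken from the original article or from ACSC guidance: it flags internet-facing assets whose security patch was applied after, or is still outstanding beyond, the 48-hour window, and remote access services without multi-factor authentication. The inventory fields, finding codes and sample hosts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(hours=48)               # window recommended for internet-facing systems
REMOTE_ACCESS_KINDS = {"webmail", "vpn", "rdp"}  # service types the article lists for MFA

@dataclass
class Asset:                                     # hypothetical inventory record
    name: str
    kind: str                                    # "vpn", "webmail", "rdp", "web", ...
    internet_facing: bool
    mfa_enforced: bool
    patch_released: Optional[datetime]           # latest security patch made available
    patch_applied: Optional[datetime]            # None means not applied yet

def audit(assets, now):
    """Return (asset name, finding code) pairs for the two key mitigations."""
    findings = []
    for a in assets:
        if not a.internet_facing:
            continue                             # both mitigations target internet-facing services
        if a.patch_released is not None:
            deadline = a.patch_released + PATCH_WINDOW
            if a.patch_applied is None and now > deadline:
                findings.append((a.name, "PATCH_OVERDUE"))   # still exposed past the window
            elif a.patch_applied is not None and a.patch_applied > deadline:
                findings.append((a.name, "PATCH_LATE"))      # fixed, but exposed too long
        if a.kind in REMOTE_ACCESS_KINDS and not a.mfa_enforced:
            findings.append((a.name, "NO_MFA"))
    return findings

# Constructed sample inventory and audit time (not real hosts).
NOW = datetime(2020, 6, 24, 9, 0)
SAMPLE = [
    Asset("vpn-gw", "vpn", True, False, datetime(2020, 6, 20, 9), None),
    Asset("webmail", "webmail", True, True, datetime(2020, 6, 18, 9), datetime(2020, 6, 21, 10)),
    Asset("www", "web", True, False, datetime(2020, 6, 23, 9), None),   # still inside the window
    Asset("rdp-jump", "rdp", True, True, datetime(2020, 6, 22, 8), datetime(2020, 6, 23, 8)),
    Asset("file-srv", "smb", False, False, datetime(2020, 6, 1, 9), None),  # internal, out of scope
]

if __name__ == "__main__":
    for name, code in audit(SAMPLE, NOW):
        print(f"{name}: {code}")
```

An unpatched asset that is still inside the 48-hour window is deliberately not reported, so the output lists only items that already breach the recommendation.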

ASD Essential Eight Controls

Beyond the ACSC priority key mitigations above, the ACSC strongly recommends implementing the remainder of the ASD Essential Eight Controls as follows:

  1. Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
  2. Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
  3. Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of the applications.
  4. User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
  5. Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
  6. Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
  7. Multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
  8. Digital backups of important new/changed data, software configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.

Concluding Remarks

In light of the heightened dependence on digital systems and networks as a result of COVID-19, Australian businesses are more vulnerable than ever before to cyber attacks. Implementing the ACSC’s guidelines should help provide commercial and government organisations with strong technical defence measures to prevent the potentially devastating consequences of being hacked.

If you have any questions on disruption to your digital business in a COVID-19 world, please do not hesitate to get in touch below.

 

[1] Geoff Chambers, Simon Benson & Joe Kelly, ‘Beijing behind full cyber attack on Australia’ The Australian (20 June 2020) <https://amp.theaustralian.com.au/nation/politics/nation-under-full-cyber-assault-from-china/news-story/cfe5b61ea317f613359638a9c7bd6193>.

[2] Australian Cyber Security Centre, ‘COVID-19 – Remote Access to Operational Technology Environments’ Australian Signals Directorate (22 May 2020) <https://www.cyber.gov.au/advice/covid-19-remote-access-to-operational-technology-environments>.

[3] Washington Tech Solutions, ‘Phishing attacks use coronavirus outbreak to trick victims’ WaTech <https://watech.wa.gov/Phishing-attacks-use-coronavirus-outbreak-trick-victims>.

[4] ISACA, ‘Media Alert: Australian Businesses Ill prepared for Cyber Attacks’ PR Wire (22 June 2020) <https://prwire.com.au/pr/90329/media-alert-australian-businesses-ill-prepared-for-cyber-attacks>.

[5] Ibid.

[6] Australian Cyber Security Centre, ‘Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks’ Australian Signals Directorate (18 June 2020) <https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks>.
