Australia warns of new Chinese APT attacks

The Prime Minister of Australia, Scott Morrison, confirmed last week that the network of the country’s parliament had been hit by a cyber attack, possibly launched by a “sophisticated state actor”. The Liberal, Labor and Nationals parties were also targeted some weeks ago.

With federal elections due to take place in May, there were concerns that Australia might have fallen victim to attacks perpetrated by Russia, such as those seen during the presidential campaign in the US in 2016 and indeed during electoral periods in other western nations since then. However, Morrison stated there was “no evidence” of such interference, and it is not believed any data was accessed during the attacks.

According to Australian intelligence sources speaking to the media some days later, the hackers used previously unknown techniques, a “‘first-seen’ in terms of the tools and trade craft used”. This underlined the suspicion that a state-sponsored group was responsible for the attacks.

With Russia seemingly deemed unlikely to be responsible in this instance, the focus of investigation has now fallen on China, which is a key suspect for a number of reasons.

Although the number of cyber attacks perpetrated by Beijing had dropped significantly following an agreement concluded in 2017 by then Australian Prime Minister Malcolm Turnbull and China’s President Xi, the relationship between the two countries soured significantly in December of the same year, when Turnbull accused Beijing of meddling in his country’s national affairs, thereby poisoning bilateral relations and undermining mutual trust. This led to a sharp denial by the Chinese government.

In August 2018 Canberra banned the use of technology produced by two Chinese companies – Huawei and ZTE – in the development of the country’s 5G networks. US intelligence agencies had claimed that Huawei-manufactured equipment could contain backdoors used for espionage, and further, that Huawei has links to the Chinese government – claims that the company roundly denies.

In December reports emerged concerning the compromise by the state-sponsored Chinese hacker group APT10 (aka StonePanda, among other names) of at least nine global managed service providers (MSPs). Alastair MacGibbon, head of the Australian Cyber Security Centre (ACSC), warned that the “audacious” global campaign to steal commercial secrets by targeting the IT companies that provide services had left “tens of thousands” of Australian companies at risk.

There was particular concern over natural resource companies, which offer a very attractive target for Chinese hackers. Western Australian mining enterprises have in recent years been the victims of systematic, sustained hacking campaigns launched by Chinese groups intent on harvesting technological information for the benefit of Beijing’s state-owned industries. As well as being utilised to improve China’s own technological expertise in these industries, the data has also been used as leverage in contract negotiations: Australian companies have reportedly lost millions of dollars in revenue over the last decade.

One interesting point about cyber attacks being blamed on specific nation states concerns the possible consequences when such accusations have not been proved.

Just this month China has introduced an indefinite ban on the import of Australian coal, ostensibly to “protect the interests of Chinese importers and the environment”. The move immediately resulted in a drop in the value of the Australian dollar.

Imports from Russia and Indonesia were not affected by the measure, and this has led to speculation that Beijing was responding to accusations of Chinese responsibility for the recent cyber attacks against Australia’s parliament and political parties, or the ban on the use of Huawei/ZTE telecommunications equipment.

While Geng Shuang, China’s Foreign Ministry spokesman, claimed that the import ban had been implemented for quality, safety and compliance reasons, he nevertheless added: “One should present abundant evidence when investigating and determining the nature of a cyberspace activity instead of making baseless speculations and firing indiscriminate shots at others.”

Moving away from the specific focus of this article on Australia, it is clear that China’s state-sponsored hacker groups continue to draw the close scrutiny of security agencies worldwide.

In April 2017, for example, a joint report from the NCSC and PwC showed that UK firms were being targeted by APT10 in Operation Cloud Hopper, a global cyber campaign that continues to this day.

At the end of 2018, the US Department of Justice charged two Chinese nationals with being members of APT10, alleging that they had hacked several unnamed managed service providers, as well as the NASA Goddard Space Center and Jet Propulsion Laboratory, the US Department of Energy's Lawrence Berkeley National Laboratory, the US Navy, and a number of other organisations.

Importantly, in the last couple of weeks, it has come to our attention that attacks perpetrated by state-sponsored Chinese hacking groups against companies and governments worldwide are on the rise again. Confirmed observations in the US have shown a marked increase in the number of business entities impacted by intellectual property theft and system compromise.

Governments, businesses and politicians in the US, Europe, Africa, the Middle East, Asia, the Pacific and Russia are all at risk of attack from an increasingly aggressive Chinese state-sponsored programme, and are advised to ensure that stringent cyber security practices are in place and closely monitored.