With the announcement from the Prime Minister that Australia is under a sustained cyber attack by a “sophisticated state-based cyber-actor,” the issue of cyber security has been put squarely back on the national agenda — and the boardroom table.
Based on the nature of the hacking, the scale and the expertise needed to perpetrate such activity, the campaign appears to be spearheaded by a state-based actor (which is to say, a foreign government). But make no mistake, the attacks are not simply a diplomatic issue: they target Australian organisations across a range of sectors, “including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.” [1]
What then do organisations need to know about what’s happening, and how can they protect themselves from the threat?
So far, no large-scale breaches of systems or data loss have been reported from these latest attacks, and the impact of the threats has been reported by the Australian Cyber Security Centre (ACSC) and the Prime Minister to be non-disruptive or non-destructive. For now. The attacks appear to be aimed primarily at obtaining access to IT systems rather than causing damage, but they leave open the possibility of more malicious action down the line.
Australia has experienced a series of significant cyber security incidents in the past three months, affecting logistics and beverage companies and government departments, and resulting in disruption, destruction and the compromise of sensitive data. Yet they seem to be unrelated to the specific campaign of attacks announced by the government. [2]
The announcement comes ahead of the imminent release of the Government’s 2020 Cyber Security Strategy, the successor to the 2016 strategy aimed at updating the national plan to protect Australia against cyber threats. Since the previous iteration, the magnitude of threats to Australia has dramatically increased, and, according to Home Affairs, “will become more acute as our society and economy become increasingly connected.” [3]*
The Australian Cyber Security Centre (ACSC) published a Threat Advisory detailing the attack’s methods. [4] The attack appears primarily to have accessed public-facing systems, exploiting networks via unpatched software and using a variety of cyber ‘trade craft’. Many of the techniques used by the attacker have been seen previously, earning the attack the nickname ‘copy-paste’.
According to the ACSC, using this approach, the attacker has been able to target networks of interest, regularly searching targets for vulnerabilities, and possibly “maintaining a list of public-facing services to quickly target following future vulnerability releases”. That is, they are ready to pounce as soon as a vulnerability in a system is identified. Vulnerabilities are usually made known to the public to encourage users or IT professionals to apply updates to their systems that ‘patch’ the discovered security hole.
Additionally, in these current attacks, where the hacker has not been able to find a way into an organisation’s systems via this method, they have turned to spear phishing techniques, sending targeted emails impersonating legitimate sources to obtain compromising information. These include links to websites that steal user data, malicious files attached or linked in emails, links prompting users to grant access to the attacker and ‘click-through’ lures to events which then steal data. Once the hacker has access, they use other tools to interact with, or further penetrate, a business’s network.
This attack, like many cyber attacks, is invasive because of its ability to identify services used by businesses that are not being well maintained. The use of spear phishing also brings the human factor into play, exposing vulnerabilities in a business’s culture such as attitudes towards cyber safety.
Neither of these types of threat is particularly new and the success of these attacks points to the fact that many organisations have not updated their cyber incident response plans to address such issues. Luckily, there are actions that can be taken by businesses today to protect themselves against future attacks. Below is the advice provided by the Government and ACSC and some pitfalls we encourage businesses to be aware of:
1. Patch the holes.
All internet-facing software, operating systems and devices should be patched immediately.
The challenge: This is standard advice, but in our experience complexity can lead to oversight. Businesses need to identify all internet-facing devices in the organisation, ensure that updates don’t break other processes, confirm that a patch exists for their specific software and configurations, and make sure they have the means to implement the update. The scale of the problem can be overwhelming, so businesses should seek help if they have doubts.
2. Authenticate yourself.
MFA, or Multi-Factor Authentication, uses a second device to prove to a service that you are who you say you are. Many government websites, for example, ask users to enter a code from an SMS or one that has been generated on their registered mobile phone. The idea is that a hacker may have your website password, but is unlikely to also have access to your phone.
The challenge: While MFA is becoming more common, our clients have found that there is significant user resistance to overcome, as systems don’t always play nicely together and MFA adds an extra barrier to getting into a service (which, of course, is precisely the point). Tech support often finds that fixing access issues involving lost phones, instead of a simple ‘reset my password’, is too hard to deal with, leading to MFA not being instituted. This is especially true if they don’t understand the ramifications or don’t have leadership support behind them.
3. Partner up.
No one can be expected to know all the answers to cyber defence on their own, so it’s crucial for businesses to partner with good intelligence sources. The ACSC provides great information for organisations on cyber readiness, and regular guidance to businesses to protect themselves, for instance on protecting against cyber attacks with the increased reliance on remote working during COVID-19 [5], or for specific industries, such as critical infrastructure providers. [6]
The challenge: What will become evident, no matter the source of intelligence, is that cyber security requires expertise both to understand complex, highly technical advice and to implement it. We encourage businesses not to put this in the ‘too hard basket’ as the risk of attack is too great. Further advice should be sought if there is any doubt.
We find that businesses that have successfully addressed these cyber attack points have a culture that understands risk. These organisations are clear on the operational, regulatory and financial risks that they face and have sought and instituted advice to mitigate their impacts.
Cyber security is not an ‘IT’ problem, and this kind of thinking has led to the kinds of vulnerabilities attackers are exploiting. Only a whole-of-business strategy that understands the level of risk, and can establish a culture and systems to address it, will be able to institute the necessary changes, especially if they are seen as inconvenient (such as MFA) or not given priority (such as patching updates).
While complete cyber security is a myth, organisational cultures that foster diligence and vigilance by every employee — from contractor to CEO — will go a long way to reducing exploitable vulnerabilities.
It’s clear from the Government’s very public announcement that the time to address any remaining issues is now.
For more information on diagnostic tools, risk models and culture assessments that can be used to build a cyber resilient culture and implement cyber security measures, visit PwC Australia’s Cyber Security website.
* PwC’s formal submission to the consultation of the 2020 Cyber Security Strategy can be viewed at https://www.homeaffairs.gov.au/reports-and-pubs/files/cyber-strategy-2020/submission-171.pdf