Cybersecurity professionals should be concerned about state-sponsored cyberattacks


State-sponsored cyber intrusions have become a growing concern for both Australian governments and organisations. Defense Minister Richard Marles warned last year that the country was seeing increased interest from state actors in critical infrastructure.

Nathan Wenzler, chief security strategist at cybersecurity firm Tenable, said state-sponsored threat actors typically infiltrate stealthily and spread. Wenzler said Australian organizations should treat them as seriously as other actors or face serious risk during a geopolitical conflict.

According to Wenzler, the recent state-sponsored attack by the Russian-backed group Midnight Blizzard against Microsoft proved that it is a myth that large organizations are immune. Companies need to gain a complete understanding of their environment and mature their risk management approach.

State-sponsored cyberattacks are a growing concern in Australia

State-sponsored cyber threat activity is increasing in Australia. The Australian Cyber Security Centre found that total cybercrime reports rose 23% to 94,000 in the year to June 2023, attributing some of that increase to state-sponsored attacks against critical infrastructure.

The ACSC report said part of the reason for this increase in state-sponsored activity was the creation of the new AUKUS defense partnership between Australia, the UK and the US, “with its focus on nuclear submarines and other advanced military capabilities.”


A cybersecurity year-in-review report from Dragos, which specializes in industrial and critical infrastructure security, found a continuing trend of adversaries targeting industrial organizations around the world, some of which are linked to state-sponsored groups.

“Despite its geographical isolation, Australia is not exempt from attack. In fact, the Dragos Intel team has seen numerous instances of adversaries directly targeting Australian critical infrastructure entities,” said Conor McLaren, Senior Hunter at Dragos.

According to McLaren, these included “strategic cyberespionage operations.”

Volt Typhoon is an example of a threat to Australian geopolitical interests

Australia and New Zealand last year joined other Five Eyes intelligence partners in exposing a link between the Volt Typhoon hacking network and China. Volt Typhoon was found to have compromised thousands of US devices and critical infrastructure for espionage and sabotage.

Employing “living off the land” techniques, which typically raise no alarms for cybersecurity professionals as the attackers spread, Volt Typhoon and linked groups have been flagged as a potential threat to Australia's critical infrastructure and organizations, should they manage to establish themselves.

Tesserent CEO Kurt Hansen recently told TechRepublic Australia that the current geopolitical environment creates risks for commercial organizations should tensions deteriorate, and that business models are at risk. Hansen urged organizations to exercise vigilance in the face of these attacks.

How and why state-sponsored cyberattacks usually occur

The common pattern seen in state-sponsored attacks is stealth, according to Tenable's Wenzler. Attackers are silent in their attack methods, taking a “wait and see approach to infiltrating a network, compromising a device or system and waiting for opportunities,” Wenzler said.

Nathan Wenzler, chief security strategist at Tenable. Image: Tenable

Normally, their objective is to spread.

“They do not cause damage or cause alarm,” Wenzler explained. “But they continue to spread. They will use that first foothold to make further compromises, obtain credentials and gain access, because nation-state actors are not seeking financial reward.”

Ultimately, these actors want to be able to cause harm if there is a conflict.

“They are looking to shut down critical infrastructure or military operations. They seek to cause panic or shock citizens, shutting down services such as water supply or energy,” Wenzler said.

State actors must be treated as seriously as financial crimes

According to Wenzler, Australian organizations may not be taking state-sponsored cyber attackers seriously enough. The main reason is that unlike traditional cybercriminals such as ransomware attackers, state-sponsored attackers do not have an immediate financial impact.

“But the level of damage they can cause is much greater,” Wenzler said. “Financial loss is obviously a big deal, but think about that kind of meticulous, methodical nature of infiltrating every single thing in their environment, and then if necessary, they could just take it all out.”

While this is often seen as a government issue, Wenzler said these actors are looking to go beyond critical infrastructure, and any service provider like supermarkets or hotels has responsibilities to the public.

“Even in the private sector we can't turn a blind eye to these things,” Wenzler said.

Midnight Blizzard: lessons for Australian cybersecurity professionals

Microsoft's January 2023 disclosure of a compromise by state-sponsored threat actor Midnight Blizzard is a warning that no organization is immune from state-sponsored attacks. Even with more resources and awareness, large companies remain vulnerable to being compromised.


“Many organizations have the idea that bigger companies just do it better… and only those of us who are smaller have to worry about that. And that is not the case,” Wenzler said. “This is a very clear example that the same type of challenges can happen to anyone.”

Identity credentials are a key vector for threat actors to gain a foothold

The Midnight Blizzard compromise shed light on identity and credentials. Wenzler said a takeaway for Australian cybersecurity teams was to be rigorous in managing credentials and to ensure no credentials are forgotten or left unprotected.

This can be a common situation around service accounts or non-human accounts. Wenzler said these accounts are assigned to applications or automated functions to work, but are then often overlooked or forgotten, even though they often have higher privileges.

“They are prime targets for attackers,” Wenzler said. “If you can get those types of accounts, you get great access to the infrastructure and chances are no one will pay attention to it. It is necessary to control the identity and the rights and permissions that everything has.”
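The overlooked, over-privileged non-human accounts Wenzler describes are easy to find once an organization has an inventory to audit. The following Python script is an added example, not code from the article, from Tenable or from anyone quoted here: it runs a few checks over a small constructed identity inventory and flags service accounts with privileged roles, no named owner, long-idle use or credentials that were never rotated. The inventory format, the role names treated as privileged and the day thresholds are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed: role names that count as privileged in this example inventory.
PRIVILEGED_ROLES: Set[str] = {"global_admin", "domain_admin", "owner"}
STALE_DAYS = 90        # assumed: no sign-in for this long means "forgotten"
ROTATION_DAYS = 365    # assumed: credentials older than this need rotation


@dataclass
class Account:
    name: str
    kind: str                           # "human" or "service" (non-human)
    roles: Set[str]
    owner: Optional[str]                # accountable person or team; None = unknown
    mfa_enabled: bool
    last_used: Optional[date]           # None = never seen signing in
    credential_rotated: Optional[date]  # None = never rotated since creation


def days_since(when: Optional[date], today: date) -> Optional[int]:
    """Whole days between `when` and `today`, or None if the date is unknown."""
    return None if when is None else (today - when).days


def audit_account(acct: Account, today: date) -> List[str]:
    """Return the findings for one account; an empty list means nothing to flag."""
    findings: List[str] = []
    held_privileged = acct.roles & PRIVILEGED_ROLES

    # Service accounts are assigned to applications and automation, so they
    # need a named owner who will notice when they are no longer required.
    if acct.kind == "service" and acct.owner is None:
        findings.append("service account with no named owner")
    # A privileged service account is exactly the high-value, low-attention
    # target described above; list the roles so they can be reviewed.
    if acct.kind == "service" and held_privileged:
        findings.append("service account holds privileged role(s): "
                        + ", ".join(sorted(held_privileged)))
    # Human admins without MFA are the other classic foothold.
    if acct.kind == "human" and held_privileged and not acct.mfa_enabled:
        findings.append("privileged human account without MFA")

    idle = days_since(acct.last_used, today)
    if idle is None:
        findings.append("never used: candidate for removal")
    elif idle > STALE_DAYS:
        findings.append(f"unused for {idle} days")

    age = days_since(acct.credential_rotated, today)
    if age is None:
        findings.append("credential never rotated")
    elif age > ROTATION_DAYS:
        findings.append(f"credential {age} days old")
    return findings


def audit_inventory(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map account name -> findings, keeping only accounts with at least one finding."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample inventory and reference date (not real accounts).
TODAY = date(2024, 3, 1)
SAMPLE_INVENTORY: List[Account] = [
    Account("svc-backup", "service", {"domain_admin"}, None, False,
            last_used=date(2023, 1, 15), credential_rotated=date(2021, 6, 1)),
    Account("svc-ci-deploy", "service", {"deploy"}, "platform-team", False,
            last_used=date(2024, 2, 28), credential_rotated=date(2024, 1, 10)),
    Account("alice", "human", {"global_admin"}, "alice", True,
            last_used=date(2024, 2, 29), credential_rotated=date(2024, 2, 1)),
    Account("legacy-app-api", "service", {"owner"}, None, False,
            last_used=None, credential_rotated=None),
]


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the sample inventory, only the two ownerless service accounts are reported, each with four findings; the owned deployment account and the MFA-protected administrator produce none. In practice the inventory would be exported from the identity provider or directory, and the flagged accounts fed into an access review rather than printed.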

Interconnected environments require a holistic approach to security

The attack on Microsoft also exposed the misconception that security functions can be treated as “little isolated silos,” Wenzler said, where completing a checklist of tasks like patching Windows systems or hardening cloud infrastructure is all that is required to safeguard security.

“The challenge is getting all of these things connected,” he said. “Those Windows systems could provide access to your cloud environment, and that can potentially reach your critical infrastructure. It is remembering that all these things are linked.”

How cyber teams can combat state-sponsored security threats

Following Midnight Blizzard's compromise of Microsoft, Wenzler argued that cyber teams should review security measures, such as ensuring multi-factor authentication is enabled, and apply best practice approaches, such as the principle of least privilege, to minimize the risk of identity compromise.

However, he added that the key was to aim for a holistic understanding of an organisation's environment, adopting a mature risk management approach to security and being prepared to engage government agencies and authorities for support in the event of a threat.

Aim to understand your organization's interconnected environment

Organizations should take steps early to understand their environment as completely as possible, Wenzler said. This was particularly useful in identifying activity from state-sponsored threat actors who, through “living off the land” techniques, generate no obvious warning for cybersecurity teams and are therefore much more difficult to detect.

Take a proactive risk management approach to cybersecurity operations

Organizations are also encouraged to follow frameworks like NIST and the Essential Eight, which over time have moved from focusing on putting up walls and waiting for threat actors to bounce off them, to recommending a more proactive risk management approach to cyber security.

“As we embrace this idea, security is much more about risk management than simply implementing IT services, so you have to start understanding that risk landscape; that means being proactive, understanding the environment, understanding the risk profile and using that to make good decisions about what to do next, including the right security controls for you,” Wenzler said.

Be prepared to request support from law enforcement authorities

While organizations will likely seek to resolve a state-sponsored threat actor's intrusion as a normal security incident, Wenzler said it was also important to involve local government and law enforcement authorities, who have detailed knowledge of state-sponsored threat actors. This will also support other organizations, as the threat could be more widespread.

Wenzler said law enforcement agencies sometimes offer additional resources. However, he said many private sector organizations still do not include contact details for government agencies and law enforcement in incident response plans. He said it was important to document who to contact beforehand, rather than searching when an incident occurs.
