Suspected State-Sponsored Hackers Pummel US and Australia

Cyberwarfare / Nation-state attacks , Data Loss , Forensics

As Diplomacy Fails, China and Iran Escalate Hack Attacks(jeremy_kirk) • February 19, 2019    Suspected State-Sponsored Hackers Pummel US and AustraliaThe Australian Parliament Building in Canberra (Photo: AUSPIC)

Dozens of companies in the U.S. and political parties in Australia have been targeted in recent attacks that appear to have state sponsorship. Officials say China and Iran appear to have escalated their online espionage campaigns, seeking to gather better intelligence and steal intellectual property.

See Also: Live Webinar: Building Secure Delivery Pipelines with Docker, Kubernetes, and Trend Micro

Australian Prime Minster Scott Morrison on Monday declined to assign blame for cyberattacks that recently breached Parliament's networks, including the email archives of legislators. He also sought to assuage fears over possible interference with the upcoming federal election, which must be held before May 18 (see: Hack Attack Breaches Australian Parliament Network).

"Our cyber experts believe that a sophisticated state actor is responsible for this malicious activity," Morrison says in video published by broadcaster ABC. "Let me be clear, though: There is no evidence of any electoral interference. We have put in place a number of measures to ensure the integrity of our electoral system."

Alastair MacGibbon, Australia's national cybersecurity adviser, says the government doesn't know who is behind the attacks or their intent, but is investigating. The quick remediation action undertaken after the attacks removed some of the forensic evidence, in an unfortunate, but necessary, turn of events, he says.

U.S. Targeted

In the U.S., dozens of U.S. corporations and government agencies have been hit by attacks that appear to have been carried out by Iran, The New York Times reports.

Those attacks have come in parallel with increased activity by China aimed at stealing intellectual property from military contractors and technology companies, the Times reports. Targets have included Boeing, General Electric Aviation and T-Mobile, it says, citing an intelligence report (see: Feds Urge Private Sector 'Shields Up' Against Hackers).

imageTom Uren

China's activity appears to abrogate an unprecedented agreement reached in September 2015 between former President Barack Obama and Chinese President Xi Jinping. The agreement forbids the theft of intellectual property via cyberattacks (see: U.S., China Reach Cyber Agreement).

The U.S put much effort into that diplomatic solution, which appeared to temporarily convince China it should stop, says Tom Uren, senior analyst with the International Policy Centre at the Australian Strategic Policy Institute. But one question is whether China intended to abide by the agreement or develop better tools and techniques to mask its activity, Uren says.

"It kind of looks like the latter now," Uren says.

Australia: Target for Influence

Contributing to the tension is the trade standoff between the U.S. and China. President Donald Trump has imposed a variety of tariffs on Chinese goods in an effort to revamp trade rules.

Counting both imports and exports, China is Australia's No. 1 trading partner. As in many other regions, China has jostled for economic and political influence in Australia, including leasing Darwin Port and developing interests in agriculture and real estate.

"Australia has become a major target for Chinese espionage and influence operations, since China wants to peel Australia from the U.S. That may not sound doable, but they see no harm in trying."
—James Lewis, CSIS

As President Trump's foreign policies have caught many in the western world off guard, it has created opportunities for China to create wedges between traditional alliances.

China is now targeting Australia not only for commercial but political espionage, says James Lewis, senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies.

"Australia has become a major target for Chinese espionage and influence operations, since China wants to peel Australia from the U.S.," Lewis says. "That may not sound doable, but they see no harm in trying."

Australia has taken a softer approach than the U.S. and not publicly laid blame for cyberattacks. Over the past few years, the U.S. has taken to the courts and sought criminal indictments against alleged Chinese, Russian and Iranian hackers, pursuing a confrontational tactic that has sought to at least embarrass attackers and the government agencies that employ them (see: US Again Indicts Chinese Intel Agents Over Hacking).

But attributing cyberattacks remains an often thorny and controversial undertaking. The indictments, however, demonstrate that U.S. prosecutors feel confident in their technical investigations. And Australia, facing its upcoming federal election, may need to consider sending stronger messages, says Steve Ledzian, vice president and CTO for FireEye in Asia-Pacific.

"A big question for Australian leadership is when they will start publicly attributing targeted cyber attacks," Ledzian says. "Disclosure alone helps raise awareness, but offers little deterrence for attackers."

Iran: DNS Meddling

Iran's cyber activity is also raising alarms. The National Security Agency attributed a recent round of attacks to Iran, paralleling findings also reached by FireEye.

U.S. intelligence agencies say Iran's activity has ramped up after a lull following a deal in 2015 that restricted the country's nuclear program (see: Intelligence Chiefs Expect More Cyberattacks Against US).

In January, amidst the government shutdown, the Department of Homeland Security advised government agencies to double-check their Domain Name System settings to guard against attacks that can open a door to effective social engineering attacks (see: DHS Issues More Urgent Warning on DNS Hijacking).

Changing a DNS record can mean that those browsing the web can be directed to fraudulent websites even if the precise URL has been entered in a browser window. Broader use of TLS/SSL certificates and certificate pinning can trigger warnings if this happens, but in some cases it may be hard to detect. Fiddling with a DNS record can also allow an adversary to spy on web traffic (see: Criminals, Nation-States Keep Hijacking BGP and DNS).

Also related to Iran, the U.S intelligence community was rocked once again when an indictment, unsealed last week, charged a former servicewoman with helping Iranians target U.S intelligence agents with cyberattacks (see: US Air Force Veteran Charged in Iran Hacking Scheme).

imageFour Iranian men along with a former Air Force servicewoman were charged in a hacking scheme that targeted military members. (Source: FBI)

Monica Elfriede Witt, a 39-year-old former Air Force counterintelligence agent, is accused of helping four Iranians with background information to aid spear-phishing attacks. Witt, who defected to Iran in 2013, is also accused of revealing a highly classified intelligence program related to Iran and the identity of an intelligence officer.

The four Iranians are accused of targeting U.S. military personnel via Facebook and email, sending alluring messages that tried to entice recipients to disable their anti-virus programs and download malicious attachments.