It is likely that the attackers recently targeting Australia are a major Nation State. The attack is described as 'copy and paste', using open source tools and other public resources. The scale of these attacks would require significant resources, people and planning superior to that of individual actors or other entities.
The attacks used public exploits and targeted phishing, which are very common. Attackers first targeted external IT infrastructure, then used targeted e-mails if the initial attacks failed. They used e-mail tracking services to measure open and click-through rates, demonstrating how managed the campaign is likely to have been. The attackers have not been reported to target specific industries or sectors, spreading their attacks widely across the Australian economy and state.
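The e-mail tracking behaviour described above (open pixels and click-through counters) leaves artefacts a mail gateway or analyst can look for. The following is an added example, not code from the original post or from any of the agencies mentioned: it scans a constructed HTML e-mail body for 1x1 or CSS-hidden remote images and for off-domain links that carry an opaque per-recipient token or a redirect target, which is how open and click-through rates are typically measured. The sender domain, the host names and the tokens in the sample are all invented for illustration.

```python
"""Flag likely open-tracking pixels and click-tracking links in an HTML e-mail.

Added example (not from the original post). Heuristics only: a hit means
"this message reports back when opened or clicked", which is worth a second
look when the mail also asks the recipient to sign in or open an attachment.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Long runs of [A-Za-z0-9_-] in a URL usually identify the individual recipient.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")


class _ImgLinkCollector(HTMLParser):
    """Collect <img> attribute dicts and <a href> values from an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (e.g. "1", "1px")."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return bool(m) and int(m.group(1)) <= 1


def _hidden(style):
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def find_tracking_indicators(html, sender_domain):
    """Return a list of (kind, url, reason) tuples; kind is 'pixel' or 'link'."""
    p = _ImgLinkCollector()
    p.feed(html)
    findings = []

    for img in p.images:
        src = img.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline/cid images cannot phone home
        u = urlparse(src)
        host = u.hostname or ""
        reasons = []
        if _is_tiny(img.get("width")) and _is_tiny(img.get("height")):
            reasons.append("1x1 image")
        if _hidden(img.get("style")):
            reasons.append("hidden by CSS")
        if host and not host.endswith(sender_domain):
            reasons.append(f"third-party host {host}")
        if TOKEN_RE.search(u.path + "?" + u.query):
            reasons.append("opaque per-recipient token")
        # A visible logo on a third-party CDN is normal; invisibility is the tell.
        if "1x1 image" in reasons or "hidden by CSS" in reasons:
            findings.append(("pixel", src, "; ".join(reasons)))

    for href in p.links:
        u = urlparse(href)
        if u.scheme not in ("http", "https"):
            continue
        host = u.hostname or ""
        qs = parse_qs(u.query)
        # Redirector style: the real destination travels in a query parameter.
        redirect = any(v and v[0].startswith(("http://", "https://")) for v in qs.values())
        tokenised = bool(TOKEN_RE.search(u.path)) or any(
            TOKEN_RE.search(v[0]) for v in qs.values() if v
        )
        if host and not host.endswith(sender_domain) and (redirect or tokenised):
            findings.append(("link", href, "click-through redirector" if redirect else "tokenised link"))
    return findings


# Constructed sample message: every host, path and token below is invented.
SAMPLE = """<html><body>
<p>Please review the attached invoice and sign in to confirm.</p>
<a href="https://trk.example-tracker.net/c/9f8e7d6c5b4a3f2e1d0c?u=https://login-portal.example.org/">Open portal</a>
<img src="https://corp.example/logo.png" width="120" height="40">
<img src="https://trk.example-tracker.net/o/9f8e7d6c5b4a3f2e1d0c.gif" width="1" height="1" style="display:none">
</body></html>"""

if __name__ == "__main__":
    for kind, url, reason in find_tracking_indicators(SAMPLE, "corp.example"):
        print(f"{kind:5} {url}\n      {reason}")
```

Run against the sample with `corp.example` as the claimed sender domain, the visible logo is ignored, the hidden GIF is reported as a tracking pixel and the off-domain link as a click-through redirector. In a gateway the same two signals can be turned into a score that raises the message's phishing suspicion, or into a rewrite that strips the pixel so that opens are not reported back.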
The hypothesis that it is a major Nation State is also supported by Australia's decision to publicly announce the news. It can be surmised that this may be an attempt to dissuade those behind it, in case more details are made public. This also means that others will point the finger at obvious suspects, giving Australia the benefit of being able to deny this later and move on from any adverse consequences.
It is still unusual for a Head of State to be involved, a response usually reserved for a major policy decision or international issue, serving to increase the reach and impact of the news. When the Australian announcement is viewed within the context of other criticism levelled at Nation States, this looks like a continuation of foreign policy rather than an exercise in raising awareness and prevention.
The UK this week also called out a nationwide attack, albeit with different inferred consequences than those levied on Australia. It can be inferred that the UK National Cyber Security Centre (NCSC) hopes that publication either makes organisations more alert or sends the attacker the message that they are being scrutinised. The attack announced by the NCSC shows similarities to the Australian reports, including similar techniques to harvest credentials from victims.
There is evidently a level of coordination between the 5-eyes community of the US, UK, Canada, New Zealand and Australia. It is also hard to imagine this not being discussed at the recent virtual NATO summit, where responses to cyber attacks were on the reported agenda along with a new framework for response.
Cyber attacks on nations are now an issue of geopolitics more than ever. The days of attacks taking place in the shadows, as part of the cut and thrust of intelligence work, have ended through both increased media attention and public awareness.
The trend of “calling out” another Nation State has been growing, starting with the use of criminal indictments by the United States. When coupled with direct action against criminal groups through arrests and prosecutions, a new strategy to tackle high level cyber crime and espionage is emerging.
Only time will tell if this approach works. It also raises many questions about the long term outcomes of the approach, which seems instinctively calibrated for dealing with countries who are not belligerent and do not seek the limelight. What can be done if an adversary doesn’t cease their actions when exposed to attention, or is not rational in their decision making? Will this make some nations seek the publicity of being seen to play on a larger stage?
It has been several years since Nations started to admit the use of offensive cyber tactics, and the first cyber attack campaigns by Nations came to light. A capability like this is often as valuable as a deterrent, which requires publicity. The publicised electronic corruption of the Al-Qaeda Inspire magazine by the UK may have been made public for this reason, or as a way to demonstrate the reach of the UK to others.
Given the current geopolitical climate in the region, attacks like this are likely to continue whether they play out in the public domain or not.
Even though these attacks are now highly publicised there is little need for sophisticated responses. We recommend the basics of cyber security such as enabling multi-factor authentication for all remote services, prompt and effective patching of systems and raising awareness of phishing emails among staff. Good cyber hygiene goes a long way to preventing these attacks locally, while hopefully geopolitical responses slow their impact nationally.