The government has set the scene for the release of Australia’s next cyber security strategy, with Prime Minister Scott Morrison warning of a surge in malicious cyber activity in recent months.
In a hastily organised press conference devoid of much substance on Friday, Morrison said the new strategy, containing “significant further investments”, will be released in the “coming months”.
The Department of Home Affairs has been consulting on the development of the new strategy since September to replace the 2016 strategy, which funnelled $230 million into the industry over four years.
But that strategy expired two months ago, prompting Shadow Assistant Minister for Cyber Security Tim Watts to call on the government to release the strategy in a parliamentary address earlier this week.
He used the address to criticise Home Affairs Minister Peter Dutton for leaving cyber security “at the bottom of his in-tray”, saying that “a virtual millennia in hacker years has passed without action”.
On Friday, Morrison said the government was “aware of and alert to the threat of cyber attacks”, noting that “frequency has been increasing” and the Australian Cyber Security Centre has been working with industry to “thwart this activity”.
He pointed to a “sophisticated state-based cyber actor” currently targeting Australian organisations, though - like on previous occasions - declined to attribute the cyber activity to any one nation.
“This activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure,” he said.
But Morrison said the “investigations conducted so far have not revealed any large-scale personal data breaches”.
An ACSC advisory [pdf] posted this morning indicates the actor’s “heavy use of proof of concept exploit code, web shells and other tools copied almost identically from open source”.
“The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI,” it said.
“Other vulnerabilities in public facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.”
The ACSC has also identified the actor using spearphishing techniques, such as emails that link to credential harvesting websites, link to or attach malicious files, or use links that prompt users to grant Microsoft Office 365 OAuth tokens to the actor.
Morrison’s attribution, or lack thereof, follows a series of recent cyber attacks against both the private and public sectors, including Toll Group, Lion, BlueScope and Service NSW, since the beginning of the coronavirus pandemic.
He said that while the 2016 cyber security strategy had “strengthened Australia’s cyber security foundations and stimulated private sector investment”, the new strategy will include “significant further investments”.
“[The 2016 cyber security strategy] was a forward thinking plan, and with forward thinking investments,” he said.
“They were important investments for us to make and I'm glad we made them, and we’re continuing to make them.
“And as I’ve flagged today, we're making more because this is what keeping Australia safe looks like to make those investments.
“There of course can’t be any guarantees in this area - it is an area of rapidly advancing technology.”
The NSW government this week surpassed the federal government’s 2016 cyber security investments by allocating $240 million to bolster its cyber security capability over the next three years.