The danger of cyber attack and need for proper cyber security highlighted by the attack on Nine which crippled its Sydney operation

March 28, 2021

The Australian magazine had a big piece on cyber security titled Why the world is under cyber-attack. It touches all the bases: malicious attacks are on the rise, they are growing in sophistication, they are attacking infrastructure, ransomware is on the rise and governments are becoming ever bigger players. Not too much is new, though it is quite an involved piece with a dystopian bent.

The unfortunate thing about pieces like this is that they do not seem to move governments to regulate properly through adequate legislation and then ensure that the agency or other body charged with regulation actively regulates. That is happening at a more adequate level in Europe and even in the United Kingdom. In the United States the regulation is patchy. In Australia it is lamentable. The Privacy Act is replete with carve-outs and over-broad exemptions. The Information Commissioner is congenitally timid and ineffective. That bodes badly for the state of cyber protection for Australian businesses. On that note it is relevant to see The Australian's report that Nine Network’s Sydney office has been hit by a cyber attack which stopped it from airing weekend shows. It has also been reported by the ABC, the Daily Mail and the Age.

The Age article provides:

Media giant Nine Entertainment Co has requested the assistance of the Australian Signals Directorate after a major cyberattack hit its broadcast systems in the early hours of Sunday morning.

As Nine worked to resolve the issue, Australian Parliament was also investigating a potential cyberattack in Canberra on Sunday evening, which is affecting government issued smartphones and tablets.

Assistant Minister for Defence Andrew Hastie said on Sunday night he was “not surprised” about the attack, which caused problems with Nine’s live broadcasting operations and print production systems. He said it was a warning to all businesses that they need to be aware of potential threats.

“This is a timely reminder that Australians cannot be complacent about their cyber security. Cyber security is a team effort and a shared responsibility,” Mr Hastie said. “It is vital that Australian businesses and organisations are alert to threats and take the necessary steps to ensure our digital sovereignty.”

A Department of Parliamentary Services spokesperson said the government was working to investigate the cause of disruption in Canberra, with the Australian Cyber Security Centre providing advice.

“DPS is working to resolve the issues and some services have been restored,” the spokesman said.

“Some services on DPS issued smartphones and tablets have been experiencing disruptions over the weekend.”

Mr Hastie said the issue related to an external provider, with their connection to government systems cut as soon as an issue was detected as a precaution.

“The government acted quickly, and we have the best minds in the world working to ensure Australia remains the most secure place to operate online,” Mr Hastie said.

Incoming Nine chief executive Mike Sneesby confirmed on Sunday night the incident was a cyberattack. Nine’s director of people and culture Vanessa Morley said the company may be unable to fully restore systems for some time and instructed staff to work from home indefinitely. The origin and motive of the attack are unclear, but no requests for ransom have been made.

Sources familiar with the discussions at Nine said the company had been in talks with a large number of external security experts on Sunday who said they had not seen this kind of attack before in Australia. The sources said the experts believe it is some kind of ransomware likely created by a state-based actor. The Australian Cyber Security Centre, part of the ASD, confirmed it had offered technical assistance to Nine after it made contact about the attack. The ASD is in charge of protecting Australia from global threats including cyberattacks from state-based actors.

“We wish to inform you there has been a cyber-attack on our systems which has disrupted live broadcasts out of Nine Sydney (1 Denison). Our IT teams are working around the clock to fully restore our systems, which have primarily affected our Broadcast and Corporate business units,” Ms Morley said. “Publishing and Radio systems continue to be operational. While our IT teams work through this issue, we ask that all employees, in all markets, work from home until further notice.”

The decision to make all staff work from home followed a difficult Sunday for the media company, which was unable to broadcast Weekend Today from 7am until 10am. It managed to broadcast the NRL in the afternoon and ran a national news bulletin on Sunday evening from Melbourne.

There were some issues with use of some publishing tools that the newspapers use, but the division was able to operate. Nine owns The Sydney Morning Herald and The Age.

Nine News has flown producers to Melbourne for the week and an NRL commentary panel were told to drive to Newcastle to broadcast the football as part of a series of contingencies, according to people familiar with the plans.

The reason for the attack is unclear. Australia’s relationship with China has deteriorated over the past year, with Beijing frustrated by the country’s commentary on its sovereignty, security and development interests. Australia has been slapped with large tariffs and bans on local seafood, wine, coal and barley.

The relationship spiralled after the Turnbull government blocked telecommunications provider Huawei from the 5G network over national security concerns. Australian correspondents working in the region were forced to leave in September last year. The Herald and The Age have been critical of many of China’s political decisions and have conducted investigations into Chinese Communist Party influence, spy agencies and the country’s involvement in hacking.

Separately, Nine’s program Under Investigation has been working on a story that looks at Russian president Vladimir Putin’s campaign of chemical assassination and Russia’s development of banned poisons.

Cyberattacks have become increasingly common across a range of industries. Earlier this month the federal government was working with local businesses that were compromised by a Microsoft bug that allowed a suspected China-based state-sponsored hacking group to access corporate emails.

Major Australian law firm Allens, the Reserve Bank of New Zealand and the Australian Securities and Investment Commission are among other companies to be hit by attacks.

It is interesting to note that the Age reports that the attack is some form of ransomware, while The Australian and the ABC both ran reports that there was no ransomware. There are hints at the attack possibly being undertaken by a state player. It is all rather vague. Which is a pity. Part of the reason for poor cyber hygiene is that there is very little publicity about how these attacks are developing.

And just to show that cyber attackers are not focused on private enterprise only, there is reported to be an IT disruption at Federal Parliament, which has not been characterised as a cyber attack.

The Australian cyber security article provides:

For the past year, I have been sheltering from the pandemic in a cabin in the woods in California, watching as the US death toll climbed higher than in any other country. Witnessing this has been equal parts tragic and maddening, but I know there is a quieter layer to the terror, also invisible but no less life-threatening, palpable only when it hits our hospitals, our bank accounts, our water, our bodies.

I have spent the past seven years infiltrating the world of cyberwarfare, tracking an escalating series of hacks on healthcare services, the power grid, nuclear plants, our privacy, our psyche, with no end in sight. But this year, one in which we virtualised our lives at a scope and speed the world has never seen, I have caught a harrowing glimpse of another plague, one for which there is no vaccination, and one that promises to consume us all if we do not alter our course.

Among the stories to have emerged during the coronavirus pandemic are two cyber-attacks that bookended it. Last April, weeks into its stay-at-home order, Israel announced that Iranian hackers had infiltrated two Israeli water treatment facilities in an attack that officials said was designed to cut off water supplies or contaminate the drinking water for thousands of people quarantined at home. Nearly one year later, the US reported an eerily similar cyber-attack on a water treatment facility in a small town in Florida that increased the amount of the caustic substance lye in the water from 100 parts per million to 11,000 parts per million. Had an engineer not noticed a phantom hand moving his cursor across his screen, the attack might have poisoned thousands of residents, sending them to hospitals already under siege from Covid-19.

It is still unclear whether those two cyber-attacks are related. But what is clear is that they flanked a period in which the world endured not just a terrible pandemic but some of the most aggressive and costly hacking episodes in modern history. Water treatment facilities, hospitals, schools, clinical trials, coronavirus vaccine research, supply chains, treatments and tests, electricity companies, technology firms and government agencies were all, in some way, shape or form, hijacked by hackers. Cyber-criminal activity spiked and nation-state hackers – not just the usual suspects in Russia, China, Iran and North Korea, but newer players like Pakistan – were caught hacking one another in an attempt to glean any intelligence or advantage they could during the pandemic.

Unless we pause and change tack, these cyberattacks offer a glimpse of what the world can expect in the future as we digitise our economies, societies and daily lives at accelerating rates. When this is all over, working from home could become the new normal. We will depend more heavily on Zoom and the so-called “internet of things” – devices such as smart TVs, thermostats, fridges, pacemakers and insulin pumps that we are now plugging into the internet at a rate of more than 127 per second. It will see more critical infrastructure – more water and sewage treatment facilities, power grids, oil and gas pipelines, chemical plants, nuclear reactors, health, financial and government services – migrate to an internet that was never built with global security in mind. Unless we reprioritise our collective cyber-defence, this could have life-threatening implications.

Until now the vast majority of attacks have been designed for espionage, or to steal money or data, but the same code and digital entry points are being used to set the stage for bioterrorism, an assault on our power grids, our democracies, our transportation systems, our drinking water. A decade ago, such predictions were dismissed as overly alarmist. Indeed, too many cybersecurity companies used the threat of a calamitous attack, a “Cyber Pearl Harbor” or “Cyber 9/11”, to market products that never quite succeeded in keeping hackers at bay. But the analogies to Pearl Harbor and 9/11 were problematic for another reason. In those two attacks, we never saw the planes coming; but we have seen the cyber equivalent approaching for more than a decade. The focus on planes and bombs is also a distraction from the predicament we already find ourselves in here in the West, where our power grids, hospitals, intellectual property, universities, elections and water supplies have already been infiltrated by hackers. We may not have seen the digital equivalent of a Pearl Harbor but, with each passing day, we inch dangerously closer. The world is simply waiting for the appropriate geopolitical trigger.

I’ve spent years digging into this predicament. What I have discovered is worse than I could have conceived. I have discovered that our governments, charged with keeping civilians secure, are leaving us more unsafe. In the most tangible form, I learnt that governments in the US and UK – and, increasingly, regimes with far less red tape and abysmal human rights records – have paid hackers to dig for secret vulnerabilities in popular software and never tell a soul. These secret vulnerabilities form the raw material for cyber-weapons; they are dubbed “zero days” because, once discovered, companies such as Microsoft, Apple and Google have had zero days to patch them. This demand for “zero days” constitutes a new arms race; they are traded between governments, mercenaries and hackers. Those who own them are able not only to spy on our communications, but increasingly to hijack critical infrastructure.

Speed, cybersecurity experts have long said, is the natural enemy of security. And early last year, the world began virtualising its business, manufacturing, finance, education and government at an ever-increasing rate. Use of tools such as Zoom, Slack and Microsoft Teams surged between January and April, a period that likewise saw a 630 per cent surge in cyber-attacks.

Many of those attacks were the work of cybercriminals who seized on new work-from-home dynamics and a sudden urgency in business transactions to reap a profit. Data had migrated from corporate networks, where dedicated IT staff monitor for intrusions and regularly patch buggy software, to the cloud, employees’ personal phones and computers – ripe targets for hackers.

Cyber-criminals seized on the need for a dispersed workforce to access employer systems and data remotely. In a series of extortion attacks they threatened to deluge victims with web traffic, cutting off customers’ and employees’ access to their online services, in exchange for a hefty payment. Among the more high-profile targets was Travelex, the British foreign exchange company. In some cases, these cyber-criminals demanded 20 bitcoin – more than $1m at today’s rates – to leave them alone. And when victims refused to pay, hackers turned up the pressure, increasing ransom demands by 10 bitcoin each day.

Ransomware attacks became our new norm. Schools, electricity and energy companies, retailers and – perhaps most distressing of all – hospitals found their systems and data held hostage at dizzying speeds. During the pandemic, cyber-criminals cut the time it took from their initial entry to holding an entire organisation’s network for ransom to less than 45 minutes. The attacks up-ended the lives of doctors, nurses and patients across the UK and the US and became their own kind of pandemic, as Russian cyber-criminals shut down clinical trials and treatment studies for a coronavirus vaccine and held hostage Universal Health Services, a major hospital chain with more than 400 locations across the US and UK.

In New England, healthcare workers at the University of Vermont Medical Centre found that they could not give cancer patients chemotherapy infusions because the hospital’s medical record system had been wiped out. Some tried to recall complicated chemotherapy protocols from memory. Nurses described the situation as “dire”. One compared the attack to working in the burns unit of a hospital after the Boston marathon bombing.

The attacks on hospitals and healthcare organisations became so frequent that in May, the UK’s National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency (CISA) jointly warned the sector that the attacks had become so unyielding – the culprit was stolen passwords – that there was only so much government officials could do. “We can’t do this alone,” warned Paul Chichester, the NCSC’s director of operations.

By July, these attacks were no longer the work of cyber-criminals with stolen passwords. That month, Chichester again sounded the alarm after hackers, believed to be Russian, were caught using never-before-seen bespoke tools to break into the organisations leading vaccine research and development in the UK, Canada and the US. He described these as “despicable attacks against those doing vital work to combat the pandemic”.

Over that same period, China also emerged as one of the most prolific hackers of vaccine research and development. Last May, the FBI and CISA jointly accused Chinese hackers of “attempting to identify and illicitly obtain valuable intellectual property and public health data related to vaccines, treatments and testing from networks and personnel associated with Covid-19 related research”. It wasn’t just the US that Beijing’s hackers targeted but institutions in Vietnam, Mongolia, Taiwan and the Philippines, in attempts to get a hold on its own pandemic.

The World Health Organisation reported a 500 per cent increase in cyber-attacks by April. They came from all over the globe, including China but also Iran, where hackers were caught trying to break into the personal accounts of WHO staffers. In North Korea, the country’s most well-known hacking unit was caught targeting cryptocurrency exchanges to generate badly needed cash, and aimed its attacks at six countries – the UK, Singapore, the US, Japan, South Korea, India – that had announced financial support for businesses reeling from coronavirus restrictions.

But the virus also saw the emergence of state hackers that rarely make headlines. In Pakistan, a group of state-sponsored hackers used the pandemic to break into India’s defence agencies and embassies. In India, a patchwork of state-backed hackers were caught using Covid-themed phishing emails to target Chinese organisations in Wuhan. That attack, and a perilous standoff between Indian and Chinese soldiers on their mountainous border, triggered a swarm of attacks by Chinese hackers on India’s IT and banking infrastructure. Over a period of just five days, Indian police said that Chinese operatives mounted more than 40,300 cyber-attacks.

In Syria, hackers affiliated with the Syrian Electronic Army used Covid-19 themed emails and texts to entice victims in the Middle East to download mobile spyware. And in Nigeria, scammers used the pandemic to target unemployment insurance programs in a massive fraud that made off with as much as $100m from six US states.

But the damage from those attacks pales in comparison to the incalculable damage from Russian hacks, only recently discovered in the US and France, on software supply chains. The US is now unwinding a breach of some of its most critical government agencies, only detected after FireEye, a cybersecurity company, discovered that it was hacked last December. Only in dissecting its own attack did FireEye learn that the hackers – suspected members of Russia’s intelligence – came in through SolarWinds, a huge US software company, and had made their way into 18,000 SolarWinds clients, including Britain’s National Health Service and more than 400 of America’s largest corporations and electricity companies. But it appears the primary target was nine US government agencies. The goal, it appears, was espionage, in an attack that compromised the US Department of Energy, including its nuclear labs, the treasury, commerce, state and justice departments, as well as parts of the Pentagon and the Department of Homeland Security, the very agency charged with keeping Americans safe.

Last month we learnt that the US was not alone. Russian hackers targeted the French software firm Centreon, also in a supply-chain attack, to compromise clients including Airbus, Air France, Thales, ArcelorMittal (the world’s leading steel and mining conglomerate), telecom giant Orange, and Électricité de France, the world’s biggest maker of nuclear energy. That attack is believed to have started as far back as 2017 and is eerily similar to the attack on SolarWinds, but different in one disturbing way.

Russia’s SVR intelligence agency is the leading suspect in the attack on SolarWinds. That group, which was previously responsible for an attack on the White House and the US State Department, is known as a quiet prowler, and its attacks are designed primarily for espionage.

The same is not true for the Russian actor behind the attack on Centreon. That incursion, officials say, was the work of a disparate group of Russian hackers known as Sandworm, which operates on behalf of Russia’s military intelligence unit, the GRU. Sandworm is known for its destructive attacks, particularly in Ukraine, where it cut power to Ukrainians in the dead of winter, first in 2015 and again a year later in Kiev. Then in 2017 came the NotPetya attack, which decimated data at Ukraine’s government agencies and railways, and made it impossible for Ukrainians to take cash out of ATMs and pay for petrol at the pump. That attack also boomeranged out of Ukraine, hitting any business that had so much as a single employee in the country. It wiped data at the pharmaceutical companies Merck and Pfizer, FedEx, and shipping giant Maersk – and, most chilling of all, took out the radiation monitors at the old Chernobyl nuclear site.

Officials believe and hope that the attacks related to SolarWinds and Centreon were designed for espionage rather than destruction – but they are not ruling out the latter. The same accesses Russia already has could, with a few clicks, be used to wipe or manipulate data, or turn off the lights. Its hackers can and have used those same access points for devastation. It could be months, years even, before officials and private investigators can confidently say they have identified every last victim, discovered every last Russian back door. In the meantime they have to assume every network, every communication channel they use is untrustworthy.

Working our way back from the brink will entail difficult choices. It will be costly. In the US, President Biden squeezed $2bn in new cybersecurity funding into his Covid-19 recovery bill, which passed last week. But those funds – which fall well short of the $10bn Biden had first proposed – will only work if they are deployed efficiently, if governments can recruit individuals with the skills necessary to take stock of our digital inventory, our software supply chains, our electrical grids, our hospitals; if businesses adopt security by design instead of rolling out vulnerable software and updates to cars, planes, nuclear reactors, the grid; if individuals recognise their own role in our collective cyber predicament and deploy better password management, switch on multi-factor authentication, run their software updates, and stop clicking on links and attachments that give hackers entry to everything they touch with a mouse. If our schools and companies adopt a culture of security awareness and training, and if we trade some of the conveniences we now take for granted for better security.

As I write these final words, I am still sheltering. The cyber-attacks have become so prolific that, from my quarantined perch, I have lost track. I am watching the world ask the same questions – Why weren’t we better prepared? Why didn’t we have enough testing? Better warning systems? A recovery plan? Why did we leave ourselves so vulnerable? – knowing full well that these same questions apply to the cyber industry too.

I am crossing my fingers that the next big cyber-attack won’t occur until this pandemic has passed – and that when it does hit, we will be better prepared. But finger-crossing has never taken us very far. It is time to act.
