Assistant Defence Minister sounds alarm on cyber attacks
March 25, 2021
In today’s Australian, Assistant Defence Minister Andrew Hastie has taken up the call, in an article titled Cyber war puts business at risk of costly attack, that Australian businesses are at risk of being the subject of a cyber attack. The context of this call is the continuing exploitation of Microsoft Exchange zero-day vulnerabilities, which is causing real problems for businesses worldwide and leading to some spectacular ransomware attacks. The article is a rewarming of issues and incidents that are well known and ongoing.
The article provides:
Assistant Defence Minister Andrew Hastie has warned “many Australian businesses” are at high risk of having their operations disrupted and data stolen amid a wave of malicious state-sponsored and criminal cyber attacks targeting hospitals, parliaments and companies.
Mr Hastie, who has responsibility for cyber security under the Defence portfolio, has urged businesses not to leave the “door open for criminals to exploit their computer systems”.
Ransomware attacks in Australia, many of which have been linked to Chinese state-sponsored actors, have in recent weeks targeted the West Australian parliament and one of Victoria’s largest hospital operators.
The Australian understands that cyber attacks using the Microsoft Exchange vulnerability have increased in recent days, with the Australian Cyber Security Centre now listing the threat as “high”.
The government is concerned Australian businesses and individuals are vulnerable to being exploited or held to ransom because they have not updated their systems. Small businesses that cannot afford to have dedicated IT support have been identified as being most at risk.
The notorious REvil ransomware gang this week demanded a record $50m ransom after attacking the Microsoft Exchange server of Taiwanese computer manufacturer Acer. Hackers are also targeting Microsoft Exchange servers by deploying DearCry ransomware on victims’ systems, encrypting their computers and holding data for ransom.
Mr Hastie, a former chair of the parliamentary joint committee on intelligence and security, said it was critical for all businesses using Microsoft Exchange to install security patches and “move fast to shut this potential threat down”.
“There are many Australian businesses now at risk of having their business disrupted and their data stolen and ransomed by cyber criminals,” he told The Australian.
“My first priority is to keep Australians safe in both the physical world and online, and to do this I need everyone to listen to these warnings and follow the advice of the ACSC and strengthen our cyber defences.”
Mr Hastie said exploitation of vulnerable businesses could be “enormous for them and for the Australian economy”.
Microsoft’s Threat Intelligence Centre earlier this month attributed the attacks on its software to HAFNIUM, a “group assessed to be state-sponsored and operating out of China”.
The WA parliament incident, where its email network was hit by hackers in the middle of the state election campaign, has also been linked to Chinese actors. And Melbourne-based Eastern Health on Monday confirmed a number of its IT systems remained offline following a significant ransomware incident last week, which forced elective surgeries to be postponed at its Box Hill, Maroondah, Healesville and Angliss hospitals.
A Morrison government spokeswoman said it was aware of Microsoft’s attribution and that was “their call to make”.
“Cyber security is nation agnostic, and Australians and businesses should be alert to vulnerabilities. Our focus is on the businesses that may now be at risk of financial blackmail from malicious cyber actors,” the spokeswoman said.
Cyber Security Co-operative Research Centre chief executive Rachael Falk, who sits on the Cyber Security Industry Advisory Committee established by Home Affairs Minister Peter Dutton, said ransomware was evolving and becoming more sinister.
“We’re no longer just talking about ransom — we’re talking about extortion. These criminals can sit in networks for months undetected, all the while stealing data. Then, when systems are locked up, they use this exfiltrated data as a bargaining chip,” Ms Falk said.
She said ransomware was a key threat because of the minimal technical expertise needed to carry out attacks.
“This is cyber crime as a commodity. Ransomware can now be bought off the dark web and gangs are selling their services.
“It is a business — and a very lucrative one,” she said.
The ACSC, which falls under the Australian Signals Directorate, has identified “extensive targeting” by malicious actors exploiting vulnerabilities via compromised Microsoft Exchange servers. It has listed the threat as “high” and warned a large number of organisations had not patched their vulnerable versions of the Microsoft Exchange servers.
Australian Security Intelligence Organisation director-general Mike Burgess last week told The Weekend Australian the threat of nation-state espionage and foreign interference due to escalating regional tensions was on track to supplant terrorism as the greatest domestic security threat by 2025.
Mr Burgess warned that an emerging threat to Australia was the pre-planting of undetected malicious software into critical infrastructure that could be activated at a later date to cripple power grids, phone networks, water supplies and vital defence assets.
The problem is far from novel, and political figures have made periodic statements about it over the years. The solution is lifting standards through proper regulation and vigorous enforcement. That is happening more effectively in Europe and the United States than in Australia. Here the legislation has limited coverage, extensive exemptions and less extensive powers for the regulator. What makes an unacceptable situation much worse is the timidity and ineffectiveness of the Information Commissioner. The office barely uses the powers it has, so without a change of attitude within the organisation more powers do not translate into more effective regulation. That said, there is much to criticise the Government for in its failure to deliver on its long-promised and significantly delayed regime of new and increased penalties for data breaches. The article Govt drops ball on data breach penalty reform is quite scathing about the delays. Unfortunately the development of proper privacy and data protection laws in Australia has been a story of delay, minimal response and inadequate legislation, which requires more legislation, which comes with more delay and minimal responses. And so on.
The article provides:
Two years after promising “tough” new penalties for data breaches, the government is still yet to actually introduce the reforms, despite acknowledging at the time that the current scheme “falls short”.
In March 2019, Attorney-General Christian Porter and then-Communications Minister Mitch Fifield unveiled a new penalty regime under the Privacy Act, in the wake of the Facebook and Cambridge Analytica data scandal.
The government said it would increase the current maximum penalty for a data breach from $2.1 million to $10 million, or 10 per cent of the company’s annual domestic turnover.
The reforms would also see the Office of the Australian Information Commissioner (OAIC) with new infringement notice powers with new penalties of up to $63,000 for companies and $12,600 for individuals who fail to assist to resolve a breach.
A spokesperson for the Attorney-General’s department said draft legislation for the reforms would be released for consultation in May, after it was initially promised in the second half of 2019.
In Senate Estimates on Tuesday, representatives from the Attorney-General’s department said this delay was due to the focus on COVIDSafe and “other priorities”.
This is despite the draft legislation being promised well before the onset of the COVID-19 pandemic.
At the time, the federal government said that the “existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations”. These protections and penalties are still in place now, two years later.
Shadow assistant minister for cybersecurity Tim Watts criticised the delay, pointing to the fact the OAIC is still yet to seek a financial penalty for a data breach under the current scheme.
“In typical Morrison government fashion, despite tough talk and media fanfare these reforms were announced but never delivered,” Mr Watts said.
“The Attorney-General has acknowledged the problem but two years on has failed to get on with the job of making the necessary changes.”
At a Senate Estimates hearing on Tuesday night, Attorney-General’s deputy secretary Sarah Chidgey said the legislation had now been “substantially” drafted ahead of its release in the coming months.
“The team that works on the legislation and the Privacy Act review has also dealt with other priorities, for example the COVIDSafe legislation. That took quite a significant effort to deal with some of those issues,” Ms Chidgey told the Senators.
The department is undertaking a significant review of the Privacy Act following the competition watchdog’s digital platforms inquiry. The review was launched in late 2019. Submissions to this review have been used to inform the data breach penalties legislation, the department said.
The final report from this review is expected to be handed to the government by October.
Australian Information Commissioner Angelene Falk said she would welcome the increase in her powers to match those of the Australian Competition and Consumer Commission, and in the European Union’s General Data Protection Regulation (GDPR).
“It’s fair to say that the GDPR does contain additional rights and obligations and it’s to that end that I’ve made a submission to the government’s review of the Privacy Act and made some recommendations that we ought to consider some of those international developments,” Ms Falk said at Estimates.
“I welcome changes and improvements to the regulatory toolkit that I currently have and I’m looking forward to the legislation that goes to these matters and the progress of the review that more broadly is being conducted by the department.”