[BreachExchange] Government computer networks breached in cyber attacks as experts warn of espionage threat

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 29 19:57:48 EDT 2016


http://www.abc.net.au/news/2016-08-29/chinese-hackers-behind-defence-austrade-security-breaches/7790166

Sensitive Australian Government and corporate computer networks — including
those holding highly confidential plans for a privately financed
geostationary communications satellite — have been penetrated by
sophisticated cyber attacks, a Four Corners investigation has established.

Austrade and the Defence Department's elite research division, now named
the Defence Science Technology Group, both suffered significant cyber
infiltrations in the past five years by hackers based in China.

Intelligence sources say they suspect the attackers in these cases were
sponsored by Beijing.

Four Corners has also confirmed Newsat Ltd, an Australian satellite company
whose assets were sold off last year after the company went into
administration, was so comprehensively infiltrated three years ago that its
entire network had to be rebuilt in secret.

But these incidents, revealed for the first time, are only a fraction of
the cyber attacks being waged against Australian governments and companies.

The Prime Minister's cyber security adviser, Alastair MacGibbon, told the
program the Australian Government was "attacked on a daily basis".

"We don't talk about all the breaches that occur," he said.

Former Central Intelligence Agency boss Michael Hayden, who also served for
six years as the head of the US electronic spying division, the National
Security Agency (NSA), said both Australia and the US had to harden up
their defences and "protect their data" from foreign cyber attacks.

"What my dad told me when I came home beat up from a fight once when I was
about 10 years old: 'Quit crying, act like a man and defend yourself.'"

A spokesman for the Chinese Embassy in Canberra denied China had conducted
any cyber espionage against Australian interests, calling such allegations
"totally groundless" and "false cliches".

"Like other countries, China suffers from serious cyber attacks and is one
of the major victims of hacking attacks in the world," he said.

Defence assets may have been target in BoM hack

Four Corners has also been given fresh details about the high-profile hack
of the Bureau of Meteorology (BoM), which was officially confirmed by Mr
Turnbull earlier this year.

Government and industry sources said the true targets for the cyber attack
may have been defence assets linked to the BoM and its vast data-collection
capabilities.

One was the Australian Geospatial-Intelligence Organisation, an
intelligence agency within the Department of Defence which provides highly
detailed mapping information for military and espionage purposes.

The other was the Jindalee Operational Radar Network (JORN), a high-tech
over-the-horizon radar run by the Royal Australian Air Force.

JORN provides 24-hour military surveillance of the northern and western
approaches to Australia but also assists in civilian weather forecasting.

Four Corners was told the cyber attack failed to reach into these networks,
and that it was "sandboxed", or contained within the BoM.

Intelligence sources confirmed the attack was attributed to China, which
was again denied by Beijing.

Mr MacGibbon said he did not know what the intention was of the people who
compromised the system.

"I would say to you that people who compromise systems will usually try to
find a way to move laterally through it. If that means through a third
party that's what they'll try to do," he said.

The Australian Signals Directorate (ASD) has conducted detailed
investigations into the cyber intrusion, but its boss, Dr Paul Taloni,
declined to comment.

A former high-ranking intelligence officer told Four Corners the Defence
Department itself had significant, unresolved, cyber-security issues and
had "to look at itself".

He confirmed that in about 2011 the Defence Science Technology Organisation
had been successfully hacked by China-sponsored hackers, but declined to
provide any further details citing national security concerns.

A spokesman for the Defence Science Technology Group said: "Defence policy
is to not comment on matters of national security."

Sensitive information 'stolen for profit'

Mr Hayden said, however, China's efforts against Australia had been
primarily focused on "the theft of information, and really by and large the
theft of information for commercial profit", activities which he said go
beyond acceptable state-on-state espionage.

The Newsat attack by China-based hackers may be a case in point.

"Given we were up against China, state-sponsored, a lot of money behind
them and a lot of resources and we were only a very small IT team, it
certainly wasn't a fair fight for us," Newsat's former IT manager Daryl
Peter said.

While the company carried communications for resources and fossil fuel
companies, as well as the US military's campaign in Afghanistan, Mr Peter
said the real target for the cyber infiltration was its plans for a
Lockheed Martin-designed satellite dubbed Jabiru-1.

"A company like Lockheed Martin, they have restrictions on the countries
where they can build their satellites," he said.

"So a country like China being able to get a hold of confidential design
plans would be very beneficial for them because it's not something they
would see or be able to have access to."

Mr Peter was first told about the hack of the company in 2013 at a
top-level meeting with ASD. The issue had come to a head because of
Newsat's advanced plans to employ, with the new satellite, a restricted
encryption tool designed by the US Government's NSA.

ASD refused to release the tool to Newsat until it tackled the
sophisticated cyber intrusion, with intelligence officials telling the
company its networks were "the most corrupted" they had seen.

"They actually said to us that we were the worst," Mr Peter said.

"What came out of that meeting was we had a serious breach on our network
and it wasn't just for a small period of time, they'd been inside our
network for a long period, so maybe about two years. And the way it was
described to us was they are so deep inside our network it's like we had
someone sitting over our shoulder for anything we did."

To rid the network of the infestation, Mr Peter had to build a parallel
network in secret so as to not tip off the hackers that had been identified.

That work took almost a year and cost the better part of $1 million.

Mr MacGibbon said the revelations were no surprise.

"I can't say which particular nation state would get involved in getting
into a telecommunications system but I can understand why a nation state
would," he said.

"If you wanted to listen to someone's communications that's probably a good
place to start."

Austrade regularly challenged by security issues

Australia's trade and investment commission, Austrade, has had persistent
problems with cyber security, Four Corners has learned.

The discovery of a major infestation in the Austrade network was made
during work that began in 2013 within the department to develop a new data
centre and a redesigned IT infrastructure.

In March 2014, the agency's cyber security regime underwent an ASD-designed
security assessment required because Austrade not only carries sensitive
communications but works closely with the Department of Foreign Affairs and
Trade.

An intelligence community figure said the tests resulted in a "series of
red flags". He said the infiltration was "covering the network".

Austrade brought in UXC Saltbush, a cyber security contractor, to
investigate its networks and put mitigation works in place to prevent
future breaches.

A former high-ranking intelligence official said the Austrade breach
followed a previous problem in 2011, which was a textbook example of a
"successful [and] deeper penetration".

Jim Dickins, an Austrade spokesman, said the organisation "faces ongoing
and fluid challenges to its information technology security".

"Austrade has worked with the Australian Signals Directorate on occasion to
contain and eradicate threats but is unable to comment on specific
instances. Mitigation strategies developed on those occasions are applied
on an ongoing basis."

The intelligence community figure said the problems had still not been
entirely addressed because of the high cost of a comprehensive network-wide
security upgrade, but Mr Dickins denied there were any "significant"
persistent issues.

A third intelligence source told Four Corners that "Austrade is inherently
vulnerable" because of its international footprint and reliance on
locally-employed staff.

"People are getting breached all the time," he said.