Not-China launches cyber attack on Australia

Not-China up to no good again:

The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

The title ‘Copy-paste compromises’ is derived from the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.

The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI.

Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.

The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases.

The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.

When the exploitation of public-facing infrastructure did not succeed, the ACSC has identified the actor utilising various spearphishing techniques. This spearphishing has taken the form of:

  • links to credential harvesting websites
  • emails with links to malicious files, or with the malicious file directly attached
  • links prompting users to grant Office 365 OAuth tokens to the actor
  • use of email tracking services to identify the email opening and lure click-through events.

Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials.

To successfully respond to a related compromise, all accesses must be identified and removed.

In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic.

This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.

During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.

What a marvelous strategic partner the CCP makes.

David Llewellyn-Smith
Latest posts by David Llewellyn-Smith (see all)


  1. tripsterMEMBER

    I am sure that they have also targeted a number of high profile businesses recently. I suspect that the hack of Lion Nathan was done in an effort to weaken it ahead of its possible acquisition by China.

    Toll was hacked during the COVID lock down. That reeks of deliberately trying to disrupt logistics during a period when it was more important than usual.

    Bluescope also suffered a major hack.

  2. I have a brilliant, absolutely foolproof plan.

    Let’s invite 200,000 Chinese citizens susceptible to the influence of the CCP into our country every year to study and live and buy property and invest in our companies.

    And then we’ll close down all of our key manufacturing sectors, and increase imports from China.

    And then we’ll defund our universities and make them reliant on Chinese students.

    All we need to do is keep our mouths shut and behave as compliantly as a small, frightened child.

    And all will be well

    • Absolutely, when will we wake up that 21st century wars don’t need to involve boots on the ground cornering strategic targets. These intrusions are invasions and seizure of sovereign assets. Just because these are digital intrusions and digital assets should not diminish the significance of the malicious intent of a foreign government behind it.

    • Ronin8317MEMBER

      There is no ability to pinpoint where the cyber attack comes from. Anyone who says they ‘traced it to a lab in China’ is simply lying because you can’t traceroute past the ‘Great Firewall of China’ to anything sensitive.

      • PaperRooDogMEMBER

        There are ways to identify possible actors.

        Anyhow whoever is doing this is obviously preparing for some future “action” why else would you spend the time otherwise without trying to extract money etc. That narrows it down to a very small group of suspects.

    • BubbleyMEMBER

      Hey socal, while I agree with your tweet, I always associate being told “wake up Australia” with bored angry white old guys on social media.

      It might just be me, don’t know if anyone else has noticed that on various comment sections.

      • SoCalSurfCreeperMEMBER

        Racism is ok if it’s directed at white males. But yeah ok the phrase irritates you. I can see that. It may be a cliche but you can’t deny it’s appropriate under the circumstances.

  3. You’re missing the dog that didn’t bark here, David.

    Scomo did NOT name China. Why? Because then we’d face more Chinese sanctions. This is a kow-towing exercise, showing weakness, not strength.

  4. After reading that gobbledygook I’d be confident this is an act in the minor league, ACSC engaging in a little hand waving. If there was serious cyber attack it would be order of magnitude impactful.

    Might be China. Might be a false flag. Might be kids in the basement!

    • T-Mobile and several other carriers were down last week, – it was absolutely massive.

      There is some very serious global hacking going on – I very much doubt it is China – they are going to be blamed for everything of course because people have the political horizon of a mole hill. Everything to lose nothing to gain.

      Looking at the things which were taken out – primarily non network things based around actual hardware it looks like a reconfigured Stuxnet variant so very well could be Iran or someone similar – there was a huge response from North Korea as well recently along with their “decommissioning” of the North South liaison office.

      I reckon it was Iran or someone similar in that region flexing a boner over the Israeli annex of the West Bank about to take place – makes the most sense.

      • He’s just hoping that once the great invasion begins he will be able to keep all the property he’s been busy acquiring with funny money fiat.

  5. ‘During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments’

    No, coz it was a warning…….f*ck with us and at any point in time we can get into your systems both Govt and private at the higheset of levels and do whatever we want!!!

    Tread carefully ahead regarding both what you do and what you say, we own you one way or the other!!!

    BTW this happened 2 weeks ago (inside info) and it has taken this long to become MSM info….

    • Don’t believe you.

      This was part of the issue that impacted T-Mobile across the entire US along with several other carriers knocking out voice, data and even messaging for huge sectors of the US just two days ago.

      Its more than likely part of the Israeli annex of the West Bank which is underway and will be the cause of the next hot war.

      Everyone is looking at India, China, even Brazil and Huawei – but its Israel as always were its going to kick off.

      Come to think of it – it was probably Israel, which is their normal method of doing things, attack America, blame someone else, get America distracted – steal land.

  6. Fromi 1st hand experience, there are guys walking around the hallways of some of our biggest, absolutely critical utilities (which are CCP company owned) who can’t speak a lick of English. They aren’t there for a cultural exchange or tea and biscuits. These people are plants.

    When all this gets serious, and I suspect it will, Australia will feel so utterly stupid and defenseless.

  7. Strikes me there is an excellent option available. In the covid world, the government announces that all ports in Australia need to be reviewed and audited for health and safety and that this might involve disruption of shipping and if there are breaches of H&S protocols the ports may need to be temporarily closed to rectify. Then announce that the Ports of Headland and Darwin are first up.

    Then kick back and watch iron ore go to $130/MT. It’s not something that can be repeated in a game but as a one off game, it’d squeeze commodity prices sharply higher, and the signal would be very clear.

Leave a reply

You must be logged in to post a comment. Log in now