Australia under state-based cyber attack

Prime Minister Scott Morrison has announced that Australia is under mass cyber-attack from a foreign state targeting all levels of government, industry and business. The attacks are not new but have been increasing in frequency over recent months.

"Australian organisations are currently being targeted by a sophisticated state-based cyber actor," he told journalists.

"This activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure. We know it's a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used.

Australian Strategic Policy Institute executive director Peter Jennings told The Australian newspaper it was “very clear” that China was behind the cyber attack on Australia, and that Prime Minister Scott Morrison was calling Beijing out.

Senator Linda Reynolds, Minister for Adefence, said, "There is no doubt that malicious cyber activity is increasing in frequency, scale, in sophistication and also in its impact.

"Today, the Australian Cyber Security Centre and the Department of Home Affairs have published a very detailed technical advisory which is available at Now, this advisory provides all the necessary steps that Australian organisations must take to detect and also to mitigate these threats."

The Australian Cyber Security Centre (ASC) issued an advisory overnight listing  tactics, techniques and procedures used to target multiple Australian networks.

It notes, "The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

"The title ‘Copy-paste compromises’ is derived from the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.

"The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.

"The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. "The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations."