I’m sitting at the kitchen table, staring at my laptop screen and watching red dots pulse on a map of the world.
Each represents a cyber attack under way on one of 12 strategically placed “honeypots”, though not the kind Winnie the Pooh would seek out. The attackers are being lured by online sensors rigged to look like computers loaded with the kind of information a cyber criminal might go after. Because no legitimate user has any reason to touch a honeypot, every connection it receives can be treated as hostile and logged.
As I watch, one or two red dots become 10, then 20, 30, until I lose count. At the bottom of the screen a list of attempted “new attacks” grows longer: Ireland to Australia, China to Australia, Russia to Australia. The country shown is simply where the connecting machine sits, which, as we will see, says little about who is actually behind it.
Behind every one of these throbbing red dots sits a cyber criminal — maybe someone hidden in plain sight, perhaps stationed at his or her own kitchen table just down the road from me.
Or, the dot could represent a team of cyber criminals concealed in a high-security office building anywhere in the world, launching attacks on another country’s information systems on behalf of a nation state.
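To make the sensors described above concrete, here is an added example of a minimal honeypot listener. It is not the software behind the map on my screen, whose design I do not know, and it is not code from any product named in this article. It impersonates three common services with a believable first banner, records the first bytes each visitor sends, labels what they were probing for, and flags the first time each source address appears, which is the “new attacks” list a dashboard would plot. The ports, banners, field names and the sample probe bytes used to exercise it are all my own assumptions.

```python
"""Minimal TCP honeypot sensor (added example, not from the article).

A honeypot runs no real service, so every connection is an event worth
recording. This sensor listens on a few ports, presents a believable
banner, captures the first bytes the client sends, and keeps a log that
a dashboard could plot. Ports, banners and field names are assumptions.
"""
import asyncio
import datetime

# Ports to impersonate and the banner the genuine service would send first.
# (Binding ports below 1024 needs root; pick high ports to test unprivileged.)
BANNERS = {
    22: b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1\r\n",
    23: b"login: ",
    80: b"",  # an HTTP server waits for the request, so it says nothing first
}


def classify_probe(port, data):
    """Label what the client was trying to do from its first bytes."""
    if not data:
        return "connect-only-scan"          # port sweep, no payload
    if data.startswith(b"SSH-"):
        return "ssh-handshake"              # client version banner
    if data.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"OPTIONS", b"PUT"}:
        return "http-request"
    if data[:1] == b"\x16" and data[1:2] == b"\x03":
        return "tls-clienthello"            # TLS record type 0x16, major 0x03
    if port == 23 and data.strip():
        return "telnet-login-attempt"
    return "unknown"


class SensorLog:
    """In-memory event store; a real deployment would ship these off-host."""

    def __init__(self):
        self.events = []
        self.seen = set()

    def record(self, src_ip, port, data, when=None):
        when = when or datetime.datetime.now(datetime.timezone.utc)
        event = {
            "time": when.isoformat(),
            "src": src_ip,
            "port": port,
            "kind": classify_probe(port, data),
            "new_source": src_ip not in self.seen,  # first sighting of this IP
            "sample": data[:64].hex(),              # keep evidence, bounded
        }
        self.seen.add(src_ip)
        self.events.append(event)
        return event

    def new_attacks(self):
        """Events that introduced a source not seen before (the 'new attacks' list)."""
        return [e for e in self.events if e["new_source"]]


async def handle(reader, writer, port, log):
    peer = writer.get_extra_info("peername")
    src_ip = peer[0] if peer else "unknown"
    writer.write(BANNERS[port])
    await writer.drain()
    try:
        data = await asyncio.wait_for(reader.read(512), timeout=5)
    except asyncio.TimeoutError:
        data = b""
    event = log.record(src_ip, port, data)
    flag = " NEW" if event["new_source"] else ""
    print(f"{event['time']} {src_ip} -> :{port} {event['kind']}{flag}")
    writer.close()


async def run_sensor(log, host="0.0.0.0", ports=BANNERS):
    servers = [
        await asyncio.start_server(lambda r, w, p=p: handle(r, w, p, log), host, p)
        for p in ports
    ]
    await asyncio.gather(*(s.serve_forever() for s in servers))


if __name__ == "__main__":
    asyncio.run(run_sensor(SensorLog()))
```

Note what the sensor does not do: it never tries to identify the person behind a connection. It records an address, a port and a few bytes, which is exactly why the map can show where a probe came from but not who sent it.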
But who are these people? Who is directing them? What are they after? And most important of all — how can they be stopped?
The ‘three Ds’ of cyber crime
Questions like these have been asked more urgently since Prime Minister Scott Morrison announced that a “sophisticated state-based cyber actor” had launched attacks earlier this month on “all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure”.
Craig Valli, who left a teaching career 20 years ago for academia and is now Professor of Digital Forensics at Perth’s Edith Cowan University, has many of the answers.
It is a complex world that he explains with the sort of patience and relatability learnt from time corralling kids in a classroom.
“What we are experiencing is the three Ds of cyber-crime. Cyber criminals are attempting to Disrupt, Deny and Destroy our systems.” he says. “As Australians we have to wake up to the fact that this is happening every day and it’s like manure. Sometimes the only thing that varies is the depth and the stench.”
When Morrison dramatically announced the large-scale cyber-attack it was because “the depth and the stench from certain parts of the world had suddenly gone way up,” says Valli. “There was a large spike from all parts of the world but specifically China and some from Russia. We are experiencing a hot war in cyberspace for supremacy.”
But the PM’s concern was also due to the capabilities of the likely culprit.
The malware suspected to have been used in the attacks is known as Aria-body, a backdoor attributed to a Chinese hacking group called Naikon, the same group that attempted to access the office of WA Premier Mark McGowan in January. Aria-body hands control of an infected computer to the attacker: it can read and copy files, use the victim's email and record what is being typed in real time.
Why China can’t be named
Yet it was widely noted that the PM was careful not to name China as the key perpetrator of these attacks, despite widespread assumptions.
Valli says the move was prudent.
“One of the biggest issues we have in cyberspace is attribution,” he says.
“To actually put the cyber criminal at the console, with the mouse, directing the attack is very hard to do. From a legal point of view there’s no point naming them.
“Part of the reason why nation states want to use this as a vector is because it’s tightly cohesive and eminently, plausibly, deniable.”
Who are the hackers?
The reality is that these kinds of attacks are going on constantly. “Today 3.5 billion people will access the internet. That’s half the world’s population,” Valli says. Even if your “digital hygiene” ensured 99.9 per cent of those people were harmless “that leaves a lot of really nasty people that are trying to come after you”.
So who are these bad guys?
Cyber criminals come in two forms these days.
First is the lone actor, a bit like a Japanese “ronin” or a bounty hunter, Valli says, who scours the dark web for paid opportunities.
“There are markets for illegal arms and it’s the same for cyber information,” he says. “A message on the dark web might offer a bounty and it might say if you find us this or that piece of information and it validates, we will give you US$1 million in diamonds, cash, drugs, whatever you want.”
But beyond these lone rangers, cyber espionage is increasingly being linked to named groups. Known as Advanced Persistent Threats, or APTs, these groups have links to specific nations. One of those nations is China.
Dozens of recently active groups have connections to different arms of the Chinese government, including the military and the state security apparatus. They go by names like APT10, linked to the Chinese Ministry of State Security, APT41 and, importantly for Australia, the Naikon APT group, which researchers have tied to PLA Unit 78020 and which has tight links to the Chinese military.
“The targeted government entities include ministries of foreign affairs, science and technology ministries, as well as government-owned companies,” researchers from the cyber security company Check Point wrote in a report on the group, whose activity was first publicly documented in 2015 by other security firms, including ThreatConnect.
“Interestingly, the group has been observed expanding its footholds on the various governments within [Asia Pacific] by launching attacks from one government entity that has already been breached, to try and infect another.”
Why attack Australia and what do they want?
Groups like Naikon APT are not after your credit card number.
As soon as you mention cyber-crime “people go for their wallets”, says Valli. And sure, some of the bounty hunters out there want to take small sums from thousands of credit cards and make a killing. There are also cyber criminals who will dump ransomware on a computer and destroy a small-to-medium-sized company unless they pay up.
But the kind of cyber espionage Morrison flagged is what SPECTRE was to James Bond back in the day, with fewer martinis.
“I would speculate that the attacks could be a nation state flexing its muscles but instead of a display of military force it will use cyber force,” Valli says, but he stops short of naming China as the culprit.
Let’s not be coy — China is not the only country undertaking cyber espionage against other nations. There’s unlikely to be a single country in the world that’s not using the internet as a tool in modern-day spycraft, and that includes Australia.
But Tom Uren from the Australian Strategic Policy Institute says China’s tendency to use these strategies to steal business secrets, not just the state secrets that are the stock-in-trade of a spy, leads to what he calls a “scope mismatch”.
This is a particular concern at the moment with COVID-19 related research emerging as a key target for Chinese cyber spies.
“Think about this,” he says. “We invest hundreds of millions in private industry, government academia and research. Then one second to midnight before the breakthrough — along comes (the cyber criminal)…and steals that IP.”
Uren says word in cyber circles is that the recent attacks on Australia were broad and shallow — implying a generalised sweep that aimed to pick up as much information as possible as fast as possible.
The list of companies and organisations suffering data breaches in 2020 alone is vast — ranging from the Australian Department of Defence and Service NSW to Optus and Zoom.
Can they be stopped?
The problem for the average Aussie who checks an email account or posts on social media is that they become collateral damage in the cyber spy’s search for information.
“A lot of people say ‘why me’ when they are hacked. But they are not after [you],” says Valli. “They are after your trust relationships with someone higher up. They use you as a pivot point to leapfrog through the system with relative impunity.”
With patience, the random hack of someone’s email account can lead to contacts and passwords that could deliver access to an entire company’s network or — in the case of the recent attack on Australia — access into the heart of Government and key infrastructure.
Attacks are launched in ways that are now familiar to most Australians: an email phishing for a login and password, an email attachment loaded with malware, or theft of session cookies and other saved login data, which lets an attacker walk into an account without ever needing the password.
And with essential infrastructure, from medical equipment to transport and sewerage systems, increasingly automated and network-connected, it doesn’t require much imagination to see how a clever cyber attack could kill thousands or disable an entire city.
“Disrupting or destroying a really critical system is not something we’re likely to see unless we are close to some sort of imminent conflict,” says Uren. “But it’s a genuine concern.”
Valli agrees: “These days disabling a power plant by dropping a bomb is a bit unimaginative.”
It is also striking how few people are required to inflict the kind of damage that would previously have taken entire armies.
“A team of 30 to 50 good people, a couple of good leaders, [can] cause disruption and mayhem on the internet at the state level,” says Valli.
Speed is also a factor he says, citing the example of a global law firm that lost its entire database across 120,000 computers less than five minutes after a cyber attack was launched.
In the case of the attack on the WA Premier’s office, it is alleged that hackers from the Naikon group gained access to the computer of an Australian diplomat in Indonesia, composed an email and added an attachment carrying the Aria-body malware. The email was sent to an employee in the Department of Premier and Cabinet.
‘We must stop being naive’
Verifying this chain of events is difficult, and China has strongly denied any involvement in cyber attacks or cyber theft.
In the McGowan case, security systems ultimately blocked the email. This delivers a vital, if humdrum, lesson on the way forward: the message came from a genuinely trusted account, so it was the attachment, not the sender, that had to be judged.
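The McGowan chain of events is the point of the following added example, which is not code from the article, from Check Point or from any product mentioned here. Because the mail came from a real, compromised account, a check on who sent it would have passed it through; what can stop it is inspection of the attachment itself. The script triages constructed sample messages for the usual tell-tales of a malicious attachment: blocked or macro-enabled extensions, a double extension, executable bytes under a document name, and a VBA project inside an Office container. Addresses, filenames and message contents are hypothetical, constructed for the example; sender trust is recorded in the verdict but deliberately given no say in the decision.

```python
"""Attachment triage for inbound mail (added example, not from the article).

Sample messages are constructed inline so the script runs offline; all
addresses and filenames are hypothetical.
"""
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should not arrive unsolicited from outside the organisation.
BLOCKED_EXT = {"exe", "scr", "js", "vbs", "hta", "lnk", "iso", "img", "dll"}
# Macro-enabled Office formats, a common vehicle for a first-stage loader.
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm"}
# Document extensions attackers pair with a hidden executable extension.
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MZ_MAGIC = b"MZ"           # Windows PE header
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header; Office 2007+ files are ZIPs


def inspect_attachment(filename, data):
    """Return the reasons an attachment is suspicious (empty list if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXT:
        reasons.append(f"blocked extension .{ext}")
    if ext in MACRO_EXT:
        reasons.append("macro-enabled Office format")
    if len(parts) > 2 and parts[-2] in DOC_EXT:
        reasons.append("double extension hides the real file type")
    if data.startswith(MZ_MAGIC) and ext not in BLOCKED_EXT:
        reasons.append("executable (MZ) content under a non-executable name")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
            if any(n.endswith("vbaproject.bin") for n in names):
                reasons.append("embedded VBA macro project")
            if any(n.rsplit(".", 1)[-1] in BLOCKED_EXT for n in names):
                reasons.append("archive contains an executable")
        except zipfile.BadZipFile:
            reasons.append("malformed ZIP container")
    return reasons


def triage_message(raw, trusted_senders):
    """Decide delivery for a raw RFC 5322 message from its attachments alone."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings += [f"{name}: {r}" for r in inspect_attachment(name, payload)]
    return {
        "from": sender,
        "trusted_sender": sender in trusted_senders,  # recorded, not acted on
        "findings": findings,
        "action": "quarantine" if findings else "deliver",
    }


def build_message(sender, recipient, subject, attachments):
    """Assemble a constructed test message with binary attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content("Please see attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def fake_macro_docx():
    """A minimal ZIP carrying the member that marks a macro-bearing Office file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Hypothetical addresses (reserved .example TLD), constructed for the example.
TRUSTED_SENDERS = {"diplomat@post.example"}
# The article's scenario: a trusted, compromised account sends a macro document.
SAMPLE_TRUSTED_MACRO = build_message(
    "Diplomat <diplomat@post.example>", "staff@dpc.example",
    "Briefing notes", [("briefing.docx", fake_macro_docx())])
# Same trusted sender, a harmless PDF.
SAMPLE_TRUSTED_CLEAN = build_message(
    "Diplomat <diplomat@post.example>", "staff@dpc.example",
    "Agenda", [("agenda.pdf", b"%PDF-1.4\n%%EOF\n")])
# Unknown sender, an executable disguised with a double extension.
SAMPLE_DISGUISED_EXE = build_message(
    "billing@unknown.example", "staff@dpc.example",
    "Invoice", [("invoice.pdf.exe", MZ_MAGIC + b"\x90" * 64)])

if __name__ == "__main__":
    for raw in (SAMPLE_TRUSTED_MACRO, SAMPLE_TRUSTED_CLEAN, SAMPLE_DISGUISED_EXE):
        v = triage_message(raw, TRUSTED_SENDERS)
        trust = "trusted" if v["trusted_sender"] else "untrusted"
        print(f"{v['from']} ({trust}) -> {v['action']} {v['findings']}")
```

Run stand-alone, the first message is quarantined even though its sender is on the trusted list, the second is delivered, and the third is quarantined on two counts. The checks are deliberately cheap and structural; a production gateway would add signature and sandbox analysis, but the design point stands: once an attacker holds a trusted mailbox, trust in the sender is the thing you can no longer rely on.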
Relying on the law to police cyber crime is naive, Valli believes. “Try finding the last person who’s serving a significant sentence for cyber-based crime,” he asks wryly.
Instead, he says, “good people … must stop being naive about their place in cyberspace”.
“Do backups. Apply updates. This will have a huge impact on us as a society,” he says.
Uren agrees: “[Scott Morrison’s] announcement was to send a message about cyber security. It has the same risk profile as a pandemic. [A cyber attack] is likely to happen but we don’t know how bad it will be, when it will come and what it will affect. That’s hard to deal with.”