Attribution for an attack is notoriously difficult to get right, so the Australian PM is probably wise not to point fingers. One of the trigger words for me when politicians speak about cyber attacks is ‘sophisticated’; the advisory notes that the attacks are using copy/paste code, which doesn’t indicate any higher level of sophistication than a teenager who knows what GitHub is…:
[…] He pointed to a “sophisticated state-based cyber actor” currently targeting Australian organisations, though – like on previous occasions – declined to attribute the cyber activity to any one nation.
“This activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure,” he said.
But Morrison said the “investigations conducted so far have not revealed any large-scale personal data breaches”.
An ACSC advisory [pdf] posted this morning indicates the actor’s “heavy use of proof of concept exploit code, web shells and other tools copied almost identically from open source”.
“The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI,” it said.
“Other vulnerabilities in public facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.”
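As an added illustration (not code from the original post or from the ACSC advisory), the following Python triage helper walks IIS W3C log lines and flags requests to the Telerik UI handlers, the initial access vector the advisory names most often. The log lines are constructed, and the W3C field layout is an assumption; sites that legitimately use the control suite will produce hits, so the output is a list to review, not a verdict.

```python
"""Triage IIS W3C logs for requests to the Telerik UI for ASP.NET AJAX handlers."""
from collections import Counter
from typing import Optional

# Handler endpoints shipped with Telerik UI for ASP.NET AJAX. Traffic to them is
# normal on sites that use the suite, so hits are triage candidates, not alerts.
TELERIK_HANDLERS = (
    "telerik.web.ui.webresource.axd",
    "telerik.web.ui.dialoghandler.aspx",
)

# Assumed field order of the log (IIS W3C extended format, a common default layout).
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "c_ip", "status"]

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-06-19 01:02:03 10.0.0.5 GET /default.aspx - 443 203.0.113.7 200
2020-06-19 01:02:04 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd - 443 203.0.113.7 200
2020-06-19 01:02:05 10.0.0.5 GET /Telerik.Web.UI.DialogHandler.aspx - 443 203.0.113.7 200
2020-06-19 01:03:00 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd - 443 198.51.100.9 200
2020-06-19 01:03:01 10.0.0.5 GET /images/logo.png - 443 198.51.100.9 200
"""


def parse_w3c_line(line: str) -> Optional[dict]:
    """Split one W3C line into a dict; '#' directives and short lines yield None."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_telerik_request(entry: dict) -> bool:
    """True when the request path ends with one of the Telerik handler names."""
    stem = entry["uri_stem"].lower()
    return any(stem.endswith(handler) for handler in TELERIK_HANDLERS)


def triage(lines) -> tuple[list, Counter]:
    """Return the matching entries and a per-client-IP count of handler requests."""
    hits, per_source = [], Counter()
    for line in lines:
        entry = parse_w3c_line(line)
        if entry and is_telerik_request(entry):
            hits.append(entry)
            per_source[entry["c_ip"]] += 1
    return hits, per_source


if __name__ == "__main__":
    matches, sources = triage(SAMPLE_LOG.splitlines())
    for ip, n in sources.most_common():
        print(f"{ip}: {n} Telerik handler request(s)")
```

A real deployment would cross-check the hits against the installed Telerik version and patch state, since the advisory ties the exploitation to unpatched versions.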