Let's talk about some ‘highly sophisticated’ cyber attacks…
News and information from the Advent IM team.
It seems to have become quite popular these days to refer to any attack on infrastructure, especially when it involves Government or Critical Infrastructure, as coming from a ‘sophisticated threat actor’. However, the truth is often that the attack has been facilitated by negligent but accidental internal behaviours, by poor management of the infrastructure itself, or by ransomware infiltration, which strictly speaking isn’t even an attack and in most cases is definitely neither targeted nor overly sophisticated.
The latest use of this rhetoric has been by the Australian PM Scott Morrison, following an increase in ‘targeted and sophisticated state based cyber actor activity’. His justification for this statement was the ‘scale and nature of the targeting and the tradecraft used’. So effectively, if it is large-scale or uses good quality tradecraft it must be a state actor? Hmmm..
Let’s just examine that logic for a moment.
Large-scale attacks have been around now for some time. The weak security of home computers and IoT devices has simply magnified the number of devices, and therefore the amount of computing power, that can be harvested into distributed botnets; one of the more recent and most infamous examples being the Mirai botnet. So, large-scale does not automatically imply a state actor.
Next, the ‘sophisticated nature’ of the targeting and the tradecraft being used. In reality, the increasing sophistication of many open source and free-to-use hacking tools, including improvements in user interfaces and better use of automated scripts, has significantly lowered the barriers to entry into this nefarious activity. In effect, we now live in a world of plug-and-play, point-and-click hacking.
Finally, let us turn our attention to the official statement put out by the Australian Cyber Security Centre (ACSC) on these latest attacks, titled ‘Copy-paste compromises’.
The ACSC says that ‘The title ‘Copy-paste compromises’ is derived from the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.’
The Centre then goes on to say ‘The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.’
So essentially the attacker is using open source and widely distributed attack code and tools, with no personalisation and no attempt to improve the tools to maximise their effectiveness…
And the attacker is exploiting well known, widely documented vulnerabilities for which a fix already exists but has not been applied. A very familiar story.
Are there sophisticated state sponsored actors out there? Undoubtedly.
Is every attack on Government and Critical Infrastructure being carried out by them? Highly unlikely.
By using this lazy language whilst continuing to mismanage our infrastructure and failing to educate our workforce, we risk giving every lazy opportunist out there more credence than they deserve.