[Infowarrior] - Aussie Central Bank Discloses Chinese Cyber-Attack

Richard Forno rforno at infowarrior.org
Sun Mar 10 18:00:49 CDT 2013


Cyber-attackers penetrate Reserve Bank networks

http://www.afr.com/p/national/cyber_attackers_penetrate_reserve_FEdCLOI50owRMgI0urEYnK

The Reserve Bank of Australia’s computer networks have been repeatedly and successfully hacked in a series of cyber-attacks to infiltrate sensitive internal information, including by Chinese-developed malicious software.

The RBA is sufficiently concerned about these risks that it has had a private security firm carry out “penetration testing”, or authorised hacking, of its computer networks to assess the integrity of its digital defences.

After investigations by The Australian Financial Review, RBA officials disclosed that the central bank had been infiltrated by a Chinese-developed malicious software, or “malware” spy program that was seeking intelligence on sensitive G20 negotiations.

Multiple computers within the RBA’s network were compromised. The RBA would not comment on what information was stolen, which executives within the bank were targeted, or over what period the assailants had access to its systems.

Asked about the RBA penetration, a Defence department spokesperson said: “The government does not discuss specific cyber incidents, activities or capabilities. [Doing so] could jeopardise ongoing investigations, monitoring of cyber incidents and the ability to protect information and networks.”

The Defence spokesperson did, however, warn that “the targeting of high profile events, such as the G20, by state-sponsored adversaries . . . is a real and persistent threat.” “Cyber intruders are looking for information on . . . the government’s intentions.”

In March 2011, Paris Match revealed, and the French government confirmed, that over 150 computers in its Ministry of Economy and Finances had been hacked for months before the French-hosted G20 summit in February 2011.

Tense negotiations with China

Many confidential government files were then “redirected to Chinese sites”. More than 10,000 state computers needed to be shut down.

The 2011 G20 summit involved tense negotiations with China over the level of its exchange rate, currency reserves and trade surpluses, which North Atlantic officials argue are being manipulated to China’s advantage.

Patrick Pailloux, director-general of the French National Agency for IT Security, said at the time that it was “the first attack of this size and scale against the French state” waged by “a number of professional, determined and persistent hackers”.

Australia’s cyber-spy agency, the Defence Signals Directorate, said “there are many examples of [Australian] entities being targeted due to involvement in high profile events” like the G20.

DSD has disclosed that in October 2011 “an Australian government agency was compromised when a socially engineered email was sent to an agency employee who worked on G20 matters”. “This email pertained to be about G20 matters and appeared to come from the employee’s general manager.”

It is not known whether this attack is related to the RBA incident.

DSD runs Australia’s cyber-espionage units, which includes the multi-agency Cyber Security Operations Centre, and considers itself a digital “poacher” of foreign intelligence and “game-keeper” of domestic assets.

In a second serious incident, the RBA revealed in an unreported Freedom of Information disclosure in December last year that it was subject to a sophisticated cyber-attack in November 2011 that allowed external parties to defeat two different anti-virus programs and install a “trojan” on six RBA computers.

Executable malware application

RBA officials told the Financial Review that DSD was brought in to fix this problem.

In the incident report, in the FoI documents, the RBA said that over two days in November 2011 “highly targeted malicious emails were sent to several Bank staff, including senior management up to head of department”.

The emails used “a possibly legitimate external [email] account . . . legitimate email signature and plausible subject title and content . . . regarding ‘Strategic Planning FY2012’.”

“The malicious payload was found to be a compressed zip file containing an executable malware application [or] trojan which at the time was not detectable by the Bank’s anti virus scanners.”

“The email managed to bypass the existing security controls . . . by being well written, targeted to specific Bank staff and utilised an embedded hyperlink to the virus payload which differs from the usual attack where the virus is attached directly to the email.

“It was found that six users had clicked on the malicious link.”

Officials from the RBA’s Risk Management Unit said: “Bank assets could have been potentially compromised, leading to . . . information loss and reputation [damage].”

Richard Byfield, a former senior Australian defence official with cyber responsibilities and current government adviser, told the Financial Review central banks and listed companies were cyber targets “because they hold so much confidential information that has the potential to move markets”.

At the time of the November 2011 incident, financial markets were undecided about whether the RBA would cut rates for a second month in succession. The RBA’s board surprised some participants with its decision to lower the cash rate on December 6.

Exponential growth in cyber-spying in financial markets

Mr Byfield, who now runs the cyber-security company Datacom TSS, which does penetration-testing for government, said there had been exponential growth in cyber-spying in financial markets. “We’re aware of sophisticated cyber incidents where the primary objective appears to be profiting from securing price-sensitive information,” he said. “These include incidents where listed company CEOs are subject to intensive surveillance to gather intelligence on major deals, business strategy, financials, contracts and future plans.

“Resources companies and investment groups are being electronically targeted for the purposes of acquiring sensitive exploration results and time-sensitive trading data, respectively.”

Australia’s banking system, which national security officials told the Financial Review has some of the best cyber-protections around, is also being assaulted. “We’ve heard of cases where financial institutions have been targeted by what appears to be foreign entities seeking to access highly sensitive information on the financing terms they will be providing in M&A deals,” Mr Byfield said.

In early January the Financial Review revealed that intelligence agencies were deeply concerned about escalating state and non-state cyber offensives, and had been trying to privately warn unaware business bosses of these risks.

cjoye at fairfaxmedia.com.au

---
Just because I'm near the punchbowl doesn't mean I'm also drinking from it.


