China’s actions in the massive Microsoft Exchange email server hack were akin to someone propping open the doors of people’s homes for criminals to enter, the head of Australia’s cyber warfare agency has said.
- Intelligence agencies say China intentionally propped open a door in Microsoft Exchange’s system that allowed criminals to exploit the company
- Agencies warn without more power to intervene during cyber attacks, it is harder for them to prevent additional victims
- They say early information on an attack saved aged care facilities during the COVID-19 pandemic last year
Telltale signs of how the attack was carried out enabled Australia to join an international movement to attribute the internet hack to China, according to the Australian Signals Directorate’s director-general, Rachel Noble.
Ms Noble said there were a number of characteristics about the hack that satisfied officials “from a technical point of view” that China could be blamed.
“It would be like if houses and buildings had faulty locks on the doors,” Ms Noble told federal parliament’s intelligence and security committee.
“What then happened was that there was opportunity for all sorts of criminals, other state actors, you name it, to pour in behind all those propped open doors and get into your house or your building.”
Ms Noble said there was a massive threat posed by the attack.
“We estimate in Australia that probably around 70,000 entities, companies, businesses in Australia, were using the Microsoft Exchange Server,” Ms Noble said.
“So it’s an attack at a scale that is extremely large and significant.”
Chinese officials have labelled the attribution as “fabricated”, accusing the United States of having “ganged up with its allies to make unwarranted accusations against Chinese cybersecurity”.
Push for ‘urgent’ powers to take over company response during an attack
The debate over attributing the Microsoft Exchange hack came during an inquiry into new legislation that would give the nation’s intelligence agencies greater powers to intercept cyber attacks.
The bill, proposed by the federal government, would allow officials to take over a company’s computer networks as they were coming under attack.
Home Affairs secretary Mike Pezzullo warned the threat of cyber attacks targeting critical infrastructure, such as power grids or major companies, was “overwhelming”.
“The clock is ticking,” he told the committee.
“The possibility of us waking up tomorrow and to be in the grip of such an attack was already last year, the year before.
“The urgency of this legislation frankly is, I would think, self-evident.”
The legislation has been criticised as giving government agencies far too much power to take over networks, and imposing too strict a regulatory burden on companies.
Companies have expressed concerns they would be directed not to act: for instance, being told not to pay a ransom, which could lead to further harm.
“These are foundational reforms for Australia and will have substantial implications for both our security but also our ongoing economic prosperity,” the Business Council of Australia said in a submission.
Mr Pezzullo told the committee the legislation would not give agencies the keys to any computer network at any time, and there would be a “dialogue” with companies.
“If you can actually keep this malware out, if you can actually defeat this actor through some magic of this network, tell us,” he said.
ASD intervention saved aged care facilities during Victoria lockdown
The Australian Cyber Security Centre (ACSC), which operates within ASD, said there had already been examples of cyber attacks where it prevented more victims by getting early information.
The ACSC’s head, Abigail Bradshaw, said aged care facilities in Victoria had been hit by a ransomware attack at the height of coronavirus lockdowns in 2020, and warnings had been issued to other facilities as a result of cooperation from the affected homes.
Ms Bradshaw also cited a cyber attack on media giant Nine, which crippled the network’s broadcast and publishing operations.
“They were in a position to actually pass us technical artefacts, and we were able to use the full range of ASD intelligence capabilities to determine the next victims within hours of receiving those technical artefacts,” Ms Bradshaw said.
ASD boss Ms Noble previously raised concerns about a large company refusing to cooperate during an attack and said the new laws, which would force companies to notify them of an attack, could be used to prevent additional victims.
“What it enables us to do, which is additive to the nation’s security that any company can’t do, is to piece that input from that company with a similar input from four other companies,” Ms Noble said.
“At which point we will be able to derive a pattern to sometimes alert and notify other organisations in a sector who might be about to be hit, but haven’t been yet.”