ARN

Australia joins chorus of condemnation over China’s role in malicious cyber attacks

Including the global Microsoft Exchange Server hack earlier this year.

The Australian government has joined a chorus of public condemnation from the likes of the US, the UK, New Zealand and other allies accusing the Chinese government of backing malicious cyber activity in regions around the world, including the global Microsoft Exchange Server hack earlier this year.   

“Today, the Australian government joins international partners in expressing serious concerns about malicious cyber activities by China's Ministry of State Security,” said Minister for Home Affairs Karen Andrews, Minister for Defence Peter Dutton and Minister for Foreign Affairs Marise Payne in a joint statement.  

“In consultation with our partners, the Australian government has determined that China's Ministry of State Security exploited vulnerabilities in the Microsoft Exchange software to affect thousands of computers and networks worldwide, including in Australia.  

“These actions have undermined international stability and security by opening the door to a range of other actors, including cybercriminals, who continue to exploit this vulnerability for illicit gain,” the trio added. 

Andrews, Payne and Dutton also stressed that the Australian government was seriously concerned about reports from the country’s international partners that China's Ministry of State Security is engaging contract hackers who have carried out cyber-enabled intellectual property theft for personal gain and to provide commercial advantage to the Chinese government.

“Australia calls on all countries – including China – to act responsibly in cyberspace,” the ministers said. “China must adhere to the commitments it has made in the G20, and bilaterally, to refrain from cyber-enabled theft of intellectual property, trade secrets and confidential business information with the intent of obtaining competitive advantage.” 

The ministers also noted that since 2017, Australia has publicly attributed malicious cyber activity to North Korea, Russia, China and Iran.  

Indeed, Australia recently joined more than 30 international partners to hold Russia to account for its harmful cyber campaign against SolarWinds. 

“Australia calls out these malicious activities to highlight the significant risk they can pose to Australia's national security or to international stability, which in turn can undermine business confidence and inclusive economic growth,” the trio said.  

“Australia's cyber security posture is strong, but there is no room for complacency given the online threat environment is constantly evolving.  

“Protecting Australia from malicious cyber activity – be it by state actors or cybercriminals – requires a continuous improvement approach to cyber security practices across all levels of society including government, business and households,” they added. 

On March 2, 2021, Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server.

Microsoft subsequently released security updates for Exchange Server to protect users against vulnerabilities in on-premises versions of the software, with the China-based state-sponsored actor Hafnium flagged as the primary group behind exploits targeting the flaws.

The vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 — affect Microsoft Exchange Server 2013, 2016 and 2019, and are part of an attack chain initiated with the ability to make an untrusted connection to Exchange Server port 443. 

By 4 March, Microsoft said that its Exchange Server team had released a script for checking Hafnium indicators of compromise (IOCs). The script was published on GitHub.

In a blog post published by the Microsoft Security Response Center on 6 March, the company detailed alternative mitigation techniques for customers who were not able to quickly apply updates and needed more time to patch their deployments, or who were willing to make risk and service function trade-offs.

Microsoft subsequently released an updated script designed to scan Exchange log files for indicators of compromise (IOCs) associated with the zero-day vulnerabilities.