The most remarkable thing about the allegedly Chinese hack of the Reserve Bank of Australia in 2011, reported so breathlessly yesterday, is that it isn’t the least bit remarkable.
According to the incident report, which has been on the RBA’s website for two-and-a-half months, a routine attack was detected, dealt with and signed off as having had “minor” impact. As our once and potentially near-future prime minister Kevin Rudd might put it, everyone should take a long cold shower.
Let’s unravel the threads. Was there a so-called cyber attack on the RBA? Was it successful? Is China to blame? And where does this fit into the grand scheme of things? The answers are yes (definitely), no (probably), maybe (maybe) and … well, we’ll get to that.
The RBA was certainly attacked. On December 21, following a freedom of information request, the RBA released information on security incidents that had occurred between January 1, 2008 and May 16, 2012. Starting on page 63 you’ll find the report on incident 2011066, “Targeted Email Virus Attack 17 November 2011”. The summary description of the incident and its cause reads:
“A targeted malicious email was sent to several Bank staff, including senior management up to Head of Department. The email was purported to be from [REDACTED] regarding ‘Strategic Planning FY2012’. The malicious payload was an Internet URL link to a zip file containing a trojan which, at the time, was not detectable by the Bank’s Anti Virus scanners. The six users that clicked on the link had their PCs isolated until such time [as] the AV vendors could deploy updated virus definitions. By close of business, the definitions were updated and over night [sic] virus scans were scheduled. Of note, all of the affected PCs did not have local administrator rights. This prevented the virus from spreading.
“Malicious email was highly targeted, utilising a possibly legitimate external account [REDACTED]. It included a legitimate email signature and plausible subject title and content.”
Bog-standard spearphishing, in other words, aimed specifically at the RBA. It’s just like the targeted attacks against US newspapers reported last month. The AFR reported the RBA had been “successfully hacked”, but the bank denied that yesterday. “At no point have these attacks caused the bank’s data or information to be lost or its systems to be corrupted,” it said in a statement — and the bank has confirmed to Crikey it meant no “data breach” and no “exfiltration” of data, to use the infosec jargon.
Under “actual impact”, the incident report reads:
“Bank assets could have been potentially compromised, leading to service disruption, information loss and reputation.”
Could have. Potentially. But not actually, the RBA reassures us. Can we believe them? Well, there’s always the chance the RBA, its security vendors and Defence Signals Directorate investigators all missed something. As it stands, though, this is the online equivalent of discovering that some bloke jemmied open a back window and walked the corridors trying the office doors, but they were all locked, and now he’s been chucked out and the window fixed. It’s a “successful” hack only in that the hackers got through the first layer of defences. It was presumably a failure in terms of its espionage goal. That espionage goal was reportedly to gather intelligence on G20 negotiations, and the cyberspy (sorry) was reportedly China. It could well have been. China has a massive electronic espionage program — but then, so does everyone else.
“Attribution is really difficult when we look at cybercrimes generally, particularly intelligence-gathering like this. It’s really hard to actually find out who’s behind the keyboard,” said Nigel Phair, a director of the Centre for Internet Safety at the University of Canberra, on 2GB last night.
The use of “Chinese-developed malicious software” isn’t proof it was China, any more than my using a black market AK-47 to hold up a bank would make it a Russian job. Even the involvement of Chinese computers means little, as network engineer Mark Newton explained in a series of tweets. There are more PCs in China than legitimate Windows licences to give them access to security patches, so a higher proportion of Chinese PCs can be infected and become part of the bad guys’ botnet. Newton writes:
“Now aim your botnet at some target … A disproportionate amount of attack traffic will come from China. Hey Presto! You’re now indistinguishable from a CHINESE GOVERNMENT SPONSORED FUNDED CYBERWAR DERP OUTFIT. Congratulations. Win a prize.”
Still, China has motive and capability, and “Blame China” is a simple narrative to tell politicians and businesspeople. Let’s just agree that maybe it was China. So there’s your yes, no and maybe. But the emphasis on this RBA attack seems out of place, given that the breach was found and fixed promptly with no data exfiltration. Those US newspapers were hit with 44 kinds of malware and pwned for months. Others have been hit even harder. Why this hack? Why now?
“This instance has raised G20 meetings. We’re hosting one shortly in Brisbane, so the vigilance would want to be quite high right now, I would suggest,” Phair told 2GB.
Cyber is certainly the flavour of the week, with the US saying China must stop the attacks and British MPs hiring an MI5 expert. As I’ve noted elsewhere, the cyber threat is being talked up hard. The questions to ask: “Who wants me to be scared?” and “Why?”
The final question posed is an important one. Ever since the events of 11 September 2001, governments in the so-called western democracies have mounted a sustained attack on constitutional and civil liberties. As Noam Chomsky recently observed, we are now back in the position we were in, as a people, prior to the signing of the Magna Carta by King John in 1215. This is astonishing and is happening with scarcely a ripple on the body politic.
Part of that assertion of control by governments and the corresponding removal of traditional safeguards such as the presumption of innocence, due process, and executive accountability, is to seek to limit the greatest threat to their hegemony, the freedom of the internet.
Hence, in this country we have seen attempts by Roxon, Conroy and others to limit the freedom of the internet. I think it can reasonably be argued that the current spate of cyber attack scares is part of that pattern of laying the groundwork for restricting the internet.
Attempted attacks happen regularly to most large organisations. This would only be news if it had succeeded.
I have certainly seen evidence of attacks against Australian organisations that originated in the PLA’s network.
I manage network security for an Australian research company, and I’ve spotted IP addresses that are assigned to the PLA’s Shanghai operations show up in our intrusion logs.
However, the attacks seem random and opportunistic. I haven’t seen any evidence so far that they were targeted at our company, and none have even managed to get past the first hurdle. They were just your typical bot activity, trying to find vulnerable URLs on a web server.
So, either the PLA is so lax in their security that some of their PCs are part of a botnet, or they are actually carrying out opportunistic attacks. Either option seems possible.
Is this news? Not really. I see dozens of intrusions from Europe and North America every week… it’s just business as usual.
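The commenter above describes the everyday experience of anyone who reads web server logs: bots from all over the world trying well-known vulnerable URLs, which tells you a source address is scanning but says nothing about who sits behind it. The following is an added example, not code from Crikey or from the commenter, showing how such opportunistic scanning is typically picked out of an Apache/nginx combined-format access log. The log lines and the list of probe signatures are constructed for illustration; the thresholds (`min_probes`) are an assumption, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2013:02:14:01 +1100] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Mar/2013:02:14:05 +1100] "GET /phpmyadmin/index.php HTTP/1.1" 404 212 "-" "-"
198.51.100.9 - - [20/Mar/2013:02:14:06 +1100] "GET /pma/index.php HTTP/1.1" 404 212 "-" "-"
198.51.100.9 - - [20/Mar/2013:02:14:06 +1100] "GET /wp-login.php HTTP/1.1" 404 212 "-" "-"
198.51.100.9 - - [20/Mar/2013:02:14:07 +1100] "GET /cgi-bin/test.cgi HTTP/1.1" 404 212 "-" "-"
198.51.100.9 - - [20/Mar/2013:02:14:08 +1100] "GET /admin/../../etc/passwd HTTP/1.1" 400 0 "-" "-"
203.0.113.7 - - [20/Mar/2013:02:15:11 +1100] "GET /about.html HTTP/1.1" 200 2210 "http://example.org/" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2013:02:15:12 +1100] "GET /missing.css HTTP/1.1" 404 212 "http://example.org/about.html" "Mozilla/5.0"
192.0.2.44 - - [20/Mar/2013:02:16:00 +1100] "GET /wp-login.php HTTP/1.1" 404 212 "-" "python-requests/1.1"
"""

# One combined-format line: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths that opportunistic scanners commonly try (illustrative, constructed list, not exhaustive).
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"/phpmyadmin", r"/pma/", r"/wp-login\.php", r"/wp-admin", r"/cgi-bin/",
    r"\.\./", r"/etc/passwd",
)]


def parse_line(line):
    """Return the fields of one combined-format log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path):
    """True if the requested path matches one of the scanner signatures above."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def summarise(log_text):
    """Aggregate per source IP: total requests, 4xx responses, and the distinct probe paths tried."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "probe_paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip lines that are not in combined format
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        if 400 <= rec["status"] < 500:
            s["errors"] += 1
        if is_probe(rec["path"]):
            s["probe_paths"].add(rec["path"])
    return per_ip


def find_scanners(log_text, min_probes=3):
    """Return {ip: summary} for sources that hit at least min_probes distinct probe paths.

    A single probe (192.0.2.44 below) is left alone: one stray hit on /wp-login.php is not
    enough to distinguish a bot from a mistyped URL, so the threshold keeps false positives down.
    """
    scanners = {}
    for ip, s in summarise(log_text).items():
        if len(s["probe_paths"]) >= min_probes:
            scanners[ip] = {"requests": s["requests"], "errors": s["errors"],
                            "probes": len(s["probe_paths"])}
    return scanners


if __name__ == "__main__":
    for ip, s in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} distinct probe paths over {s['requests']} requests ({s['errors']} 4xx)")
```

Note that the output is a list of scanning source addresses and nothing more: the address tells you which network the last hop came from, which, as the article's botnet argument makes clear, is not the same as knowing who is operating it. The useful defensive follow-ups are rate limiting or blocking repeat scanners and confirming that none of the probed paths actually exist on the server.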
Good article, good comment J.Oneill. Don’t we have such a lot to be afraid of at the moment? However, as Michael Moore pointed out, frightened people are much more malleable.
Has everyone forgotten Chris Joye’s other scoop? Remember the Chinese and the subs??