Australia has accused China of backing a cyber espionage group. Here’s what you need to know
Australia and key intelligence partners on Tuesday accused a China-backed group of conducting a wide-scale cyber espionage operation.
The Australian Signals Directorate, Australia’s cyber intelligence agency, issued an advisory saying the hacking group known as APT 40 had “repeatedly targeted Australian networks as well as government and private sector networks in the region”.
According to the advisory, APT 40 is linked to Beijing’s Ministry of State Security (MSS) and “the threat they pose to our networks is ongoing”.
It is the first time Australia has directly and proactively attributed malicious cyber activity to a Chinese state-sponsored actor, and signals a major escalation of international pushback against Beijing’s activities.
China’s Foreign Ministry rejected the accusations, saying it was “firmly opposed to such repeated hypes about so-called ‘Chinese cyber attacks’ aimed to smear and frame China on cybersecurity”.
But what exactly is an APT and what do they do?
And what are the potential implications of Australia making these accusations?
What is APT 40?
APT stands for “advanced persistent threat” and usually refers to a stealthy hacker or group of hackers, often state-sponsored, who infiltrate a computer network undetected and mine private data.
The term is believed to have been coined by the United States Air Force in 2006, and is now typically used to describe a group that is carrying out targeted cyber attacks with specific goals in mind – whether those be stealing sensitive information or data, spying or disrupting activities.
“Usually, for example, a team of hackers in one unit of a foreign government, and often housed in just one building.”
There are APTs around the world, and Mr Austin explained that while the term is typically used by Western governments to refer to groups belonging to countries like China, Russia, North Korea and Iran, those same Western intelligence agencies often have APTs of their own.
China has at least 40 named APT groups, with APT 40 being the 40th one to have been identified by intelligence agencies.
“They are a group of hackers who work for the Ministry of State Security in China, undertaking a range of missions for the Chinese government,” Mr Austin said.
How does this type of hacking work?
While APT hacking can take on many forms, one of the more commonly recognisable is a phishing attack: a malicious actor will send out fraudulent emails or text messages to many recipients intending to steal sensitive information such as usernames, passwords or banking details.
“In brief, the hackers can find various ways into a target system,” Mr Austin explained.
“What generally happens is that these attacking organisations will send hundreds of thousands if not millions of search emails around the world to see what results they get.
“And they undoubtedly score quite considerable successes from those sorts of phishing emails.”
APT 40 is suspected of regularly targeting Australian government and private sector networks and attempting to exploit compromised office and work-from-home devices to gain access to sensitive IT networks.
It’s believed they have stolen hundreds of usernames and passwords across multiple countries.
In their advisory on Tuesday, the ASD referred to a specific case study where APT 40 allegedly used a compromised device – which “probably belonged to a small business or home user” – to exfiltrate data from a number of machines in a larger network.
“The investigation uncovered evidence of large amounts of sensitive data being accessed,” the advisory concluded.
“Findings from the investigation indicate the organisation was likely deliberately targeted by a state-sponsored cyber actor, as opposed to falling victim opportunistically to a publicly known vulnerability.”
It is these kinds of malicious activities that likely prompted the ASD to issue their advisory, according to Mr Austin.
“That’s the sort of thing that agencies like ASD have to protect against,” he said.
Why is Australia leading the advisory?
Among the more notable details of Tuesday’s advisory is the fact that, while co-signed by Five Eyes intelligence partners such as the US and UK as well as international allies such as Germany, South Korea and Japan, it is reportedly being spearheaded by Australia.
In a statement issued on Tuesday, Australian Defence Minister Richard Marles declared that: “The Albanese government is committed to defending Australian organisations and individuals in the cyber domain, which is why for the first time we are leading this type of cyber attribution.”
Mr Austin suggested that Canberra’s decision to take the reins in this case may have been spurred by threats that directly targeted Australia itself.
“This advisory specifically refers to attacks on Australia,” he said.
“So it might be that this is the first occasion on which Australia felt it necessary to issue an advisory, with the support of its allies, about this specifically egregious threat to Australia.”
Others have pointed out, however, that Australia isn’t the only country being targeted by these kinds of cyber attacks.
Lennon Chang, an associate professor in cyber risks and policy at Deakin University, told the ABC that Australia’s motivations for taking a stand against APT 40 may extend beyond those of national interest.
“The countries behind this joint advisory aren’t the only ones being targeted. Many democracies in the Asia-Pacific are potential targets of this type of cyber attack as well,” Dr Chang said.
“If you look at the 2023-2030 Australian Cyber Security Strategy, Australia wants to become a world leader in cyber security,” he added.
“I believe Australia will play a leading role in global cooperation on cyber security, particularly in the Indo-Pacific region.”
What are the implications?
While Mr Austin told the ABC that the process of attribution typically has “no deterrent effect on what the Chinese are doing,” there is also the view that if agencies like the ASD issue such advisories regularly, they show hackers and potential adversaries that their activity is being watched.
He also highlighted the diplomatic downside, though: namely, that stamping down on Chinese APTs may inflict collateral damage on Australia and China’s geopolitical relations.
It is these geopolitical considerations that may have deterred Australia from voicing similar criticisms towards French, Indian or Israeli cyber attacks against Australian targets, Mr Austin said.
But levelling such accusations at China may carry its own consequences.
Only weeks ago, the Australian government welcomed Chinese Premier Li Qiang on a visit to Canberra amid a continuing thaw in relations between the two countries.
“By criticising Chinese APTs, Australia is putting at risk the rapprochement between Australia and China that we’ve seen in recent months, after several years of being out in the cold,” Mr Austin said.
“That’s a choice that the government has to make. But what I’m trying to register is there are plus sides and downsides of having these advisories.”
Dr Chang also acknowledged the possibility that while the ASD’s accusations may dent relations between Canberra and Beijing, mutual interests could dampen the blowback.
“This advisory may have some negative impact on bilateral relations, but under the current Australian administration, I don’t think the relationship will go back to where it was,” he said.
“Of course this also depends on China’s reaction,” he added. “Considering that China is striving for a better economic relationship with Australia, I think they may be open to compromise.”
SOURCE: ABCNEWS