Mar 12, 2013

Reserve Bank hacking raises questions — and false alarm

Some malicious hackers -- potentially from China -- hacked the RBA in 2011. But is it really the international online security threat everyone is claiming?

Stilgherrian — Technology writer and broadcaster


The most remarkable thing about the allegedly Chinese hack of the Reserve Bank of Australia in 2011, reported so breathlessly yesterday, is it isn't the least bit remarkable whatsoever. According to the incident report, which has been on the RBA's website for two-and-a-half months, a routine attack was detected, dealt with and signed off as having had "minor" impact. As our once and potentially near-future prime minister Kevin Rudd might put it, everyone should take a long cold shower.

Let's unravel the threads. Was there a so-called cyber attack on the RBA? Was it successful? Is China to blame? And where does this fit into the grand scheme of things? The answers are yes (definitely), no (probably), maybe (maybe) and ... well, we'll get to that.

The RBA was certainly attacked. On December 21, following a freedom of information request, the RBA released information on security incidents that had occurred between January 1, 2008 and May 16, 2012. Starting on page 63 you'll find the report on incident 2011066, "Targeted Email Virus Attack 17 November 2011". The summary description of the incident and its cause reads:
"A targeted malicious email was sent to several Bank staff, including senior management up to Head of Department. The email was purported to be from [REDACTED] regarding 'Strategic Planning FY2012'. The malicious payload was an Internet URL link to a zip file containing a trojan which, at the time, was not detectable by the Bank's Anti Virus scanners. The six users that clicked on the link had their PCs isolated until such time [as] the AV vendors could deploy updated virus definitions. By close of business, the definitions were updated and over night [sic] virus scans were scheduled. Of note, all of the affected PCs did not have local administrator rights. This prevented the virus from spreading.

"Malicious email was highly targeted, utilising a possibly legitimate external account [REDACTED]. It included a legitimate email signature and plausible subject title and content."
Bog-standard spearphishing, in other words, aimed specifically at the RBA. It's just like the targeted attacks against US newspapers reported last month.

The AFR reported the RBA had been "successfully hacked", but the bank denied that yesterday. "At no point have these attacks caused the bank's data or information to be lost or its systems to be corrupted," it said in a statement -- and the bank has confirmed to Crikey it meant no "data breach" and no "exfiltration" of data, to use the infosec jargon. Under "actual impact", the incident report reads:
"Bank assets could have been potentially compromised, leading to service disruption, information loss and reputation."
Could have. Potentially. But not actually, the RBA reassures us. Can we believe them?

Well, there's always the chance the RBA, its security vendors and Defence Signals Directorate investigators all missed something. As it stands, though, this is the online equivalent of discovering that some bloke jemmied open a back window and walked the corridors trying the office doors, but they were all locked, and now he's been chucked out and the window fixed.

It's a "successful" hack only in that the hackers got through the first layer of defences. It was presumably a failure in terms of its espionage goal.

That espionage goal was reportedly to gather intelligence on G20 negotiations, and the cyberspy (sorry) was reportedly China. It could well have been. China has a massive electronic espionage program -- but then, so does everyone else.

"Attribution is really difficult when we look at cybercrimes generally, particularly intelligence-gathering like this. It's really hard to actually find out who's behind the keyboard," said Nigel Phair, a director of the Centre for Internet Safety at the University of Canberra, on 2GB last night.

The use of "Chinese-developed malicious software" isn't proof it was China, no more than me using a black market AK-47 to hold up a bank would make it a Russian job. Even the involvement of Chinese computers means little, as network engineer Mark Newton explained in a series of tweets. There are more PCs in China than legitimate Windows licences to give them access to security patches, so a higher proportion of Chinese PCs can be infected and become part of the bad guys' botnet. Newton writes:
"Now aim your botnet at some target ... A disproportionate amount of attack traffic will come from China. Hey Presto! You're now indistinguishable from a CHINESE GOVERNMENT SPONSORED FUNDED CYBERWAR DERP OUTFIT. Congratulations. Win a prize."
Still, China has motive and capability, and "Blame China" is a simple narrative to tell politicians and businesspeople. Let's just agree that maybe it was China.

So there's your yes, no and maybe. But the emphasis on this RBA attack seems out of place, given that the breach was found and fixed promptly with no data exfiltration. Those US newspapers were hit with 44 kinds of malware and pwned for months. Others have been hit even harder. Why this hack? Why now?

"This instance has raised G20 meetings. We're hosting one shortly in Brisbane, so the vigilance would want to be quite high right now, I would suggest," Phair told 2GB.

Cyber is certainly the flavour of the week, with the US saying China must stop the attacks and British MPs hiring an MI5 expert. As I've noted elsewhere, the cyber threat is being talked up hard. The questions to ask: "Who wants me to be scared?" and "Why?"


17 thoughts on “Reserve Bank hacking raises questions — and false alarm”

  1. j.oneill

    The final question posed is an important one. Ever since the events of 11 September 2001 governments in the so-called western democracies have mounted a sustained attack on constitutional and civil liberties. As Noam Chomsky recently observed, we are now back in the position we were in, as a people, prior to the signing of the Magna Carta by King John in 1215. This is astonishing and is happening with scarcely a ripple on the body politic.

    Part of that assertion of control by governments and the corresponding removal of traditional safeguards such as the presumption of innocence, due process, and executive accountability, is to seek to limit the greatest threat to their hegemony, the freedom of the internet.

    Hence, in this country we have seen attempts by Roxon, Conroy and others to limit the freedom of the internet. I think it can reasonably be argued that the current spate of cyber attack scares are part of that pattern of laying the groundwork for restricting the internet.

  2. Daniel Young

    Attempted attacks happen regularly to most large organisations. This would only be news if it had succeeded.

  3. AJH

    I have certainly seen evidence of attacks against Australian organisations that originated in the PLA’s network.

    I manage network security for an Australian research company, and I’ve spotted IP addresses that are assigned to the PLA’s Shanghai operations show up in our intrusion logs.

    However, the attacks seem random and opportunistic. I haven’t seen any evidence so far that they were targeted at our company, and none have even managed to get past the first hurdle. They were just your typical bot activity, trying to find vulnerable URLs on a web server.

    So, either the PLA is so lax in their security that some of their PCs are part of a botnet, or they are actually carrying out opportunistic attacks. Either option seems possible.

    Is this news? Not really. I see dozens of intrusions from Europe and North America every week… it’s just business as usual.

  4. michael crook

    Good article, good comment J.Oneill. Don't we have such a lot to be afraid of at the moment? However, as Michael Moore pointed out, frightened people are much more malleable.

  5. Nigel Bottle

    Has everyone forgotten Chris Joye’s other scoop? Remember the Chinese and the subs??

  6. Person Ordinary

    “Good article, good comment J.Oneill.” Agree

    Is it possible there is an urgent, secret and misguided move to head off the emergence of potential new media tools, that would inevitably emerge anyway? For example, media tools that are basically a convergence of Wiki-style knowledge and new models to structure knowledge and opinion, that would effectively reveal all mistruth in online content, and so all mistruth in the public domain. In other words, an anti-propaganda system, threatening to shine a light on the darkness that individuals and organisations with malevolent power depend on, everywhere in the world with uncensored internet access.

  7. AJH

    It could be a giant conspiracy headed up by a secret cabal of world leaders, that only Noam Chomsky can save us from…

    Or it could just be department heads in the security services lobbying for more power over internet communications, because that’s what they do. They see any restrictions on their power as pesky interference that stops them from gathering information.

    Government ministers, not so savvy about the technical details of their portfolios, take it all at face value, and are panicked into overly strong responses.

    Never attribute to conspiracy that which can be explained by lobbying from department chiefs.

  8. Person Ordinary

    This is not local. Roxon would never have walked away if that were the case?

  9. Scott

    Seriously, j.oneill? No progress in the rule of law since 1215? I guess the 798-odd years of common law have just disappeared from the memories and law books of our judges who protect our rights every day, without the need of a bill of rights.
    As for the freedom on the internet… no one is stopping you from performing any legal activity on the web. But there has to be some regulation. Too much business is transacted every day on the Internet for it to remain the wild west. Too many families and kids use the web for it to remain unpoliced. Where family and business travel, so do the guys in blue.
