The most remarkable thing about the allegedly Chinese hack of the Reserve Bank of Australia in 2011, reported so breathlessly yesterday, is it isn’t the least bit remarkable whatsoever.
According to the incident report, which has been on the RBA’s website for two-and-a-half months, a routine attack was detected, dealt with and signed off as having had “minor” impact. As our once and potentially near-future prime minister Kevin Rudd might put it, everyone should take a long cold shower.
Let’s unravel the threads. Was there a so-called cyber attack on the RBA? Was it successful? Is China to blame? And where does this fit into the grand scheme of things? The answers are yes (definitely), no (probably), maybe (maybe) and … well, we’ll get to that.
There's more to Crikey than you think.
Get more and save 50%.
The RBA was certainly attacked. On December 21, following a freedom of information request, the RBA released information on security incidents that had occurred between January 1, 2008 and May 16, 2012. Starting on page 63 you’ll find the report on incident 2011066, “Targeted Email Virus Attack 17 November 2011”. The summary description of the incident and its cause reads:
“A targeted malicious email was sent to several Bank staff, including senior management up to Head of Department. The email was purported to be from [REDACTED] regarding ‘Strategic Planning FY2012’. The malicious payload was an Internet URL link to a zip file containing a trojan which, at the time, was not detectable by the Bank’s Anti Virus scanners. The six users that clicked on the link had their PCs isolated until such time [as] the AV vendors could deploy updated virus definitions. By close of business, the definitions were updated and over night [sic] virus scans were scheduled. Of note, all of the affected PCs did not have local administrator rights. This prevented the virus from spreading.
“Malicious email was highly targeted, utilising a possibly legitimate external account [REDACTED]. It included a legitimate email signature and plausible subject title and content.”
Bog-standard spearphishing, in other words, aimed specifically at the RBA. It’s just like the targeted attacks against US newspapers reported last month. The AFR reported the RBA had been “successfully hacked”, but the bank denied that yesterday. “At no point have these attacks caused the bank’s data or information to be lost or its systems to be corrupted,” it said in a statement — and the bank has confirmed to Crikey it meant no “data breach” and no “exfiltration” of data, to use the infosec jargon.
Under “actual impact”, the incident report reads:
“Bank assets could have been potentially compromised, leading to service disruption, information loss and reputation.”
Could have. Potentially. But not actually, the RBA reassures us. Can we believe them? Well, there’s always the chance the RBA, its security vendors and Defence Signals Directorate investigators all missed something. As it stands, though, this is the online equivalent of discovering that some bloke jemmied open a back window and walked the corridors trying the office doors, but they were all locked, and now he’s been chucked out and the window fixed. It’s a “successful” hack only in that the hackers got through the first layer of defences. It was presumably a failure in terms of its espionage goal. That espionage goal was reportedly to gather intelligence on G20 negotiations, and the cyberspy (sorry) was reportedly China. It could well have been. China has a massive electronic espionage program — but then, so does everyone else.
“Attribution is really difficult when we look at cybercrimes generally, particularly intelligence-gathering like this. It’s really hard to actually find out who’s behind the keyboard,” said Nigel Phair, a director of the Centre for Internet Safety at the University of Canberra, on 2GB last night.
The use of “Chinese-developed malicious software” isn’t proof it was China, no more than me using a black market AK-47 to hold up a bank would make it a Russian job. Even the involvement of Chinese computers means little, as network engineer Mark Newton explained in a series of tweets. There are more PCs in China than legitimate Windows licences to give them access to security patches, so a higher proportion of Chinese PCs can be infected and become part of the bad guys’ botnet. Newton writes:
“Now aim your botnet at some target … A disproportionate amount of attack traffic will come from China. Hey Presto! You’re now indistinguishable from a CHINESE GOVERNMENT SPONSORED FUNDED CYBERWAR DERP OUTFIT. Congratulations. Win a prize.”
Still, China has motive and capability, and “Blame China” is a simple narrative to tell politicians and businesspeople. Let’s just agree that maybe it was China. So there’s your yes, no and maybe. But the emphasis on this RBA attack seems out of place, given that the breach was found and fixed promptly with no data exfiltration. Those US newspapers were hit with 44 kinds of malware and pwned for months. Others have been hit even harder. Why this hack? Why now?
“This instance has raised G20 meetings. We’re hosting one shortly in Brisbane, so the vigilance would want to be quite high right now, I would suggest,” Phair told 2GB.
Cyber is certainly the flavour of the week, with the US saying China must stop the attacks and British MPs hiring an MI5 expert. As I’ve noted elsewhere, the cyber threat is being talked up hard. The questions to ask: “Who wants me to be scared?” and “Why?”