Facebook Google Menu Linkedin lock Pinterest Search Twitter



Mar 12, 2013

Reserve Bank hacking raises questions -- and false alarm

Some malicious hackers -- potentially from China -- hacked the RBA in 2011. But is it really the international online security threat everyone is claiming?


The most remarkable thing about the allegedly Chinese hack of the Reserve Bank of Australia in 2011, reported so breathlessly yesterday, is it isn’t the least bit remarkable whatsoever.

According to the incident report, which has been on the RBA’s website for two-and-a-half months, a routine attack was detected, dealt with and signed off as having had “minor” impact. As our once and potentially near-future prime minister Kevin Rudd might put it, everyone should take a long cold shower.

Let’s unravel the threads. Was there a so-called cyber attack on the RBA? Was it successful? Is China to blame? And where does this fit into the grand scheme of things? The answers are yes (definitely), no (probably), maybe (maybe) and … well, we’ll get to that.

The RBA was certainly attacked. On December 21, following a freedom of information request, the RBA released information on security incidents that had occurred between January 1, 2008 and May 16, 2012. Starting on page 63 you’ll find the report on incident 2011066, “Targeted Email Virus Attack 17 November 2011”. The summary description of the incident and its cause reads:

“A targeted malicious email was sent to several Bank staff, including senior management up to Head of Department. The email was purported to be from [REDACTED] regarding ‘Strategic Planning FY2012’. The malicious payload was an Internet URL link to a zip file containing a trojan which, at the time, was not detectable by the Bank’s Anti Virus scanners. The six users that clicked on the link had their PCs isolated until such time [as] the AV vendors could deploy updated virus definitions. By close of business, the definitions were updated and over night [sic] virus scans were scheduled. Of note, all of the affected PCs did not have local administrator rights. This prevented the virus from spreading.

“Malicious email was highly targeted, utilising a possibly legitimate external account [REDACTED]. It included a legitimate email signature and plausible subject title and content.”

Bog-standard spearphishing, in other words, aimed specifically at the RBA. It’s just like the targeted attacks against US newspapers reported last month. The AFR reported the RBA had been “successfully hacked”, but the bank denied that yesterday. “At no point have these attacks caused the bank’s data or information to be lost or its systems to be corrupted,” it said in a statement — and the bank has confirmed to Crikey it meant no “data breach” and no “exfiltration” of data, to use the infosec jargon.

Under “actual impact”, the incident report reads:

“Bank assets could have been potentially compromised, leading to service disruption, information loss and reputation.”

Could have. Potentially. But not actually, the RBA reassures us. Can we believe them? Well, there’s always the chance the RBA, its security vendors and Defence Signals Directorate investigators all missed something. As it stands, though, this is the online equivalent of discovering that some bloke jemmied open a back window and walked the corridors trying the office doors, but they were all locked, and now he’s been chucked out and the window fixed. It’s a “successful” hack only in that the hackers got through the first layer of defences. It was presumably a failure in terms of its espionage goal. That espionage goal was reportedly to gather intelligence on G20 negotiations, and the cyberspy (sorry) was reportedly China. It could well have been. China has a massive electronic espionage program — but then, so does everyone else.

“Attribution is really difficult when we look at cybercrimes generally, particularly intelligence-gathering like this. It’s really hard to actually find out who’s behind the keyboard,” said Nigel Phair, a director of the Centre for Internet Safety at the University of Canberra, on 2GB last night.

The use of “Chinese-developed malicious software” isn’t proof it was China, no more than me using a black market AK-47 to hold up a bank would make it a Russian job. Even the involvement of Chinese computers means little, as network engineer Mark Newton explained in a series of tweets. There are more PCs in China than legitimate Windows licences to give them access to security patches, so a higher proportion of Chinese PCs can be infected and become part of the bad guys’ botnet. Newton writes:

“Now aim your botnet at some target … A disproportionate amount of attack traffic will come from China. Hey Presto! You’re now indistinguishable from a CHINESE GOVERNMENT SPONSORED FUNDED CYBERWAR DERP OUTFIT. Congratulations. Win a prize.”

Still, China has motive and capability, and “Blame China” is a simple narrative to tell politicians and businesspeople. Let’s just agree that maybe it was China. So there’s your yes, no and maybe. But the emphasis on this RBA attack seems out of place, given that the breach was found and fixed promptly with no data exfiltration. Those US newspapers were hit with 44 kinds of malware and pwned for months. Others have been hit even harder. Why this hack? Why now?

“This instance has raised G20 meetings. We’re hosting one shortly in Brisbane, so the vigilance would want to be quite high right now, I would suggest,” Phair told 2GB.

Cyber is certainly the flavour of the week, with the US saying China must stop the attacks and British MPs hiring an MI5 expert. As I’ve noted elsewhere, the cyber threat is being talked up hard. The questions to ask: “Who wants me to be scared?” and “Why?”


We recommend

From around the web

Powered by Taboola


Leave a comment

17 thoughts on “Reserve Bank hacking raises questions — and false alarm

  1. j.oneill

    The final question posed is an important one. Ever since the events of 11 September 2001 governments in the so-called western democracies have mounted a sustained attack on constitutional and civil liberties. As Noam Chomsky recently observed, we are now back in the position we were in, as a people, prior to the signing of the Magna Carta by King John in 1215. This is astonishing and is happening with scarcely a ripple on the body politic.

    Part of that assertion of control by governments and the corresponding removal of traditional safeguards such as the presumption of innocence, due process, and executive accountability, is to seek to limit the greatest threat to their hegemony, the freedom of the internet.

    Hence, in this country we have seen attempts by Roxon, Conroy and others to limit the freedom of the internet. I think it can reasonably be argued that the current spate of cyber attack scares are part of that pattern of laying the groundwork for restricting the internet.

  2. Daniel Young

    Attempted attacks happen regularly to most large organisations. This would only be news if it had succeeded.

  3. AJH

    I have certainly seen evidence of attacks against Australian organisations that originated in the PLA’s network.

    I manage network security for an Australian research company, and I’ve spotted IP addresses that are assigned to the PLA’s Shanghai operations show up in our intrusion logs.

    However, the attacks seem random and opportunistic. I haven’t seen any evidence so far that they were targeted at our company, and none have even managed to get past the first hurdle. They were just your typical bot activity, trying to find vulnerable URLs on a web server.

    So, either the PLA is so lax in their security that some of their PCs are part of a botnet, or they are actually carrying out opportunistic attacks. Either option seems possible.

    Is this news? Not really. I see dozens of intrusions from Europe and North America every week… it’s just business as usual.

  4. michael crook

    Good article, good comment J.Oneill. Dont we have such a lot to be afraid of at the moment? However, as Michael Moore pointed out, frightened people are much more malleable.

  5. Nigel Bottle

    Has everyone forgotten Chris Joye’s other scoop? Remember the Chinese and the subs??

  6. Person Ordinary

    “Good article, good comment J.Oneill.” Agree

    Is it possible there is an urgent, secret and misguided move to head off the emergence of potential new media tools, that would inevitably emerge anyway? For example, media tools that are basically a convergence of Wiki style knowledge and new models to structure knowledge and opinion, that would effectively reveal all mistruth in online content, and so all mistruth in the public domain. In other words, an anti propaganda system, threatening to shine a light on the darkness that individuals and organisations with malevolent power depend on, everywhere in the world with uncensored internet access.

  7. AJH

    It could be a giant conspiracy headed up by a secret cabal of world leaders, that only Noam Chomsky can save us from…

    Or it could just be department heads in the security services lobbying for more power over internet communications, because that’s what they do. They see any restrictions on their power as pesky interference that stops them from gathering information.

    Government ministers, not so savvy about the technical details of their portfolios take it all at face value, and are panicked into overly-strong responses.

    Never attribute to conspiracy that which can be explained by lobbying from department chiefs.

  8. Person Ordinary

    This is not local. Roxon would never have walked away if that were the case?

  9. Scott

    Serious j.oneill? No progress in the rule of law since 1215? I guess the 798 odd years of common law has just disappeared from the memories and law books of our judges who protect our rights every day, without the need of a bill of rights.
    As for the freedom on the internet…no one is stopping you from performing any legal activity on the web. But there has to be some regulation. Too much business is transacted every day on the Internet for it to remain the wild west. Too many families and kids use the web for it to remain unpoliced. Where family and business travel, so do the guys in blue.

  10. Person Ordinary

    Here is a positive view of what may be at stake …

    Alternative public policy will be formulated in the public domain, using online collaboration and new media tools. These policies will be fully vetted and tested and improved by exhaustive debate, including a large number of “what if” scenarios and possible effects on other policy areas. It will be far superior to the old style, empire-building, self-serving, complex “solutions” put together in the shadows by the bureaucrats, and served up by short-term politicians, of whatever persuasion, with unhealthy doses of spin and awkward ritual.

    This new political process will be effective even with the participation of only a very small part of the population, and with voluntary contributions by people directly involved with the particular issues. With the new media tools it will be easy to hold governments to account to this superior policy, and so it will not matter whether the organised media cover it or not, or whether the public is generally well informed or not.

    Crikey and its competitors will either adopt the new media tools, or become increasingly irrelevant along with the old media. Instead of posting comments in one long thread of subjective and somewhat ignorant arguments, our inputs will be incorporated into the main argument constructed by the journalist – our opinions, our questions, our insights. That main argument will grow and evolve organically, and will serve as a base and a reference for future arguments on related issues. And throughout all the structured argument, whether contributed by professional content creators, or users, or automated content gathering services, all mistruth will be exposed.

    The same media tool will be used to construct an organic argument on the question of what the government should do in each policy area. That argument will evolve and mature, to the point where it becomes the alternate public policy.

    The result is the best possible approach to every policy area worth debating, in real time and with little need for bureaucrats, influence from commercial media, lobby groups, public relations services, etc.

  11. AJH

    @Person Ordinary

    The PLA has been hacking a number of large corporations, and the security services are in a tizzy worldwide because they think it is somehow their responsibility to respond to this attack by a rival government.

    Unless you’ve been involved with the security services, you don’t realise how much of a game they treat things like this as. The PLA has them beaten 5-0 with their latest attacks, and they’re clamouring for a chance to get a goal back. That means they all go lobbying their relevant ministers for more resources, more powers, and start calling for a co-ordinated response.

    Of course, it’s absolutely not their responsibility to do anything about this. It’s the responsibility of CIOs to make sure they have assigned adequate resources to computer security.

    However, that means creating a panic at a management level every time there is a tiny attack… going to the CEO and the directors and pointing out any little intrusion. Basically beating up the situation just like the security services do, for basically the same reasons (more resources, more power, less chance of losing face over an unchecked intrusion).

    With all this paranoia, being created by security chiefs in the services and in corporations (because that’s what we have to do to get additional resources), you can bet ministers and corporate bosses are stressing right now, thinking we’re all about to have our laptops explode in our faces.

  12. Person Ordinary

    All that may be true, but I think there is a bigger picture …

    You seem pretty quick on the trigger.

  13. AJH

    @Person Ordinary

    That’s because I’ve got all these arguments ready to trick people who are on to the cabal’s evil scheme. I can’t believe you caught me out.

    Or maybe its because I do network security all day, and I know the (very real) issues.

    I’ve been on both sides of the fence, public and private, black hat and white hat, and I just hope all this coverage results in some extra funding for ICT departments to allocate to network security… because that’s where the solution lies. It won’t be solved by public policy.

    However, I’m a bit annoyed at the conspiracy theories. Some attacks do originate from IPs associated with PLA networks (I’ve seen them). Some originate from organised criminals running botnets. Some originate from bored students in universities. Regardless of all that, the discussion should be on how companies can develop adequate responses, not on whether it is being caused by the illuminati.

    As for the document detailing the spearfishing attempt on the RBA… the document in question was the result of an old FoI request. It has just become relevant now because of the breathless hysteria about major US companies being attacked by hackers who may possibly be affiliated with the PLA. Personally, I’m happy about the coverage, and I’m happy for it to be played up, because it means when I go asking for extra network security resources, I’m more likely to get them.

  14. Person Ordinary

    @AJH So what Chomsky called the “culture of terror” is actually a good thing? You seem to have mastered your doublethink, but I am sure you are aware that inflating simple argument into conspiracy theories is probably not going to be effective ridicule in this context.

    @Scott I think you missed the point that the new powers undermine all that legal progress

  15. j.oneill

    Scott, “person ordinary” is correct. You clearly didn’t ‘t read what I said, which was to quote Chomsky to the effect that because of the rolling back of all the common law (and constitutional) safeguards put in place over the past several centuries we are now, legally speaking, worse off than before the signing of the Magna Carta in 1215. In the USA for example, the NDAA gives the President power to order the detention without trial, indefinitely, of any citizen, or simply to have him/her killed. That power exists without judicial review. It doesn’t even require there to be evidence. The President’s belief is sufficient. That is the kind of arbitrary power not wielded in the UK since 1215.

    You may be comfortable with that and all the other abuses of power (drone attacks, assassinations , arbitrary detention without trial indefinitely, etc etc. I for one am not. Hence my profound suspicion at all attempts by this or any other government to fetter what I might wish to read or say, subject to the obvious caveats.

  16. Person Ordinary

    … just to add some clarity to my previous comments

    There must be limits on exactly what is appropriate for public online debate, and what should remain secret, whether in regards to privacy or security, and those bounds themselves need to be determined by exhaustive public collaboration using the emergent tools.

    Governments that are usually portrayed in the West as secretive and malevolent may in fact be enthusiastic about new opportunities. China has many growing problems, not least the widespread environmental impacts of its economic development, that may be most effectively addressed by its own citizens, subject to limits it deems appropriate. The same for India. America could obviously benefit from more effective policy development in many areas, and may even find some middle ground solutions to break the deadlock.


https://www.crikey.com.au/2013/03/12/reserve-bank-hacking-raises-questions-and-false-alarm/ == https://www.crikey.com.au/free-trial/==https://www.crikey.com.au/subscribe/

Show popup

Telling you what the others don't. FREE for 21 days.

  • This field is for validation purposes and should be left unchanged.