Thankfully a bit of free time on the weekend has given me an opportunity to go through the information provided in more detail and, hopefully, put together a more comprehensive analysis.
A rough schedule of events
To draw out the events on a timeline from what has been provided, I reviewed the domains registered and also scoured online systems for any of the indicators of compromise.
The first domain was registered on the 25th of March, with TLS certificates issued over the two weeks following, and the domain “updated” on the 8th of April. Around two and a half weeks later (sometime around the 26th of April), the second domain was registered and new TLS certificates were created within 24–48 hours. Two additional files were created in the 48 hours after that. Three weeks later it appears the initial response had started. Outside of this, most other events and the overall flow appear consistent with what has been published by the ACSC, and I won’t speculate or comment further without being able to qualify it or without access to additional information.
I’ve put a timeline together here alongside a few other rough observations: https://docs.google.com/spreadsheets/d/1nwZqrfdae01BJBMtUyStK08up0peSYUvU9FM9ZRHngI/
The side observations
On top of what the ACSC has already provided, I’ve made a few “side observations” from the artefacts provided:
Additional DNS entries
There are a number of additional domains that were created within the time frame of the events:
- The following domains were created and associated with 22.214.171.124 in May 2020: Freewalls.ml, www.freewalls.ml, www.mayaa.ml, v2.mayaa.ml, mayaa.ml, 1988free.gq
- 126.96.36.199 had 63 domains registered against the host in December 2019, which appears a little suspicious.
- A Chinese website (xiaowann.xyz) appeared to be associated with one of the hosts 4 days after the events, and appears to be a domain registered in April 2020.
I’d be curious if these are part of the same threat actor or otherwise.
What else does Urlscan.io tell us?
Multiple artefacts from the list provided by the ACSC were scanned (manually) in urlscan.io within a one-minute period on Friday the 12th of June, allegedly from Israel. It was curious to note that these were scanned rather than simply searched; a scan causes urlscan.io to actively fetch the URL, which is a mistake I’ve made before. A few thoughts on this event:
- This was part of an incident response from Israel, who may be affected.
- An Israeli firm that had the indicators of compromise from the ACSC disclosed to them decided to copy/paste the provided data after it had been given, one week out from the Australian Government’s disclosure.
I’ve also noted multiple scans on the artefacts, well after the fact.
So who was actually hit?
Whilst we cannot conclusively determine who was impacted, the following events roughly correspond to the timeline above:
- Service NSW from the 22nd of April (announced May 15th).
- The ATO noted that there was fraud associated with superannuation accounts in early May, after the announcement on the 23rd of March.
- Bluescope had a cyber incident in May of 2020; however this was disruptive in nature, as was the event with Toll, and inconsistent with the Government’s report.
These are only the high profile events, and no doubt there are more affected organisations.
Other rabbit holes
There are a number of areas to really dive into as part of the information provided. The domains associated with 188.8.131.52, for example, appear to be employed in phishing against Chinese targets based on the site contents indexed in Censys. One of the hosts appeared to have sent an email in February 2020 that was used in a defence industry related phishing campaign. Artefacts and submissions this year to open source locations also suggest that this was not just limited to Australia. Unfortunately, without all the data I can’t make much in the way of a qualified statement, simply an observation.
Why I doubt this is of Chinese government origin
I doubt this is a Chinese APT (at the very least one from within the Government). This rationale is based on several activities.
Firstly, Government threat actors are often seeking information that requires an extended period of access, and will take efforts to conceal their actions. This does not appear to be the case here given:
- The domains were spun up and used fairly quickly. Operational security would dictate that these are left dormant for a period so as to appear legitimate.
- No effort was made to conceal the attack; the exploit code can be readily detected (or should be) by most security software.
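The “domains spun up and used quickly” point above, and the host-to-domain clustering in the DNS section earlier, are both things a defender can check mechanically from registration and passive-DNS data. The following is an added example written for this post, not code from the original article or from the ACSC; every domain, IP and date in it is constructed for illustration and none of them are indicators from the advisory. It builds an ordered timeline, computes each domain’s age at first observed use, and flags hosts on which several domains went live inside a short window.

```python
"""
Added example (not from the original post): infrastructure timeline and
two OPSEC heuristics from constructed registration / passive-DNS records.

Heuristic 1: domain age at first use (registration -> first resolution or
             first TLS certificate). Very young domains in active use are
             a common newly-registered-domain detection signal.
Heuristic 2: several domains first seen on one host within a short window,
             the kind of clustering the post observes on the shared IPs.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Record:
    domain: str
    registered: date   # WHOIS creation date
    first_seen: date   # first passive-DNS resolution or first cert issuance
    ip: str            # host the domain resolved to


# Constructed sample data -- placeholder (RFC 5737) addresses and .invalid
# names, chosen to mirror the shape of the post's timeline, not its values.
RECORDS = [
    Record("example-one.invalid",     date(2020, 3, 25), date(2020, 3, 27), "192.0.2.10"),
    Record("example-two.invalid",     date(2020, 4, 26), date(2020, 4, 27), "192.0.2.10"),
    Record("shop-long-lived.invalid", date(2019, 6, 1),  date(2020, 4, 30), "192.0.2.10"),
    Record("aged-example.invalid",    date(2018, 1, 15), date(2020, 5, 2),  "192.0.2.55"),
]


def domain_age_at_first_use(r: Record) -> int:
    """Days between registration and the first observed use of the domain."""
    return (r.first_seen - r.registered).days


def flag_young_domains(records, max_age_days: int = 30):
    """Domains that were put to use within max_age_days of registration."""
    return sorted(r.domain for r in records
                  if domain_age_at_first_use(r) <= max_age_days)


def cluster_by_ip(records, window_days: int = 45):
    """Group domains by host; mark a host 'dense' when more than one domain
    was first seen there and all first-seen dates fall within window_days."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r)
    summary = {}
    for ip, rs in by_ip.items():
        dates = sorted(r.first_seen for r in rs)
        span = (dates[-1] - dates[0]).days
        summary[ip] = {
            "domains": sorted(r.domain for r in rs),
            "span_days": span,
            "dense": len(rs) > 1 and span <= window_days,
        }
    return summary


def timeline(records):
    """Chronologically ordered (date, description) events for reporting."""
    events = []
    for r in records:
        events.append((r.registered, f"registered {r.domain}"))
        events.append((r.first_seen, f"first seen {r.domain} -> {r.ip}"))
    return sorted(events)


if __name__ == "__main__":
    for when, what in timeline(RECORDS):
        print(when.isoformat(), what)
    print("young domains:", flag_young_domains(RECORDS))
    for ip, info in cluster_by_ip(RECORDS).items():
        print(ip, info)
```

The thresholds (30 days of age, a 45-day window) are assumptions chosen for the sample; in practice they are tuned to the organisation’s own false-positive tolerance, and the `first_seen` field would be populated from a passive-DNS feed or certificate transparency logs rather than typed in by hand.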
The context and information suggest that it was not of Chinese origin, based on the following facts:
- The initiation date was on or before the 25th of March. This does not correspond with any political or physical event associated with China, although I do note that from the 25th of March onwards several events took place which could lead to this deduction, or could have been employed in concert with an escalation of events.
- The last alleged Chinese APT campaign reported by Mandiant, APT41, used code signing certificates on their executables, operationally sophisticated domain registration, multiple malware families, and other complex activities to achieve an effect. Why would they step back from signing or other sophisticated measures to remain undetected?
- The report provided does not discuss motives, target industries or the information extracted.
Whilst the ACSC report and artefacts suggest operational sophistication, the lack of technical sophistication and operational security indicate that this may have been more of a “hit and run” style event that is more consistent with criminal elements. Having stated this, the absence of disruptive or destructive activities may suggest the usual criminal action of ransoming networks was not the intent, and this could be an information grab over an extended period of time, albeit from a low tier government, or a 3rd party in support of a government.
I would actually point this more towards criminal elements attempting early access to super, given the government’s announcement on the 23rd of March, the domain registration on the 25th of March, attempts to gain unauthorised access to Service NSW (to gather information associated with identities that can be used to access super) and the speed of the attack. However, this is still speculative and would need more information to qualify whether the Service NSW attack was the one that was in fact reported.
The discussion of attribution is one that needs to continue, and will perhaps be better informed as time evolves.
An analysis of our response
I think it’s important to observe that the speed of response, from the creation of the C2 infrastructure through to the submission of several artefacts to multiple locations, was impressive. We’ve gone from taking months to identify and respond to events such as this down to a matter of weeks, and I think it’s important to commend the ACSC and other organisations on this effort.
I believe that the buzz that was spun up on Friday in my industry was however counterproductive. During the course of the day I had 1x repurposed door to door salesman now cyber security thought leader offering “patch management services and 2FA as recommended by the government”, even though similar measures were not evident in their CRM environment. We’ve seen a policy institute jump to the conclusion of China with no qualification of fact. Another pundit had advocated “blockchain” as a means of addressing cyber security shortfalls. I do not doubt more money will be thrown at these individuals and other elements of our industry that do not provide a meaningful contribution or present anything with any intellectual rigor.
There are also, of course, the conspiracy theorists and the usual train of opinion and logical fallacies that cyberspace is usually subjected to; however, I like to think we can separate the crazy from the manipulative.
On a final note, I think it’s important to note that the security controls recommended, namely 2FA and patching, are fairly straightforward to implement and do not require vast sums of money to be thrown at system integrators. Additional detection mechanisms can also be implemented in a fairly cost-effective manner.
Amendment, 23rd of June 2020: A colleague pointed out that it was Bluescope, not BHP, that was affected by an incident in May 2020. This article has been updated.