
Executive summary

Drawing on interviews with security specialists and insiders, Four Corners highlights specific
high-level incidents involving Government departments and demonstrates how security systems
might have been breached. A hard truth lies behind these incidents: companies refrain from
speaking about intrusions to avoid a setback with customers and stockholders, and the
uncomfortable question of who keeps attacking has led both the government and organizations
to remain silent on the matter. Most leads from reliable sources, such as former government
advisers in cyber security, indicate China as the main suspect. It has not been proven that the
hackers work for the government of China, but it is likely that most established companies in
China stand to be targets of corporate espionage.

The implications of being unable to communicate securely in the event of a cyber-attack, whether
it is espionage or the use of data collected by espionage for warfare, would be catastrophic
during a conflict. Giving an adversary the ability to monitor information sent via a computer
system, and then the complete ability to shut down a critical system remotely, would be
detrimental to the safety of any country. The impact could be enormous if flight control
systems, weapons systems, or other critical infrastructure are shut down.

Introduction
The ABC's Four Corners program, aired on 27 May, made a number of claims about intrusions
into Australian Government and commercial IT systems. The emphasis of the program was on
two specific cases: allegations that the plans for the new ASIO building were exfiltrated by
Chinese hackers, and that the Adelaide-based communications company Codan had, as a result of
cyber intrusions, lost commercially valuable intellectual property and export contracts to
Chinese competitors. Passing reference was made to allegations that sensitive information was
extracted from the Department of Foreign Affairs and Trade's network, but few details were
provided. Attorney-General Mark Dreyfus, who was interviewed, would not comment on the
claims. Interviewees expressed mixed views about international efforts to address cyber threats,
such as through new treaties.

Adelaide-based communications, metal detection and mining technology firm Codan was a
successful Australian multi-national electronics company with offices in the US and the UK.
In 2012, sales figures for its famous and popular metal detectors started dropping, and it took
some detective work to figure out why. The Australian Security Intelligence Organisation
(ASIO) reported that the reason for the decline in sales was that the company's computer
systems had been hacked and blueprints stolen to sell cheap imitation products into the global
market. Codan was a victim of cyber espionage, and the cyber-attack allegedly came from China.

On one occasion, a former US president, addressing a tech-savvy campaign audience, cautioned
that he had never been obsessed with his BlackBerry but rather understood the security
precautions needed for a government device while in office. On stage he pointed out that nobody
had his email address to communicate with him digitally, and neither had the Alfalfa Club crowd
obtained the president's email address; yet six years later, Russian spies obtained the address
and even read the content of the emails. They also gained access to the White House
communication system that staffers used for legislative affairs, personnel developments,
presidential scheduling, correspondence with diplomats overseas, and more (Buchanan, 2017).

Background information

Documents detailing the ASIO building's communication cable layouts, server locations and
security systems had all been illegally accessed, ABC TV's Four Corners reported. The new
building, which overlooks Canberra's Lake Burley Griffin and was due to open, could not be used
even after costing taxpayers $630 million, which was $41m more than anticipated. The reason
was an act of espionage that took place in 2013.

Codan CEO Donald McGurk could not talk about the details of the attack on camera to Four
Corners, but said the company had taken serious steps to improve the security of its computer
systems with multiple firewalls. According to the report, an ASIO investigation found that
Chinese hackers found a vector into the Codan network when an executive from the company
visited China and logged into the Wi-Fi at a hotel.

The hackers inserted malware on the executive's work laptop, which then infected the computer
system in Australia. The malware contained code designed to target files on the Codan system,
specifically design information regarding the secure military radio system used by Australia and
its allies. These were the two main incidents reported; however, the program raised further
issues relating to this content in different scenarios.

It is paramount for the Australian government and businesses in general to consider the need to
develop safer and more secure networks that can minimize intrusion and provide a business
continuity roadmap for whenever an incident has occurred. The government's cyber security
agency should also provide standards to help secure businesses from being attacked. The recent
WannaCry ransomware, which infected 10,000 organizations and 200,000 individuals in over
150 countries, exemplifies the magnitude of the threat to information security.

For any organization to have a standard network for information security, three major basic
requirements need to function (Cheminod, M., Durante, L., & Valenzano, A., 2009).

The basic industrial requirements for information security include:

o Availability: the ability of network information to be readily accessible and usable upon
request by other entities.
o Integrity: the ability to guarantee and protect the accuracy of requested data, and that it
actually comes from the requested entity.
o Confidentiality: a guarantee of secrecy, an assurance that requested information is
undisclosed to unauthorized processes and individuals.

In support of this assertion, Mikko and Harri (2007) also classify confidentiality, availability,
integrity and non-repudiation of data as the most valued constituents and requirements for
supporting secure communication across a network.

Vulnerabilities and impacts


According to research by Schneider (2012), the registered number of vulnerabilities found in
websites, applications and browsers was higher than the number found in operating systems.
Figure 1.1 below shows the increase in malware on downloaded web content, which has remained
the greatest source of threat to government and business networks.

Table 1.1 shows threats faced by different organizations with the magnitude of impact

Threat: Cyber espionage on Bluescope
Impact: Bluescope Steel was one of the contractors involved in the construction of the new ASIO
headquarters; it was among several companies hacked by the Chinese for military and/or
political advantage. The ASIO building, being built near the location of Australia's top-secret
Defence Signals Directorate, was supposed to have some of the most sophisticated hacking
defences in the country, as part of a global electronic intelligence gathering network including
the US and the UK. (Agencies, 2013)

Vulnerabilities and countermeasures


Developing countermeasures against the identified vulnerabilities in the network can help
organizations remain safe when attacked. Table 2.1 below highlights the impacts and
countermeasures of threats faced by Australian Government departments and business
organizations as explained in the Four Corners program.

Table 2.1 impacts against countermeasures

Vulnerability: Compromised network information security standards
Countermeasures: It was presumed that the entire amount of information stored within the
Defence Restricted Network had been leached out over a number of years. The government
should increase its capacity to trace cyber threats and make Australia a harder target for
malicious cyber incidents, while reinforcing its ability to engage international and industry
partners. It should allow sharing of cyber issues with a range of countries, including China, with
an approach of constructive engagement that aims at achieving practical outcomes.
Recommendation: Developing a common understanding on the application of existing
international law, including the UN Charter, to cyberspace. Consulting closely with alliance
partners like the US on issues of cybercrime.

Vulnerability: Weak links used in cyber espionage
Countermeasures: The Australian Government agencies should develop strategies to mitigate
targeted cyber intrusions, and also standard procedures to deal with internal risk assessments,
which will help to improve protection against cyber espionage activities.
Recommendation: Using application whitelisting in an appropriate and well-managed computing
environment, it is possible to identify every executable file which should be allowed to run on a
system. This means that any unidentified executable file can be treated as suspicious at a
minimum and should be prevented from running. Daily backups of important new/changed data,
software and configuration settings, stored disconnected and retained for at least three months.
Test restoration initially, annually and when IT infrastructure changes.

Vulnerability: Denial of service attack
Countermeasures: On one hand, affected businesses like Codan should embrace the good
practice of having powerful, multitasking servers with the capacity to process the large volume
of requests that might originate from the attacker's end. On the other hand, across the network,
servers should be connected to Gigabit per second Ethernet channels in full duplex mode to
enable these servers to switch packet frames as soon as possible. This is in a bid to avoid link
congestion and free up the communication channel as much as possible, even during an attack.
Recommendation: Using the lightweight web server Nginx as a front end to Apache, with Apache
deployed at the back end, is highly recommended. This is due to Nginx's advantage of high fault
tolerance and lower consumption of system resources and memory for multiple requests (Ihor &
Yuri, 2012). Developing and implementing business continuity and disaster recovery plans
which are tested, documented and printed in hardcopy, with a softcopy stored offline. Focus on
the highest priority systems and data to recover.

Vulnerability: Unsolicited email attachments
Countermeasures: User training, education and awareness would have ensured staff understood
how personal information can be openly accessed, and made them suspicious of unwelcome
email with unexpected attachments that could run executable files on their systems.
Recommendation: Configure Microsoft Office macro settings to block macros from the Internet,
and only allow vetted macros either in 'trusted locations' with limited write access or digitally
signed with a trusted certificate.

Vulnerability: Failure to ensure that contractor services are adequately secure
Countermeasures: It was discovered that the blueprint of the new ASIO headquarters building
was stolen, together with the communications cabling structure, server locations, floor design
plan and security systems. This was the result of a cyber hit on the tendered contractor, and the
data was eventually exported to a server in China.
Recommendation: Contractors working for government projects should be vetted to meet the set
standards of information security.

Vulnerability: Skills and sophistication of cyber-crime groups
Countermeasures: These groups are increasingly professional and have industrialized their
criminal activity so they can act at scale. Some of these groups are now so well established and
business-like that they have well-defined organizational structures, access to specialist skills,
and functions like call centres and translators.
Recommendation: Operating system hardening based on a Standard Operating Environment,
disabling unneeded functionality (e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and
WPAD), would serve a great deal of network protection. Networks with classified information
should be isolated from accessing the internet. VPN encryption should be considered for
communication over the internet.

Vulnerability: Theft of intellectual property and data
Countermeasures: As stated, intellectual property of great value to the companies has been
stolen, significantly reducing their return on investment and negatively impacting the economy.
The government should establish a National Cyber Security Centre to act as a single point of
contact to simplify and strengthen government effort on cyber security and improve engagement
with industry.
Recommendation: Mounting a personal firewall on computers connected to the Internet.
Updating antivirus software with the latest virus signatures or malicious code definitions.
Installing an intrusion prevention system on the organization's computer network to detect and
prevent further attacks by eavesdroppers.

Vulnerability: Eavesdropping
Countermeasures: It was presumed that a factor of ten times the entire database, or the entire
amount of information stored within the Defence Restricted Network, was leaked over several
years; this included classified emails, basic reports and administrative information.
Recommendation:
o Deployment of encrypted connections, e.g. Hypertext Transfer Protocol Secure (HTTPS) and
Secure Shell (SSH), would offer better security by encrypting the data transmitted on the
Internet. Even if attackers can intercept the data, they cannot read or deface the information
easily.
o Employing Internet services with mutual authentication, such as Public Key Infrastructure
(PKI), to reduce the risk of Man-in-the-Middle attacks.

Vulnerability: Firewalls & Anti-Virus
Countermeasures: According to Kurpjuhn (2015), SMEs should use an advanced type of firewall
called Unified Threat Management (UTM). UTM is an improved version of the traditional
firewall which encompasses several functions, including gateway anti-virus, gateway anti-spam,
VPN, data leak prevention and network intrusion prevention.
Recommendation: Apply email content filtering that checks attachments against a whitelist of
allowed attachment types. Analyze hyperlinks, PDF and Microsoft Office attachments.
Quarantine Microsoft Office macros. Use antivirus with heuristics and reputation ratings to
check a file's prevalence and digital signature prior to execution. Use antivirus from different
vendors for gateways and computers.
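The two email-related recommendations in the table (an allowlist of attachment types, and quarantine of Microsoft Office macros) can be combined into one mail-gateway check. The following is an added example written for this page, not code from the Four Corners report or from any source it cites; the allowlisted extensions, the verdict names, and the sample message with its attachments are all constructed here for illustration. A macro-bearing Office document is detected by looking for a VBA project part inside the OOXML zip container, and an executable that has been renamed to an allowlisted extension is caught by its PE header rather than its name.

```python
"""Email attachment policy: allowlisted attachment types plus Office macro quarantine.

Added example, not code from the Four Corners report or any source it cites. It
implements the recommendations above (allowlist of attachment types, quarantine of
Microsoft Office macros) as a mail-gateway check. The allowlist, the verdict names
and the sample messages are constructed here for illustration.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types the organisation has chosen to accept (assumed allowlist).
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".png", ".jpg"}
OFFICE_OOXML = {".docx", ".xlsx", ".pptx"}
OFFICE_MACRO_ENABLED = {".docm", ".xlsm", ".pptm"}
# Parts inside an OOXML zip container that indicate an embedded VBA project.
MACRO_PART_MARKERS = ("vbaproject.bin", "vbadata.xml")


def office_has_macros(data: bytes) -> bool:
    """Return True if an OOXML payload (a zip container) carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [name.lower() for name in zf.namelist()]
    except zipfile.BadZipFile:
        return False  # not a zip container, so not an OOXML document
    return any(name.endswith(MACRO_PART_MARKERS) for name in names)


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment as 'allow', 'quarantine' or 'block'."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    # A Windows PE header under any file name (e.g. notes.txt) is an executable: block it.
    if data[:2] == b"MZ":
        return "block"
    # Macro-enabled Office types, or an Office document carrying a VBA project: quarantine.
    if ext in OFFICE_MACRO_ENABLED or (ext in OFFICE_OOXML and office_has_macros(data)):
        return "quarantine"
    # Everything else must match the allowlist; rfind() means "report.pdf.exe" is ".exe".
    if ext not in ALLOWED_EXTENSIONS:
        return "block"
    return "allow"


def check_message(msg: EmailMessage) -> dict:
    """Return {attachment filename: verdict} for every attachment in the message."""
    verdicts = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "unnamed"
        verdicts[fname] = classify_attachment(fname, part.get_payload(decode=True) or b"")
    return verdicts


def build_ooxml(with_macros: bool) -> bytes:
    """Build a minimal, constructed OOXML-style zip, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


def build_sample_message() -> EmailMessage:
    """Constructed sample message with one attachment per verdict class."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    ooxml = "vnd.openxmlformats-officedocument.wordprocessingml.document"
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(build_ooxml(False), maintype="application", subtype=ooxml, filename="terms.docx")
    msg.add_attachment(build_ooxml(True), maintype="application", subtype=ooxml, filename="macro_doc.docx")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="update.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="notes.txt")
    return msg


if __name__ == "__main__":
    for name, verdict in check_message(build_sample_message()).items():
        print(f"{verdict:10s} {name}")
```

Run as a script, the check prints one verdict per attachment: the plain PDF and the macro-free .docx are allowed, the .docx carrying a VBA project is quarantined, and both MZ-headed files are blocked regardless of their extension. A real gateway would hand the quarantined and blocked parts to the antivirus and reputation checks the table also recommends rather than deciding on extension and container structure alone.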

Mapping timelines against the incidents


Table 3.1 below maps the timeline of incidents against the failures of the company in regard to
information security which led to the incidents mentioned. The cyber threat is real and ever
present. Australia experiences increasingly sophisticated attacks in the public and private
sectors, as shown in the table.

Table 3.1 maps the timeline against the incidents that happened

Timeline: 2009
Incident: Exclusive images from Astrium, using the French Spot satellite, show the plant when a
virus called Stuxnet hit the nuclear facility's control systems. The shutting down of the satellite
and the attack on the Iranian facility served as a warning that infrastructure is in the front line.

Timeline: September 2011
Incident: China reportedly modified the virus and disabled an Indian telecommunications
satellite.

Timeline: February 2013
Incident: An American cyber security firm called Mandiant released a report directly implicating
China in cyber espionage, hacking into American government and corporate websites.

Timeline: May 2013, malware attack on the Codan company
Incident: ASIO reported that an employee of the company who was visiting China had malware
inserted into the company laptop whilst staying at a hotel, and it was this initial attack that
unlocked the front door to all of the company's data.

Timeline: 2013
Incident: In a meeting called by the Australian Signals Directorate, former IT manager Daryl
Peter was told the company had been seriously infiltrated by foreign hackers. Mr Peter believed
the hack was from China.

Table 3.2 shows the risk matrix of the impact of an attack against controls, with likelihood as one
axis and ratings ranging from Low through Medium and High/Medium to High and Very High.

Figure 2.1 below demonstrates how teams of information security personnel must guard their
respective organizations against dangerous and debilitating threats.

Mitigation Strategies to protect Information Systems

Restrict administrative privileges. Accounts with the highest privileges in organizations and
government departments are the main target for attackers; limiting and tightly controlling them
acts as the first line of defense.

Perform and enforce application whitelisting on organization and government networks, so that
only authorized applications are allowed to run.

Implement defense in depth in affected organizations and government departments. Do not rely
on one single technology or defensive measure; have multiple security controls in case one
approach fails.
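The application whitelisting mitigation above, and the same recommendation in Table 2.1, rests on identifying every executable that is permitted and refusing everything else. The following is an added example written for this page, not code from the Four Corners report or any source it cites: it identifies executables by SHA-256 digest rather than by file name, so a tampered binary is denied even when it carries an approved name, and an approved binary still runs under a different name. The sample binaries, their temporary directory, the allowlist and the audit/enforce modes are all constructed here for illustration.

```python
"""Hash-based application allowlisting check (audit and enforce modes).

Added example, not code from the Four Corners report or any source it cites. Only
executables whose SHA-256 digest is on an approved list may run, so a renamed or
tampered binary is judged by its content rather than its name. The sample binaries,
their directory and the allowlist are constructed in-code for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def decide(path: Path, allowlist: set, enforce: bool = True) -> str:
    """Return 'run' if the digest is approved; otherwise 'deny' (enforce) or 'audit'."""
    if sha256_of(path) in allowlist:
        return "run"
    # Audit mode records unknown executables without blocking them, which is how an
    # allowlist is usually tuned before enforcement is switched on.
    return "deny" if enforce else "audit"


def build_sample_environment(tmp: Path):
    """Write constructed sample binaries and derive the allowlist from the approved ones."""
    approved = {
        "editor.exe": b"MZ approved editor build 1",
        "browser.exe": b"MZ approved browser build 7",
    }
    unknown = {
        "invoice_viewer.exe": b"MZ unknown binary dropped by an email attachment",
        "editor_tampered.exe": b"MZ approved editor build 1 with an injected patch",
        "renamed_editor.exe": b"MZ approved editor build 1",  # same bytes as editor.exe
    }
    files = {}
    for name, content in {**approved, **unknown}.items():
        target = tmp / name
        target.write_bytes(content)
        files[name] = target
    # The allowlist is built from digests of the vetted binaries only.
    allowlist = {sha256_of(files[name]) for name in approved}
    return files, allowlist


def run_check(enforce: bool = True) -> dict:
    """Evaluate every sample binary and return {file name: decision}."""
    with tempfile.TemporaryDirectory() as tmpdir:
        files, allowlist = build_sample_environment(Path(tmpdir))
        return {name: decide(path, allowlist, enforce) for name, path in files.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("enforce" if mode else "audit", run_check(enforce=mode))
```

In enforce mode the two vetted binaries run, the renamed copy of the editor also runs because its digest matches, and both the unknown viewer and the tampered editor are denied; in audit mode the same two are reported as "audit" instead, which is the data an administrator uses to complete the allowlist before enforcing it.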

Figure 2.2 shows the different levels of security that can be implemented to harden IT systems

(wsu.edu, 2017)

Conclusion
The attacks on government departments have a significant impact on Australia's national security
and economic prosperity. Therefore, more robust network security implementation should be
considered. By accessing the state departments, attackers gain an advantage over Australia's
economic, foreign policy, defence and security information.

References
Schneider, D. (2012). Retrieved July 26, 2012, from http://ac.els-cdn.com/S1353485812700168/1-s2.0-S1353485812700168-main.pdf?_tid=4f5972213f6c73424a377aa3639e4d06&acdnat=1342459789_2caf69b6920cf61149028623c865b481

Todd, M. S., & Rahman, S. M. (2013). Complete Network Security Protection for SME's within
Limited Resources. International Journal of Network Security & Its Applications, 5(6), 1-13.
http://dx.doi.org/10.5121/ijnsa.2013.5601

http://www.foresightconsulting.com.au/resources/docs/T4MM.pdf

Wahlert, G. (1998). Crime in Cyberspace: Trends in Computer Crime in Australia. Conference
paper: Internet Crime, held in Melbourne by the Australian Institute of Criminology.

(2017). Retrieved 8 May 2017, from

Whitman, M., & Mattord, H. (2012). Principles of Information Security (1st ed.). Boston, Mass.:
Course Technology.

(2017). Retrieved 18 May 2017, from
https://conferences.wsu.edu/forms/emergencyprep/presentations12/E5_Cliff%20Glants.pdf
