May 2023
Welcome to the May edition of Cyber Adviser, a monthly readout of insights and expert analysis from the CyberCX Cyber Intelligence desk.
As the cyber environment continues to rapidly evolve, Cyber Adviser cuts through the noise and gives you visibility of what matters most – all in 5 minutes or less.
Last month by the numbers
Sabotage ready? Five Eyes agencies attribute critical infrastructure prepositioning to a Chinese nation-state actor
On 25 May, the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre joined Five Eyes partner agencies in attributing a cluster of US critical infrastructure targeting to a Chinese nation-state actor. Industry sources assess that this threat actor (also tracked as Volt Typhoon, UNC3226 and Bronze Silhouette) is likely seeking capability to disrupt critical communications infrastructure between the US and Asia during future crises. Five Eyes partners have advised that the threat actor could apply the same techniques against the communications and other sectors worldwide.
This Chinese nation-state actor has been engaged in espionage and prepositioning activities since 2021 and uses living-off-the-land techniques to evade detection. It has a strong operational security focus and compromises commonly used small office/home office (SOHO) infrastructure to blend in with normal network activity.
Australia and New Zealand’s joint attribution of this activity reflects the region’s deteriorating geopolitical and cyber threat environment. Australian government officials have warned of the risk of foreign governments prepositioning in critical infrastructure for years, particularly in justifying the need for Security of Critical Infrastructure regulatory reform. The ACSC also warned last year that up to 200,000 Australian SOHO routers are vulnerable to compromise including by state actors.
But this is the first time Australia or New Zealand have publicly attributed behaviour that industry has associated with prepositioning for sabotage to a Chinese nation-state actor. CyberCX assesses that it is almost certain that nation-state actors have prepositioned in Australian critical infrastructure. The likelihood that this access is used for disruptive or destructive cyber attacks would increase should Australia’s geopolitical circumstances sharply deteriorate.
Canadian gas pipeline: Cyber criminals hand off access to Russian government
A leaked exchange between pro-Russian cyber criminal group, Zarya, and the Russian Federal Security Service (FSB) indicates that Russian intelligence services almost certainly cooperate with pro-Russian cyber crime groups. Zarya claimed to have access to a Canadian gas pipeline and the capability to “increase valve pressure, disable alarms, and initiate an emergency shutdown of an unspecified gas distribution station.” Zarya was apparently on standby for instructions from the FSB, which “anticipated a successful operation would cause an explosion”.
The exchange appeared in the “Pentagon leaks”, purported leaked US intelligence documents widely reported in media in April 2023. Commenting on the leaks, the head of the Canadian Centre for Cyber Security confirmed that an incident had taken place, but that no physical damage had occurred. He described the incident as “a call for action to the critical infrastructure sector”.
This incident likely represents the most significant instance of publicly known pro-Russian criminal activity against a NATO country since the start of the Russia-Ukraine war. It indicates that, among the torrent of low sophistication attacks and dubious claims by some pro-Russia groups, others have the intent and capability to conduct serious attacks that rise to the level of posing a risk to life.
Medusa Team
Cyber extortion group, Medusa Team, targeted two new Australian victims in the last month: a cancer treatment centre and a Catholic school.
In mid-May, Medusa Team published sensitive data it hacked from a gynaecological oncologist associated with the Crown Princess Mary Cancer Centre, including sensitive patient records. The cyber criminals had given the cancer centre a week’s deadline to pay a $100,000 ransom for the data.
On 22 May 2023, Medusa Team listed a $200,000 ransom for data from Loreto Normanhurst, the largest girls’ boarding school in NSW. The school has been given a week to pay the ransom or have their data published.
Several cyber criminal operations use “Medusa” as part of their branding, including Medusa Locker and Medusa Stealer. We assess there is a real chance Medusa Team is a standalone operation with discrete tradecraft and indicators.
Quality over quantity: New ‘big game hunting’ extortion group could target high-profile Australian and New Zealand organisations
A new cyber extortion group calling itself Money Message has been active since at least January 2023. As of May, Money Message has seven organisations listed on its dedicated leak site, including the Bangladeshi national airline and computer component manufacturer, Micro-Star International. The high rate of initial activity suggests that Money Message has the potential to become a prominent ‘big game hunting’ double extortion threat actor.
CyberCX is not aware of Money Message targeting Australian or New Zealand organisations. But we assess there is a real chance it will do so in the next three months.
CyberCX has not observed Money Message recruiting for affiliates, indicating that the actor may operate as a traditional criminal group rather than using the ransomware-as-a-service model. Money Message appears to prioritise quality of targeting over quantity. Large, high-profile organisations with substantial annual revenue are most at risk from this new actor.
About CyberCX Intelligence
CyberCX Intelligence is a uniquely Australia and New Zealand focused capability, with unparalleled visibility into the AUNZ cyber threat landscape. Our intelligence leverages CyberCX’s significant operational and advisory experience including:
- Case files from incident responses managed by our Digital Forensics and Incident Response practice, the largest DFIR team in the region.
- Telemetry collected by our Managed Security Services practice across 100+ Australian and New Zealand client networks.
- Insights collected by our Security, Testing and Assurance practice across 3,000+ penetration tests annually.