March 2024
Your monthly readout of the Australia and New Zealand cyber threat environment from the desk of CyberCX Intelligence. Cyber Adviser cuts through the noise – delivering you insights and expert analysis in 5 minutes or less.
By the numbers
Case files
I-Know what you did last summer: Leaked documents highlight extent of private sector involvement in China’s state-sponsored cyber campaigns
In mid-February, two employees leaked a repository of internal documents and messages from the Chinese private security company I-Soon, an organisation believed to have conducted work for several Chinese government organisations, including the Ministry of Public Security, the Ministry of State Security and the People’s Liberation Army. Leaked documents indicated that I-Soon had capabilities for cyber reconnaissance and espionage. Chat logs confirm that at least one aspect of I-Soon’s revenue model involved contracts from a Chinese government agency to collect foreign intelligence that could then be sold to other Chinese government agencies. I-Soon’s targeting scope included at least 45 different countries, including Australia, and 15 different sectors.
So what? China’s government is known to leverage Chinese private sector organisations to conduct cyber-enabled espionage. By doing so, Chinese cyber and military agencies can benefit from industry capability to achieve strategic and economic objectives, while maintaining a degree of separation which clouds attribution.
They did SWAT?: Cyber extortion gang pressures individual patients after cancer centre attack
In late November 2023, the medical records of more than 800,000 patients of a US-based cancer centre were stolen by a cyber extortion group known as Hunters International. After the cancer centre refused to pay a ransom, Hunters turned their attention to individual patients in December 2023 and January 2024. Some patients were offered the “opportunity” to pay US$50 to have their personal and medical information removed from the dark web. Others were reportedly threated with violence and swatting – the act of making a hoax call to emergency services to trigger a high-impact police response to a specific location, typically the victim’s home.
So what? CyberCX Intelligence is tracking a trend of ‘harm maximisation’ among cyber extortion groups. Some groups continue to experiment with escalating (and morally reprehensible) tactics to increase pressure on victims to pay ransoms. Harm maximisation tactics can attract widespread media attention and have significant, lasting impacts on both victim organisations and the wellbeing and safety of their downstream customers.
Under the radar: Corporate espionage without a trace
In early February, security researchers from Group-IB uncovered hack-for-hire espionage campaigns targeting organisations in Southeast Asia and the Pacific, including Australia. The primary objective of the campaigns, carried out by Russian-language threat actor RedCurl, was obtaining commercially sensitive data. Targeted organisations spanned multiple sectors including construction, logistics, aviation and mining. First observed in 2019, RedCurl has exclusively engaged in corporate espionage, deploying custom tools and tradecraft in persistent and highly capable campaigns. RedCurl favours highly targeted social engineering and spear-phishing as initial access vectors.
So what? CyberCX Intelligence is advising Australian and New Zealand organisations in a range of sectors to consider updating their threat models to include hack-for-hire entities. These groups are accessible to everyone, operating for the highest bidder to acquire sensitive commercial information. Hack-for-hire threat actors like RedCurl are highly capable and designed to be stealthy; just because you didn’t see it, doesn’t mean it didn’t happen.
Environment scanning
In late January, the Australian Government made use of its 2021 cyber sanctions framework legislation for the first time, imposing sanctions on Russian national Aleksandr Ermakov for involvement in the Medibank Private cyber attack. The sanctions prevent Australian entities from paying future ransoms to Ermakov and reflect the Australian Government’s continued efforts to disrupt cyber criminals.
In mid-February, international law enforcement disrupted the prolific LockBit cyber extortion operation, taking down 34 servers, 200 cryptocurrency accounts and taking control of the group’s technical infrastructure and leak site. Within days, LockBit begun to re-constitute its infrastructure, underlining the robust business model of cyber extortion and the challenges of law enforcement disruptions in cyberspace.
In late February, the Australian Government endorsed a world-first cyber governance handbook for Australian company directors which sets standards on how to prepare for, and respond to, cyber incidents at the executive layer of an organisation. In the event of a dispute, a court might look to these principles to baseline what “reasonable steps” executives might take in relation to managing their company’s cyber risk.
In late February, Australia’s Director-General of Security, Mike Burgess, delivered his annual Threat Assessment. During his address, Burgess called out the prolific (and successful) targeting and recruitment of Australian individuals and organisations by the “A-team” to support espionage and foreign interference. It was later confirmed the A-team was a reference to China’s Ministry of State Security. Burgess also raised concerns about the threat of sabotage, confirming foreign nation-states have targeted Australian critical infrastructure with preparatory and reconnaissance activity.
In case you missed it: Get CORIE ready
In February, CyberCX Intelligence Technical Principal Diego Silva joined other CyberCX practitioner experts to deliver a webinar on what critical infrastructure organisations need to know about the Cyber Operational Resilience Intelligence-led Exercise (CORIE) Framework. CORIE has been specifically developed by Australia’s Council of Financial Regulators and reflects a global best practice approach to cyber exercises. You can watch on demand here, or check out this blog post.
In case you missed it: Finding the ‘floor’ in AI cyber risk
In February, CyberCX Intelligence Lead Analyst Oliver Smith released a blog post describing how he developed a malicious voice phishing AI capability using current generation, open source AI models operated on consumer-grade hardware. Oliver’s phishing capability showcases how current AI capabilities represent a ‘floor of risk’ in 2024, compared to what we can expect in future years. Read the blog post here.
Subscribe to Cyber Adviser
Receive the latest cyber insights and expert analysis, straight to your inbox.
About CyberCX Intelligence
CyberCX Intelligence is a uniquely Australia and New Zealand focused capability, with unparalleled visibility into the AUNZ cyber threat landscape. We have the information, access and context to give our partners a decision advantage. Our partners receive:
- Actionable, contextualised intelligence, analysed by experts in AUNZ threat analysis
- Sector and organisation-specific insights that are relevant and timely
- High value, low volume artefacts that help their information overload, not add to it
- A two-way partnership with intelligence designed for your organisation and how you plan to use it.