Over the past week, the Australian government has made several statements about a recent increase in cyber-attacks against the country's organizations and companies. According to the government, behind the attacks is a "sophisticated" adversary relying on slightly modified proof-of-concept code for previously disclosed vulnerabilities. Unofficial sources, however, appear to be blaming China.
The attacker targets public-facing infrastructure with remote code execution exploits; a common choice is unpatched versions of Telerik UI.
The tools used by the intruder make attribution in any particular direction difficult, although the Australian government is confident that the adversary is state-linked.
While the prime minister has declined to comment on the allegations, he said: "There are not many people who can carry out such attacks."
One link to China is the fact that the threat actor uses malware associated with Chinese hacking teams, some of which are believed to operate on behalf of the government.
In the list of Indicators of Compromise (IoCs) provided by the ACSC, one sample stands out: Korplug, a name that appears in an ESET report on OceanLotus, a group believed to be based in Vietnam.
However, this particular sample is PlugX; ESET classifies it as Korplug because the two malware families share a specific DLL side-loading technique.
PlugX has been around since at least 2008 and has been cited by many cybersecurity companies in connection with China-linked offensive campaigns. In the attacks reported by the ACSC, the malware was used to load a Cobalt Strike payload.
A 2015 report from Palo Alto Networks links the malware to DragonOK, a group the company tied to China two years later.
In a newer report released this year, Avira says the Mustang Panda threat group used PlugX and Cobalt Strike payloads against victims in Hong Kong, Vietnam, China, and Australia.
At least 10 China-linked threat actors have been involved in espionage campaigns using PlugX. Among them are:
- Deep Panda
- Mustang Panda
- Roaming Tiger
The fact that the malware is used by so many groups makes it difficult to attribute specific responsibility for the cyber-attacks in Australia, but the presence of PlugX alone makes it easy to see why senior government officials would single out China as the prime suspect.