At a glance.
- Contact tracing systems and privacy.
- Influence operations shift tactics.
- Australia's government warns of an active state-directed cyber campaign against its agencies, universities, and businesses.
Contact-tracing apps continue to face privacy concerns.
The UK is the latest country to abandon a centralized approach to contact-tracing. The BBC reports that the government has decided to abandon its centralized NHSX-developed system in favor of adopting the decentralized Apple-Google contact-notification model. The Telegraph characterizes the attempt to develop a centralized tracer as a "fiasco," accomplishing nothing beyond losing months before coming around to an alternative system the government might have had at the outset.
Canada's contact-tracing app is due to be rolled out in beta on July 2. Global News writes that outside experts have given the app good reviews, but that Canada's federal privacy commissioner has yet to complete its own review.
Influence operations shift from "platform manipulation" to "overt state assets."
In a House Intelligence Committee virtual hearing yesterday, the Hill reports, witnesses from both Twitter and Facebook testified that state-run disinformation efforts haven't abated but have instead changed tactics. Because the platforms have become more vigilant for, and effective against, coordinated inauthenticity, intelligence services are making greater use of "overt state assets," that is, media outlets controlled by, and generally understood to be controlled by, their governments.
Australia doesn't say they've done so, but in effect they've fired a shot across China's bow.
Australia’s Prime Minister Morrison has said that Australia is under massive and sustained cyberattack. “We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used,” the Wall Street Journal quotes the Prime Minister as saying. He added that all levels of government and most economic sectors are among the targets.
The actor may be sophisticated, but most observers aren’t moving from that to a conclusion that the attacks themselves are advanced or complicated. (The Guardian’s discussion is representative.) To judge from yesterday’s Australian Signals Directorate advisory, the attacks mostly hit known vulnerabilities with “copy-and-paste” open-source, proof-of-concept exploit code used against public-facing sections of the infrastructure. For the most part the state-based cyber actors are going after a remote code execution vulnerability in unpatched versions of Telerik UI. In other cases they’re chasing a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability, or a 2019 Citrix vulnerability.
When that approach fails, the attackers resort to familiar spearphishing. “This spearphishing has,” the ASD warned, “taken the form of:
- “links to credential harvesting websites
- “emails with links to malicious files, or with the malicious file directly attached
- “links prompting users to grant Office 365 OAuth tokens to the actor
- “use of email tracking services to identify the email opening and lure click-through events.”
The state-based actor has shown some talent for conducting reconnaissance of target networks to identify vulnerable services, and ASD thinks the actor may be assembling and maintaining a list of public-facing services so it can hit them quickly after new vulnerabilities are released and before the targets get around to patching them. They’re also pretty good at identifying development, test and orphaned services that tend to be overlooked or even forgotten by the organizations that own them. These activities do argue for a good degree of intelligence and sound management. If we understand “sophisticated” to refer to a solid understanding of how to service targets as opposed to the more usual connotation of exotically crafted, never before seen malware, then perhaps the Prime Minister has a point: in that sense, the state-based group can indeed be called “sophisticated.”
So, OK, we keep saying “state-based group” because that’s what Mr. Morrison calls them. But straight-up, friends, we’re obviously talking about China. The Prime Minister has refused to be drawn on attribution, but he’s generally believed to be describing a Chinese government campaign. ZDNet quotes think-tank sources to the effect that this particular “frog has been boiling for years,” which raises the question of why the Prime Minister would choose this moment to issue his warning. Other sources, for the most part former officials, are telling the Australian Broadcasting Corporation that the campaign may represent payback for Australia’s hard line on Huawei.
So there seems to be a mutual dance of deniable accusation going on here. China hasn’t yet commented on Prime Minister Morrison’s press conference, but it’s denied involvement in recent high-profile attacks on Australian institutions, including Parliament. Those denials haven’t been widely believed. The Prime Minister may have two motivations in making his statement. First, he’s offering China a veiled warning. And second, he’s also interested in changing behavior in his own government agencies: keep your systems patched and well-administered.