Australia takes rare step of blaming China for backing cyberattacks
By David Crowe
The Albanese government has taken the rare step of blaming China’s Ministry of State Security for backing malicious cyberattacks by a hacking group on Australian computer systems.
Defence Minister Richard Marles and Foreign Minister Penny Wong went public with the alert on Tuesday morning in a co-ordinated move with overseas security agencies to release details about the way hacking group APT40 managed to exploit Australian systems.
It is the first time Australian agencies have taken the lead in attributing cyberattacks to APT40 and naming the Ministry of State Security as a sponsor of the operations, after two years of diplomatic work to improve relations with China.
The Australian move comes four months after the New Zealand government blamed the same hacking group for attacks on the Parliamentary Counsel Office and the Parliamentary Service, while the United Kingdom has also blamed it for targeting members of parliament.
Marles flies to the United States this week to represent Australia at the NATO summit, as the North Atlantic security alliance considers the impact on global security of China’s rise and its support for Russia in its war in Ukraine.
“The Albanese government is committed to defending Australian organisations and individuals in the cyber domain, which is why for the first time we are leading this type of cyber attribution,” Marles said in a statement.
“This attribution is a product of the Australian Signals Directorate’s diligent work to uncover this malicious cyber activity and is a key part of ensuring Australians remain safe from cyberattacks.
“In our current strategic circumstances, these attributions are increasingly important tools in deterring malicious cyber activity.”
Wong said the government engaged with China “without compromising” on what was important for Australia, while Home Affairs Minister Clare O’Neil said in the same statement that cyber intrusions from foreign governments were one of the most significant threats the country faced.
None of the ministers named APT40 or the Chinese ministry in their public remarks, but the formal notice from the Australian Signals Directorate – an agency that reports to Marles as defence minister – issued details about specific attacks naming the hacking group and the ministry.
“APT40 is actively conducting regular reconnaissance against networks of interest in Australia, looking for opportunities to compromise its targets,” the agency said.
“The group uses compromised devices, including small-office [and] home-office devices, to launch attacks that blend in with legitimate traffic, challenging network defenders.”
The Chinese embassy in Canberra said China was a major victim of cyberattacks and used lawful methods to tackle them.
“We oppose any groundless smears and accusations against China. Keeping the cyberspace safe is a global challenge,” the spokesman said.
“China does not encourage, support or condone attacks launched by hackers.”
In a detailed technical explanation of the attacks, the agency outlined separate incidents during 2022 in which APT40 accessed Australian systems, changed passwords and operated within the networks for some time.
The alert did not mention any incident since 2022, but it said APT40 “continues to find success” in exploiting vulnerable systems, such as old devices that were no longer maintained or were “unpatched” with the latest security upgrades.
Prime Minister Anthony Albanese sought to improve relations with Beijing three weeks ago during a visit to Canberra by Chinese Premier Li Qiang, highlighting the easing of Chinese trade restrictions while emphasising the need for a “secure and stable” region.
The Australian security alert on Tuesday morning was co-ordinated with agencies in the US, UK, Canada and NZ – the other members of the Five Eyes intelligence alliance alongside Australia.
In a sign of increasing co-operation on cyberattacks, the Australian Signals Directorate also worked with agencies from Japan, South Korea and Germany in tracking APT40.
“Notably, APT40 possesses the ability to quickly transform and adapt vulnerability proofs of concept for targeting, reconnaissance, and exploitation operations,” the US Cybersecurity and Infrastructure Security Agency said in a statement.
“APT40 identifies new exploits within widely used public software such as Log4J, Atlassian Confluence and Microsoft Exchange to target the infrastructure of the associated vulnerability.”