The Weekly Cybers #26
Australia and allies blame China for APT40 cyber espionage, dating apps agree to a code of conduct, and experts ask whether Australia needs an infowar militia.
Welcome
For the next few weeks we’re in the midst of Canberra’s winter break. This means there’s less than the usual amount of parliamentary and legislative action. But that hasn’t stopped some big stories emerging.
Top of the list is Australia leading a very public attack on China for sponsoring cyber espionage. Everyone spies on everyone else, of course, so while I can report the reporting, I’ll leave you to speculate on why this is being said in this way and at this time.
There’s also a discussion paper on setting up a national infowar militia, a new dating app code of conduct, and a plethora of smaller items. Enjoy.
Australia and friends blame China for APT40
Australia and a range of its allies have called out China for sponsoring cyber espionage group APT40. It’s the first time Australia has specifically blamed China.
The Australian Signals Directorate issued a detailed advisory directly naming the PRC Ministry of State Security (MSS).
The PRC state-sponsored cyber group has previously targeted organisations in various countries, including Australia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally... This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department.
The advisory, led by Australia, was jointly authored with cybersecurity and intelligence agencies from Canada, Germany, Japan, New Zealand, South Korea, the US, and the UK. It details the tactics, techniques, and procedures (TTPs) which the agencies say are a signature of MSS-sponsored cyber operations.
Unsurprisingly, China has denied the accusations, saying it is “firmly opposed to such repeated hypes”.
“We urge relevant parties to open their eyes and make the right judgement, rather than serving as the cat’s paw at their own expense.” — Chinese foreign ministry spokesperson Lin Jian.
APT40 is also referred to as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk in industry reporting.
Every cybersecurity company gives its own names to newly-discovered threat actors. Two of the most comprehensive cross-references are Malpedia and the groups database at MITRE ATT&CK.
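The practical problem behind those cross-references is that vendor names for the same group differ only in case and spacing, and occasionally the same name is attached to different groups by different sources. The following is an added example, not code from the newsletter, MITRE or Malpedia: it builds an alias index from a bundle in the shape of ATT&CK's STIX export (intrusion-set objects with a canonical `name` and an `aliases` list) and resolves names case-insensitively, refusing to guess when an alias is ambiguous. The bundle is constructed for illustration; the APT40 aliases are the ones quoted above, "Leviathan" is assumed here as the canonical name, and "Example Group" is invented only to show a collision.

```python
"""Resolve vendor threat-actor aliases against an ATT&CK-style STIX bundle.

Added example, not from the newsletter or MITRE. The bundle below is
constructed in the shape of ATT&CK's STIX export (intrusion-set objects
with a canonical ``name`` and an ``aliases`` list); real data comes from
the MITRE ATT&CK or Malpedia downloads.
"""
import json
from collections import defaultdict

# Constructed sample bundle. The APT40 aliases are those quoted in the
# newsletter; "Leviathan" as canonical name is an assumption, and
# "Example Group" exists only to show an alias collision.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "name": "Leviathan",
         "aliases": ["Leviathan", "APT40", "Kryptonite Panda",
                     "GINGHAM TYPHOON", "Bronze Mohawk"]},
        {"type": "intrusion-set", "name": "Example Group",   # constructed
         "aliases": ["Example Group", "Bronze Mohawk"]},     # deliberate clash
        {"type": "malware", "name": "not-a-group",           # must be skipped
         "aliases": ["ignored"]},
    ],
})


def _norm(name):
    # Vendor names differ only in case and spacing ("GINGHAM TYPHOON" vs
    # "Gingham Typhoon"), so normalise before indexing.
    return " ".join(name.lower().split())


def build_alias_index(bundle_json):
    """Map normalised alias -> set of canonical group names."""
    index = defaultdict(set)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "intrusion-set":
            continue  # malware, tools and campaigns also carry aliases
        canonical = obj["name"]
        for alias in [canonical] + obj.get("aliases", []):
            index[_norm(alias)].add(canonical)
    return dict(index)


def resolve(index, name):
    """Return the single canonical name, or raise on unknown/ambiguous input.

    Ambiguity is raised rather than guessed: a name that two sources
    attach to different groups is exactly the case where a silent pick
    would mislead an analyst reading a vendor report.
    """
    matches = index.get(_norm(name), set())
    if not matches:
        raise KeyError(f"unknown threat actor name: {name!r}")
    if len(matches) > 1:
        raise ValueError(f"ambiguous name {name!r}: {sorted(matches)}")
    return next(iter(matches))


def aliases_of(index, canonical):
    """All normalised aliases that point at a given canonical name."""
    return sorted(a for a, groups in index.items() if canonical in groups)


if __name__ == "__main__":
    idx = build_alias_index(SAMPLE_BUNDLE)
    for n in ["apt40", "Gingham Typhoon", "Bronze Mohawk", "Unknown"]:
        try:
            print(f"{n!r} -> {resolve(idx, n)}")
        except (KeyError, ValueError) as exc:
            print(f"{n!r} -> {exc}")
```

Swapping the constructed bundle for the real ATT&CK enterprise STIX file is the only change needed to run this over live data; the ambiguity branch is the part worth keeping, since collisions between vendor naming schemes are common enough that a lookup which always returns one answer is quietly wrong.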
While this is the first time Australia has formally named-and-shamed China, this approach has previously been used with Russia.
In 2018, Australia and its allies blamed Russia for the NotPetya cyber operation against Ukraine as part of a coordinated diplomatic act.
Does Australia need an infowar militia?
Australia should set up a “cyber intelligence and information militia”, according to a new discussion paper from the Social Cyber Institute titled Crowdsourcing an Australian cyber intelligence and information militia (PDF).
Such an organisation might resemble the renowned Coastwatchers of WW2, a volunteer organisation set up in the aftermath of WW1.
Indeed, in honour of the significant contribution made to Australia’s defence by the ‘coast watchers’, perhaps the proposed ‘cyber intelligence and information militia’ discussed here could be referred to as the ‘cyber watchers’?
The author, Professor Dan Svantesson of Bond University, notes that Australians are already volunteering in the ongoing information war — including in NAFO, the North Atlantic Fella Organization.
NAFO is a virtual community of like-minded people that was formed in response to the Russian 2022 full-scale invasion of Ukraine. Its members engage in the following activities: “countering Russian propaganda and disinformation; trolling of Russian officials and official Russian organizations; support of Ukrainian officials and organizations; and fundraising to support Ukraine and its army.”
On a possibly more serious note, Estonia has already established a cyber reserve capability, and in 2022 Sweden created its Psychological Defence Agency.
The idea of an Australian cyber militia isn’t new.
Professor Greg Austin, coincidentally a co-founder of the Social Cyber Institute, proposed an Australian Cyber Civil Corps in 2016.
And way back in 2012, cyber grandee Professor Bill Caelli pondered the possibility of a cyber posse. Under common law, on which the laws of the US and Commonwealth countries are based, a county sheriff or other law officer can conscript any able-bodied males to assist in keeping the peace, or to pursue and arrest a felon.
The Social Cyber Institute is hosting a webinar on Thursday 25 July, Is Australia prepared to defeat information warfare?, which will explore these ideas further.
On a related note, a recent episode of the Between Two Nerds podcast from Risky Business observed that if a nation state were sponsoring a physical attack we’d expect our armed forces to protect us, yet when it’s a state-sponsored cyber attack we’re largely on our own, told simply to fix our own cybersecurity defences.
Perhaps this points to the need for something less like a cyber militia and more like a cyber State Emergency Service?
Dating apps adopt new industry code
A “world-leading code”, according to the government, has been adopted by a dating app industry group consisting of Match Group (check out all the services they own), Bumble, Grindr, Spark Networks, RSVP, and the ParshipMeet Group.
According to the press release, the companies have agreed to:
- Implement systems to detect potential incidents of online-enabled harm;
- Take actions against end-users found to have violated online safety policies, including terminating accounts across all services operated by that company;
- Implement prominent, clear and transparent complaint and reporting mechanisms;
- Provide support resources for Australian users in relation to safe dating practices and online enabled harms;
- Publish regular transparency reports detailing the number of Australian accounts terminated and content moderation processes; and
- Improve engagement with Australian law enforcement, including proactive escalation of complaints where there is an imminent threat to the safety of a complainant.
There will also be an independent Code Compliance Committee made up of three members of the public:
One person admitted to practice as a solicitor, one person with experience relating to online safety, sexual or gender-based violence or public policy, and one with experience in social networking technology platforms.
The code is meant to be in operation within three months, and nine months after that it will be reviewed by the eSafety Commissioner.
Also in the news
- NATO will launch four projects with Indo-Pacific partners, namely Australia, Japan, South Korea, and New Zealand, including AI and cyber. Remember, the NA in NATO stands for South Pacific.
- As InnovationAus reports, “Australia will spend almost $3 million on the development of digital identity infrastructure for Pacific Island nations as part of the Albanese government’s effort to counter China’s influence in the region”.
- Also, “Lax privacy and data laws mean Australians need to spend more than two minutes to adjust privacy settings on individual websites and apps, compared to just three seconds for Europeans, while terms and conditions would take 14 hours to actually read”.
- Bugs at the Australian Taxation Office incorrectly revived 600 historic tax debts, including some “false debts” that were higher than what was actually owed.
- Home Affairs secretary Stephanie Foster has ordered a comprehensive audit of all internet-facing technology used by Commonwealth agencies. As ABC News reports, the instructions come at a time of rising concerns about foreign interference and influence threats.
- The new Freedom of Information commissioner Elizabeth Tydd says they’re shifting the backlog of cases for the first time in eight years, even though applications have increased by another 7%.
- The Australian Digital Health Agency (ADHA) has budgeted $49 million for real-time monitoring of prescriptions, having recently taken over this task from the Department of Health and Aged Care.
- The Australian Communications and Media Authority has found that Telstra breached its licence after disclosing the details of more than 140,000 customers who requested to have their numbers unlisted.
- The commentary against the idea of social media bans for young people continues, with LGBTQ+ advocates saying young queer people fear potential isolation and loss of connection.
- The rules for Australia’s Digital ID system were watered down to allow the data to be stored outside Australia. Electronic Frontiers Australia is not impressed, writing that the government has caved in to the banks and Big Tech.
- At The Mandarin, Julian Bajkowski has some excellent snark about the Digital Transformation Agency (DTA) and its thoughts on AI in the public service.
- Finally, Bajkowski also notes that Sunday 7 July “marked the passing of a full year since the release of the report of the Royal Commission into the Robodebt Scheme, and with it the prolonged absence of any tangible information, or indeed names of those public servants being investigated, sanctioned or cleared for alleged breaches of the Australian Public Service Code of Conduct”.
Data breaches and hacks of note
- Not a successful hack, but “Wesfarmers-owned Catch.com.au has undergone a web application protection upgrade, partially in response to its first significant distributed denial-of-service attack in 2022,” reports iTnews.
Elsewhere
- This year’s AusCERT 2024 cybersecurity conference was held in May and now we have all the videos.
- Certain OzBargain users have found a way to hack KFC for cheap chicken.
What’s next?
Parliament is on its usual long winter break until Monday 12 August.
Committee work continues, however. The Select Committee on Adopting AI has public hearings in Canberra on Tuesday 16 and Wednesday 17 July.
Any questions or comments? Just reply to this email. Cheers.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber *security* newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.