Chinese hackers attack Australia using ‘invisible’ tool
A group associated with the Chinese military used an "invisible" cyber-attack tool to try to hack into a computer in the office of an Australian state premier, giving the operative access to extensive data and files, according to a new report.
The only reason the attack failed on the office of WA Premier Mark McGowan, using a hack tool called Aria-body which has new capabilities to avoid detection, was because the attachment it was linked to was sent to the wrong email address, the New York Times reported.
The explosive claims come as tensions between Australia and China continue to rise over Beijing's refusal to co-operate with calls for an inquiry into the origins of the coronavirus.
And an Australian defence expert has warned that China has "industrial-scale" capacity to launch attacks against western governments, with "tens of thousands" of operatives working in cyber espionage.
According to the Times report, an email with a seemingly harmless Word document attached was sent from the Indonesian Embassy in Canberra on January 3 to a member of Mr McGowan's staff who worked on health and ecological issues.
The recipient reportedly knew the supposed sender.
But the attachment contained the Aria-body tool - which had never been detected before.
According to cyber security company Check Point Software Technologies, the hacker using Aria-body was able to take over the computer used by an Indonesian diplomat at the embassy in Canberra.
The hacker, believed to be part of the Naikon group tied to the Chinese military, found a document that the diplomat was working on, completed it and then sent it to the staff member in the WA Premier's office, armed with the Aria-body tool.
But the hacker made one simple error, sending it to the wrong email address. When the emial bounced back with a message saying the email address had not been found, suspicions were aroused and an investigation revealed the attempted attack, Check Point says in a report released today.
If it had succeeded, the hacker would have been able to see what the intended staff member was writing in the Premier's office, in real time.
WA has particularly strong ties with China through its massive iron ore mining industry, with the vast majority going to the communist nation.
Check Point says Aria-body can hack any computer used to open the file in which it was embedded and quickly make the computer obey the hackers' instructions, such as setting up a secret line of communication to allow data to flow to servers used by the attackers.
According to Check Point, Naikon has also used Aria-body to hack government agencies and state-owned technology companies in Indonesia, the Philippines, Vietnam, Myanmar and Brunei.
"The Naikon group has been running a longstanding operation, during which it has updated its new cyberweapon time and time again, built an extensive offensive infrastructure and worked to penetrate many governments across Asia and the Pacific," said Lotem Finkelstein, head of the cyberthreat intelligence group at Check Point.
Former Australian defence official Peter Jennings said: "We know that China is probably the single biggest source of cyberespionage coming into Australia by a very long way.
"People sometimes fail to see the industrial-strength capacity that China has to do this on a global scale. We're talking about tens of thousands of people who are operating in their signals intelligence unit and Ministry of State Security.
"China has both the capacity and a long-demonstrated intent to do this wherever it thinks it can extract useful information."
Beijing has maintained that it is opposed to cyberattacks of any kind and that the Chinese government and military do not engage in hacking for the theft of trade secrets.
The Times said China's cyberespionage efforts have shown no sign of relenting globally and may be intensifying as tensions with Australia, the US and other countries have risen over trade, technology and, more recently, disputes over the coronavirus pandemic. Experts say its aim is to steal vast amounts of data from foreign governments and companies.
"This may be different in design, but these attacks all have the same purpose," said Matthew Brazil, an American former diplomat and author of a new book on Chinese espionage, referring to Aria-body.
American cybersecurity company, ThreatConnect, reported in 2015 that Naikon was connected to China's People's Liberation Army and appeared to operate as part of the military's Second Technical Reconnaissance Bureau, Unit 78020, based mainly in the southern city of Kunming.
Naikon is said to be responsible for China's cyberoperations and technological espionage in Southeast Asia and the South China Sea, where Beijing is embroiled in territorial disputes with its neighbours.
A report by the Kaspersky Lab, a Russian cybersecurity company, called the group one of Asia's most active "advanced persistent threats," a term that security experts often use to describe state-backed hackers who run long-term campaigns of intrusion.
Since early 2019, according to Check Point, Naikon has bought server space from Alibaba, the Chinese technology company, and registered domain names on GoDaddy, an American web-hosting firm.
Aria-body can attach itself as a parasite to various types of files so that it did not have a set pattern of movement. Its operators could change part of its code remotely, so that after attacking one computer, Aria-body would look different when it breached the next one. Such patterns are often telltale signs for security investigators.
Originally published as Chinese hackers attack Australia using 'invisible' tool