Spear-phishers targeted Reserve Bank in 2011


news
The Reserve Bank of Australia has on several occasions been the target of targeted malicious emails that sought to help external attackers breach the organisation’s IT security systems, it was revealed this morning, although it is believed the bank fended off the attacks before they gained access to any sensitive information.

This morning The Financial Review newspaper published an article claiming that the bank’s computer networks had been “repeatedly and successfully” hacked, including by “Chinese-developed malicious software”. The news comes as concerns continue to grow in Australia about shadowy cyber-espionage campaigns that seek to obtain sensitive information from Australian organisations.

The newspaper’s article is believed to have been based on two incidents, one of which the bank has publicly disclosed. In December last year, the RBA published an extensive document (PDF) consisting of incident report summaries put together by its risk management unit between 1 January 2008 and 16 May 2012. Most of the incidents listed in the report consist of examples where laptops, iPads or BlackBerrys belonging to the bank or its staff have been stolen in what are believed to be examples of petty theft. Other examples of potential information loss include situations where paper documents have accidentally been left in public locations.

However, one incident report summary which the bank disclosed detailed a more serious situation. The incident report notes that on 17 November 2011, a “targeted malicious email” was sent to several bank staff, including senior management up to head of department level. The fraudulent email was labelled ‘Strategic Planning FY2012’ and initially appeared to be genuine. However, it contained an Internet link to a zip file containing a trojan, which the RBA noted at the time “was not detectable by the bank’s anti-virus scanners”.

Six Reserve Bank staff clicked on the malicious link, and subsequently had their PCs isolated until the bank’s anti-virus vendors could deploy updated virus definitions. By the close of business that day, the bank’s malware definitions had been updated, and overnight scans of the bank’s IT infrastructure were scheduled. Fortunately, none of the affected PCs had local administrator rights, meaning that the virus was prevented from spreading, according to the RBA.

The email’s innocuous nature, appearing to be from a trusted source and containing no attachments, meant that it was able to get past the bank’s malware scanning system to start with and that it didn’t initially appear suspicious to some of the bank’s staff.

The bank’s incident report recommended it update its security software to scan for embedded hyperlinks in emails that link to known application files and block them by default, requiring inspection by the bank’s security team before they’re cleared. The RBA has also considered blocking the download of all known application files via its web browsing infrastructure, using an exception list to allow certain types of trusted files.
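The two controls described above (hold any email whose hyperlinks point at application files until a security analyst clears it, and block application-file downloads at the web proxy except from an exception list) can be sketched as a small policy check. The following is an added example written for this article, not the RBA’s code or the incident report’s own tooling; the extension list, the exception-list hosts, the `.invalid` domains and the sample message are all constructed assumptions.

```python
"""Email link inspection and download policy, modelled on the controls the
RBA incident report recommends. Constructed example: the extension list, the
trusted-host exception list and the sample message are assumptions."""

import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# File types that commonly carry a dropper or payload (assumption; tune per site).
APPLICATION_EXTENSIONS = {
    ".zip", ".rar", ".7z", ".exe", ".msi", ".scr", ".jar", ".bat", ".cmd", ".ps1",
}

# Exception list (assumption): hosts from which application files may be fetched.
TRUSTED_DOWNLOAD_HOSTS = {"updates.example-vendor.invalid"}

# Matches http(s) URLs in plain text or inside href="..." attributes.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed message shaped like the lure the report describes: no attachment,
# a plausible subject, and a hyperlink to an archive hosted elsewhere.
SAMPLE_MESSAGE = """\
From: "Planning Office" <planning@example.invalid>
To: staff@example.invalid
Subject: Strategic Planning FY2012
Content-Type: text/plain; charset=utf-8

Please review the planning pack before Friday's meeting:
http://files.example.invalid/Strategic_Planning_FY2012.zip

Agenda (web page): https://intranet.example.invalid/agenda/fy2012.html
"""


def extract_links(msg: Message) -> list:
    """Collect http(s) URLs from every text part of a (possibly multipart) message."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        body = raw.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(body):
            links.append(url.rstrip(".,;:)'\""))  # drop trailing punctuation
    return list(dict.fromkeys(links))  # de-duplicate, keep first-seen order


def link_points_at_application(url: str) -> bool:
    """True when the URL path ends in a known application-file extension."""
    path = urlparse(url).path.lower()
    return any(path.endswith(ext) for ext in APPLICATION_EXTENSIONS)


def mail_policy(raw_message: str) -> dict:
    """Mail-gateway side: hold the message for analyst review if any link
    targets an application file; otherwise deliver it."""
    links = extract_links(message_from_string(raw_message))
    flagged = [u for u in links if link_points_at_application(u)]
    return {"action": "hold" if flagged else "deliver", "flagged": flagged, "links": links}


def download_policy(url: str) -> str:
    """Web-proxy side: block application-file downloads unless the host is excepted."""
    if not link_points_at_application(url):
        return "allow"
    host = (urlparse(url).hostname or "").lower()
    return "allow" if host in TRUSTED_DOWNLOAD_HOSTS else "block"


if __name__ == "__main__":
    verdict = mail_policy(SAMPLE_MESSAGE)
    print(verdict["action"], verdict["flagged"])
    for u in verdict["links"]:
        print(download_policy(u), u)
```

The mail-side check is deliberately extension-based rather than content-based, because the report’s point was that the lure carried no attachment for the scanner to inspect; the download-side check is the second layer for links that reach the browser anyway. Both are coarse allow/deny decisions and would sit in front of, not replace, signature and sandbox scanning.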

Although the attack was targeted specifically at the RBA and tricked six staff, it is believed that the external attackers who crafted it were unable to access any sensitive information. It is believed that a similar attack took place around the time of the G20 summit in France in February 2011, and that it likewise failed to reach sensitive data at the RBA.

In this context, it appears that the AFR’s allegation that the Reserve Bank of Australia has been “repeatedly and successfully hacked” may be an exaggeration of the situation. The RBA has been invited to comment on the issue.

The RBA is different from Australia’s major retail banks in that it does not provide services directly to consumers. Instead, as the nation’s central bank and a government organisation, its role is, in its own words, to contribute to the maintenance of price stability, full employment and the economic prosperity and welfare of the Australian people.

It is involved in setting interest rates on cash, as well as maintaining and developing the nation’s payments system and issuing Australia’s banknotes. Its customers are predominantly the Federal Government and its agencies, as well as other organisations such as overseas central banks and other institutions. It also manages the nation’s gold and foreign exchange reserves. In this sense, it does keep a wide variety of sensitive information relating both to the wider economic situation in Australia and to certain clients.

The news of the attacks at the RBA comes as debate over the nature and extent of IT security breaches in Australia continues to grow. In late January, for example, Prime Minister Julia Gillard announced that the Federal Government would spend $1.46 billion through to 2020 on strengthening what she described as its “cyber security” capabilities, including establishing a dedicated Australian Cyber Security Centre.

However, it remains unclear whether such IT security breaches as have taken place so far have been able to do significant damage. At least ten parliamentary computers, including machines belonging to Prime Minister Julia Gillard, Foreign Minister Kevin Rudd and Defence Minister Stephen Smith, were suspected of being hacked in early 2011, and the ATO also suffered a minor IT security breach last month, but in both cases it is unclear whether any sensitive data was stolen or any business operations disrupted.

A major new study of the IT security habits and experiences of Australian organisations, conducted by government group CERT Australia and published last month, found the majority did not suffer an IT security incident over the past 12 months, and those that did mainly suffered minor breaches such as the theft of a laptop or smartphone, as was evident from the RBA’s incident reports disclosed under FOI laws.


Update: The RBA issued the following statement after this article was published:

As reported in today’s media, the Bank has on occasion been the target of cyber attacks. The Bank has comprehensive security arrangements in place which have isolated these attacks and ensured that viruses have not been spread across the Bank’s network or systems. At no point have these attacks caused the Bank’s data or information to be lost or its systems to be corrupted. The Bank’s IT systems operate safely, securely and with a high degree of resilience.

The Bank takes cyber security and its potential consequences extremely seriously. As part of its extensive efforts to ensure that security arrangements are best practice, the Bank routinely consults with the Defence Signals Directorate and draws on the expertise of specialist private firms. There is ongoing rigorous testing of the Bank’s IT systems and regular training of staff.

opinion/analysis
I’m not privy to the information the AFR based its report on this morning. However, what I will say is that if the newspaper based its report primarily on the two spear-phishing attacks which targeted the Reserve Bank’s operations in 2011, then the claim that the bank’s computer networks had been “repeatedly and successfully hacked” is on shaky ground.

It’s not a surprise that the RBA is being targeted by sophisticated spear-phishing attempts, and it certainly wouldn’t be a surprise if such attempts were being perpetrated by international interests, including agencies of foreign governments. I also wouldn’t be surprised if there were mere low-level hackers behind these attempts. If you had forward knowledge of the RBA’s moves on interest rates, for example, it should be a fairly easy matter to make quite a bit of money from that information.

But what I will say is that this kind of situation is yet another example of the kind of hyped-up security story which we see constantly in the Australian media at the moment. Everyone’s throwing money and press releases at “cyber-security” issues at the moment. And it is definitely an important issue. However, as I’ve written many times before, the sky isn’t falling: Australia’s computer networks, especially the ones relating to critical infrastructure, do generally have security controls around them, and we haven’t yet seen many examples of the kind of serious attacks which seriously damage infrastructure or steal highly sensitive information which everyone seems to be afraid of.

In fact, the RBA’s incident report log shows precisely what CERT Australia’s survey found: A lot of incidents of petty theft of laptops, smartphones and tablets, with the occasional more serious but usually unsuccessful attempt to steal more sensitive data or damage business operations.

7 COMMENTS

  1. Updated statement from the RBA:

    As reported in today’s media, the Bank has on occasion been the target of cyber attacks. The Bank has comprehensive security arrangements in place which have isolated these attacks and ensured that viruses have not been spread across the Bank’s network or systems. At no point have these attacks caused the Bank’s data or information to be lost or its systems to be corrupted. The Bank’s IT systems operate safely, securely and with a high degree of resilience.

    The Bank takes cyber security and its potential consequences extremely seriously. As part of its extensive efforts to ensure that security arrangements are best practice, the Bank routinely consults with the Defence Signals Directorate and draws on the expertise of specialist private firms. There is ongoing rigorous testing of the Bank’s IT systems and regular training of staff.

  2. 1 australian sites are being targeted by spear phishing, +
    2 recently reported successful breaches globally into sites that have good security =
    ——————————————————————————————————————
    3 successful breaches in australia, if not now, undetected or unreported, then soon.

    Not that this is an excuse for internet censorship.

  3. Sigh so once again the media is gung-ho and instead of waiting for all the facts and a response runs with a story.

  4. So the Australian Financial Review is making sensationalist claims without any facts to back them up? What a surprise!

    Seriously, if the AFR can’t get even basic reportage right, nobody will trust its bread-and-butter, the business and financial stuff. Who would rely on a news source that you know is pushing a barrow, especially when making decisions about money?
