The BoM hack: infiltration and attribution

The Wednesday hacking of the Bureau of Meteorology (BoM) by apparent ‘Chinese’ actors was another example, if one was needed, of the persistent threat to Australian computer networks, both government and private sector. It’s a stark reminder that Australia needs to continually up its game and shines a firm spotlight on the Government’s Cyber Review and what it will deliver. Cyber incidents aren’t uncommon; in its unclassified threat assessment the Australian Cyber Security Centre stated that it had to respond to 1,131 cyber security incidents involving Australian Government networks and other networks of national importance during 2014, equating to an average of three per day. So in many ways it’s surprising that more incidents of this nature aren’t receiving greater publicity.

We should be circumspect in our attribution of this incident to China. Making a firm attribution case is time consuming and often filled with difficulty in making an absolute judgement. Masking the true origins of a cyber incident is easy—states often use proxies or compromised computers in other jurisdictions to cover their tracks. As such, more detail is required before we can categorically state that China was the source.

A plausible reason for any group to have hacked into the BoM network is an interest in BoM’s customers. BoM provides predictive weather services to a range of Government and private sector clients, and in some cases, will have direct linkages into their networks to deliver their most up to date forecasts and weather data. Those private sector clients include aviation, energy, mining, offshore platforms and marine industries, all of whom would be of interest to a state-based hacker.

This provides an avenue of exploitation for a person or group to access more sensitive networks. That isn’t an uncommon modus operandi—why try to break down complex cyber defences when you can go in via the weakest link? Examples of this stretch back over 10 years: Titan Rain, a US Government codename for a series of attacks on government military systems which took place from 2003-06, is a prime example. Defence contractors were targeted as an easier avenue into Pentagon networks and led to extensive sensitive data extraction.

Another possibility is that whoever hacked into the BoM could be seeking information on Australia’s negotiating position at the Paris climate talks, which would use the data collected and analysed by BoM on Australia and the region’s weather and climate. It’s been observed that cyber espionage activities often increase immediately prior to major international bilateral and multilateral discussions. In a report released earlier this year, cyber security firm FireEye identified a cyber espionage group dubbed APT30, which specifically targeted Southeast Asian and Indian officials holding key political, economic and military information. FireEye believes APT30 is a state backed group from China, and noted that its activity peaked around important regional summits, particularly ASEAN meetings. Similarly, The New York Times recently reported on Iranian backed hackers who identified and targeted US State Department officials involved in implementing the nuclear deal with Iran.

While a pre-summit infiltration on a national weather service may seem like a peculiar espionage target, this isn’t the first time that such an institution has been in the cross-hairs. In December last year, the US government’s National Weather Service (NWS) was compromised by external attackers. Like our own BoM, the NWS provides climate, water, and weather data, and forecasts and warnings to the public and several government and non-government customers. More interestingly, the infiltration took place three months before the UN’s massive Lima Climate talks. The summit saw 194 country delegations descend on the Peruvian capital to thrash out an agreement on climate change, and was one of the largest negotiations of its type.

Four months before the US NWS compromise, alarm bells were ringing in New Zealand when someone tried to infiltrate a supercomputer based at the National Institute for Water and Atmospheric Research in Wellington. The computer, worth $12.7m, dubbed FitzRoy, is one of the most sophisticated computers in the world dedicated solely to environmental research and forecasting. New Zealand’s National Cyber Security Centre was called in by Prime Minister John Key to discover what the attackers were after, but were unable to find a logical explanation.

It could be the case that Australia has fallen victim to a group with similar intentions in the lead up to the Paris talks with the aim of collecting as much information possible on Australia’s negotiating position, and its basis in climate data, to influence the outcome of the talks. However it would be expected that other countries around the world would be similarly targeted, and if this is the case, it hasn’t been widely reported.

Regardless of who the perpetrator is behind the BoM infiltration, it’s easy to logically deduce several reasons why such an organisation presents an appealing infiltration target. Hopefully this serves as a wake up call for all government agencies, regardless of the size or classification level of their work, that their information and networks are valuable to foreign actors, and as such, they should do their upmost to protect them.