Industry Perspectives Blog

The G20 and the New Reality of Cyber Espionage

Beginning in August 2013, the Advanced Persistent Threat (APT) nicknamed Moviestar breached nine government institutions across five European nations. Moviestar was a malware campaign initiated and supported by Ke3chang, an APT syndicate believed to be operating out of China. The malware’s name came from attackers who used revealing pictures of actress Carla Bruni to entice victims to click on files they shouldn’t. For weeks prior to the most recent G20 cyber campaign, attackers leveraged emails with updates on the escalating Syrian crisis to install malware on victim systems – the very topic that brought together delegates of the world’s 20 largest developed and emerging economies at the St. Petersburg, Russia, G20 summit.

With the November G20 summit planned in Brisbane, could it be Australia’s turn for a cyber attack? From past experiences, it is almost certain that state-sponsored APT campaigns and political activists will focus on the summit. The summit allows attackers to leverage hot political topics, enticing individuals to open malicious emails or webpages that provide intruders with unauthorized network access. Tony Cole, the Global Government CTO of FireEye, recently visited Australia to advise major government and commercial institutions of the current threat landscape, with the upcoming G20 summit taking center stage. Cole is certain cyber attacks will stem from the G20 event, saying, “There's nothing in my mind, looking at the research done in this area, that would tell us that they're not going to try again.” Cole also mentioned that the computer systems being brought to the summit may already be compromised with malware, ready to infect the networks of world leaders.

As host of the 2014 summit, Australia will be at the forefront of such cyber attacks. Given evolving technology and increasing world tensions, we should assume that these attacks will build upon, and be more sophisticated than, previous efforts. This alone should warrant action: up-to-date security that can detect, prevent, analyze and respond to the APTs that go hand-in-hand with hosting the G20.

What will the APTs look like? What will they go after? The past is prologue. The Moviestar campaign was not the first time that cyber threat actors set their sights on the G20 or other global gatherings. In 2012, two campaigns named Dream and Dolphin sent fake event schedules and updates about the 2012 London Olympics to trick individuals, leaving them open to system intrusion. The attacks focus on the topics and interests of the G20 to both access systems of commercial firms and infiltrate government agencies before, during and after the meeting for information on political agendas and confidential economic data. Attackers also intend to move laterally throughout networks to steal a wider range of documents and files related to research and development, defence and financial data. Summit-related events with specific agendas and specialized personnel are scheduled prior to the meeting in cities around Australia. The Australian government and event organizers will regularly update schedules through emails and websites, with government officials and summit attendees paying close attention. This opens another gateway through which hackers can launch socially engineered spear phishing or watering hole attacks to access the networks of targeted victims. The St. Petersburg G20 summit experienced persistent cyber attacks; in one case, an email titled “Pre-Summit Meeting of G20” contained three malicious files.

And there was the French experience in 2011’s G20 meeting. The French government fell victim to the largest-ever cyber attack in domestic history, with the Finance Ministry bearing the brunt. Again, the attackers sent malicious emails to target specific government employees, including information regarding the G20 event, to gain control of 150 computers. Once in the network, the hackers copied documents related to the summit for nearly two months before being detected. The attack was described as ‘spectacular’ by French Budget Minister Francois Baroin, making it clear these cyber-threat campaigns are becoming increasingly sophisticated, and highlighting the need for even greater security as Australia takes the summit presidency from France.

The purpose of the G20 summit is worldwide economic growth and sustainability. Cyber attacks pose one of the largest threats to economic prosperity, and will increasingly do so as both international rivalry and technology evolve. While all G20 members must take precautions, we hope Australia can learn from history. Approaching November, both Australian commercial and government bodies can expect increased targeted attacks, luring victims by playing upon the multitude of global events to be discussed at the gathering. In light of past summit experiences, Australia must adopt a strict stance on cyber security to keep intruders from obtaining confidential information.