Premier hit by hackers with China link

Australia was the target of a sophisticated cyber-attack by foreign hackers linked to the Chinese military designed to infect, infiltrate and take control of government computers according to a new US report.

The sensational claims that China-based hackers carried out a five-year cyber espionage campaign targeting governments in the Asia Pacific is outlined in The New York Times.

The report claims the hackers' new tool, Aria-body, "could penetrate any computer used to open the file in which it was embedded and quickly make the computer obey the hackers' instructions."

The claims are sourced to cyber-attack analysts Check Point, who claim the Indonesian embassy in Australia was targeted before the hackers tried to send an email to another office to infect computers there too.

The Times' original report claimed Prime Minster Scott Morrison's office was targeted on January 3, but it's now been confirmed the intended target was in fact the WA Government and Premier Mark McGowan's office.

The WA Premier confirmed today that authorities were now investigating.

"We have referred it to the director-general of the Department of Premier and Cabinet for investigation,'' he said.

"I don't know anything more about it than an article in the New York Times. As to who does these things or what happens or whether it is even true, we will try and get to the bottom of that.


Western Australia Premier Mark McGowan says the claims are being investigated.
Western Australia Premier Mark McGowan says the claims are being investigated.


"We will get to the bottom of whether it is true and what has happened, whether there are any further steps that need to be taken. Obviously cybersecurity is important."

The original Check Point report clearly refers to an "Australian state government" as the intended target and does not refer to the Morrison Government by name.

It warns the "Aria-body could attach itself as a parasite to various types of files so that it did not have a set pattern of movement. Its operators could change part of its code remotely, so that after attacking one computer, Aria-body would look different when it breached the next one."

"That could include setting up a secret, hard-to-detect line of communication by which data on the targeted computer would flow to servers used by the attackers.

"It could also replicate typing being done by the target user, meaning that had the Australia attack not been detected, the tool would have allowed whoever controlled it to see what a staff member was writing in the prime minister's office,'' the report states.

The New York Times' original report stated that on the morning of January 3, an email was sent from the Indonesian Embassy in Australia to a member of Prime Minister Scott Morrison's staff who worked on health and ecological issues.

The report states an invisible cyberattack tool called Aria-body, which had never been detected before and had alarming new capabilities

"Hackers who used it to remotely take over a computer could copy, delete or create files and carry out extensive searches of the device's data, and the tool had new ways of covering its tracks to avoid detection,'' the report states.

But last night, The Department of the Prime Minister and Cabinet, which manages ICT within the Prime Minister's Office, advised that there is no evidence of such an incident and there are robust cybersecurity arrangements in place to protect Prime Minister & Cabinet and PMO networks.


Scott Morrison’s office said the claims were not linked to the Prime Minister’s office.
Scott Morrison’s office said the claims were not linked to the Prime Minister’s office.


"The Australian Cyber Security Centre has engaged with Check Point and confirmed the incident reported by the New York Times did not involve the Prime Minister's Office or the Federal Government,'' a spokesman said.

The report follows increasing tensions between China and Australia over Mr Morrison's call for an independent inquiry into the origins of COVID-19.

The company, Check Point Software Technologies, claims the Chinese hackers also targeted state-owned technology companies in Indonesia, the Philippines, Vietnam, Myanmar and Brunei.

According to the report, the hacker then "found a document that the diplomat was working on, completed it and then sent it to the staff member in the prime minister's office, armed with the Aria-body tool."

"Our investigation started when we observed a malicious email sent from a government embassy in APAC to an Australian state government, named The Indians Way.doc,'' it states.

"This RTF file, which was infected (weaponized) with the RoyalRoad exploit builder, drops a loader named intel.wll into the target PC's Word startup folder. The loader, in turn, tries to download and execute the next stage payload from spool.

"This is not the first time we have encountered this version of the RoyalRoad malware which drops a filename named intel.wll - the Vicious Panda APT group, whose activities we reviewed in March 2020, utilizes a very similar variant."

Originally published as Premier hit by hackers with China link