But the ACSC said it had not identified any intent by the actor "to carry out any disruptive or destructive activities within victim environments".
In a detailed statement last updated on Thursday, well before Prime Minister Scott Morrison and Defence Minister Linda Reynolds addressed the media in Canberra, the ACSC said that among the initial access vectors, the most common one used was a bid to exploit public-facing infrastructure.
This was "primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI".
Pardon my scepticism but the last time our government cried #CyberAttack it was lots of actual users were trying to access Centrelink at the same time — Belinda Barnet (@manjusrii) June 19, 2020
The attackers had shown agility in leveraging proof-of-concept exploit code that was already public in the search for vulnerable points of entry.
Also displayed was an ability to identify development, test and orphaned services that were not maintained by the organisations that were hacked.
"When the exploitation of public-facing infrastructure did not succeed, the ACSC has identified the actor utilising various spearphishing techniques," the agency said.
Cyber attack thwarted by NBN outage https://t.co/2dsoBrWl0x — (@chaser) June 19, 2020
"This spearphishing has taken the form of:
- links to credential harvesting websites;
- emails with links to malicious files, or with the malicious file directly attached;
- links prompting users to grant Office 365 OAuth tokens to the actor; and
- use of email tracking services to identify the email opening and lure click-through events."
According to Wikipedia, "Telerik AD is a Bulgarian company offering software tools for web, mobile, desktop application development, tools and subscription services for cross-platform application development. Founded in 2002 as a company focused on .NET development tools, Telerik now also sells a platform for web, hybrid and native app development".
The ACSC said once initial access was achieved, the actor used both open source and custom tools to persist on, and interact with, the victim network.
"Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed," the centre said.
"In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations."
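Because the command and control described above rides on ordinary HTTP/HTTPS traffic to legitimate Australian hosts, geo-blocking and reputation lists give a defender little to work with; one signal that survives is timing regularity, since web-shell polling tends to recur at a fixed cadence. The following is an added example, not ACSC or article code, that scans constructed proxy log lines for source/destination pairs contacted at near-constant intervals (the log field layout, the hostnames and the thresholds are all assumptions).

```python
"""Flag near-periodic HTTP(S) connections in proxy logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines, assumed layout: "<timestamp> <src_ip> <dst_host> <method> <path>".
# The first host stands in for a compromised legitimate site used as C2; the second is benign browsing.
SAMPLE_LOG = """\
2020-06-18T09:00:00 10.1.1.7 legit-site.example.com.au POST /images/upload.aspx
2020-06-18T09:00:02 10.1.1.7 www.news.example.com.au GET /index.html
2020-06-18T09:10:01 10.1.1.7 legit-site.example.com.au POST /images/upload.aspx
2020-06-18T09:20:00 10.1.1.7 legit-site.example.com.au POST /images/upload.aspx
2020-06-18T09:29:59 10.1.1.7 legit-site.example.com.au POST /images/upload.aspx
2020-06-18T09:31:00 10.1.1.7 www.news.example.com.au GET /sport.html
2020-06-18T09:40:01 10.1.1.7 legit-site.example.com.au POST /images/upload.aspx
2020-06-18T10:45:00 10.1.1.7 www.news.example.com.au GET /weather.html
"""

def parse(log):
    """Yield (src, dst, path, timestamp) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, _method, path = parts
        yield src, dst, path, datetime.fromisoformat(ts)

def find_beacons(log, min_hits=4, max_cv=0.1):
    """Return {(src, dst): mean_interval_seconds} for pairs whose inter-request
    gaps are nearly constant (coefficient of variation <= max_cv). min_hits
    keeps one-off visits from being scored on too few samples."""
    times = defaultdict(list)
    for src, dst, _path, ts in parse(log):
        times[(src, dst)].append(ts)
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = avg
    return hits

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: ~{interval:.0f}s cadence, review host for a web shell")
```

A hit is a lead, not a verdict: the destination should be checked for an uploaded web shell and the source host for the stolen credentials the advisory says the actor moves to once tooling is in place.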