The attack on the NSW government was a significant reason behind Mr Morrison warning the nation about the spike in “malicious” cyber raids, according to senior federal government sources.
The Prime Minister made the public intervention after receiving briefings from security agencies this week.
Mr Morrison said investigations so far had found there had been no “large-scale” breaches of personal data.
The uptick in attacks from the state-based actor increased around the time Australia began pushing for a global inquiry into the coronavirus, which angered Beijing. The attacks bore many similarities to a cyber attack on Parliament House’s computer system in February 2019, which security agencies attributed to China although they never publicly revealed their determination.
Sean Duca, regional chief security officer with global cybersecurity company Palo Alto Networks, said the attacks were part of a “sophisticated attack that we have witnessed targeting organisations around the world”.
“From our analysis, there is similarity in the code reuse as the attacks made in February 2019 targeting the Australian Parliament House,” he said.
Former National Cyber Security Adviser Alastair MacGibbon said the threat was “likely a campaign by a sophisticated state-based actor” and part of a wider trend.
“It is an affront to our national interest and sovereignty that such events occur,” said Mr MacGibbon, who is now chief strategy officer at CyberCX after a long career in public policy including as head of the ACSC.
“And that’s why the Prime Minister has stood up to make a statement.”
Asked whether electricity assets were a target of the cyber attacks, a spokesman for the Australian Energy Market Operator said it took cyber attacks “very seriously” and was aware of the “sustained cyber campaign targeting Australia”.
“AEMO works closely with government and industry partners, and is following the advice provided by the Australian Cyber Security Centre to maintain the security of our critical services,” the AEMO spokesman said.
The Australian Cyber Security Centre said it was working with the organisations subject to the malicious cyber attack.
The ACSC named “copy-paste compromises“, where hackers subtly change open source code, as part of the state-based actor’s “heavy use of proof-of-concept exploit code, web shells and other tools” to enable the attacks.
Australia’s chief cyber agency said its investigations have so far found no evidence that the actor attempted to be “disruptive or destructive” once gaining access to a network.
“Cybersecurity risks hold a level of uncertainty, however this demonstrates the importance of a public-private partnership and how it will enable a new level of flexibility and strength through the opportunity of knowledge sharing as cyber threats become more sophisticated,” Mr Duca said.
Mr Morrison said the recent cyber attacks on Australia-based beverage giant Lion were not related to the malicious activity announced on Friday morning. The attack on Lion is believed to have originated from Russia, according to government sources.
Lion said its expert cyber team was investigating the ransomware attack that caused a partial IT outage last week.
Mr Morrison briefed all premiers and chief ministers on the cyber attacks on Thursday night.
Federal Labor Leader Anthony Albanese said he also received a full briefing on the cyber attacks by intelligence agencies.
Mr Albanese said there had “clearly been an increase” in the number of attacks.
NSW Premier Gladys Berejiklian’s office declined to comment.
Anthony is foreign affairs and national security correspondent for The Sydney Morning Herald and The Age.
David Crowe is chief political correspondent for The Sydney Morning Herald and The Age.