Australia is the target of a large-scale cyber malicious attack that spans all levels of government, businesses, political organisations, education and health, Prime Minister Scott Morrison has announced.
He said the attack, which was ongoing, also targeted essential service providers and operators of other critical infrastructure.
While China was blamed for significant attacks last year, including on the Australian National University and Parliament House, and Russia and North Korea have been named in cyber-espionage allegations, Mr Morrison stopped short of naming the country believed to be behind this attack. He said the threshold for naming an attacker was "very high".
He would only say that the attacker was state-based, adding it was a country with "significant capabilities and there aren't too many state-based actors who have those capabilities".
"We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the trade craft used," he said.
"Australia doesn't engage lightly in public attributions and when and if we choose to do so is always done in the context of what we believe to be in our strategic national interests."
Crossbench senator Rex Patrick called on Mr Morrison to name the country.
Failing to do so was against the national interest, he said.
"Other countries, the UK, the US, Canada, even the Czech Republic, call out the state actors and part of that is about naming and shaming and making state actors understand that it is unacceptable international practice to do this," he said.
"The bottom line here is the Prime Minister has pulled his punches."
Senator Patrick said naming the country responsible would avoid the threat becoming abstract in the minds of Australians, and enliven people to the risk and seriousness of the event.
Why announce a cyber attack by a state controlled entity without detail of by whom and of its impact and significance? Weren’t these already happening? Is this much more significant? Without detail reasonable to wonder whether announcement was just another distraction?— John Hewson (@JohnRHewson) June 19, 2020
Ben Scott, from the Lowy Institute, said it appeared Mr Morrison wanted to lay the groundwork for the detailed advice from the Cyber Security Centre on how businesses should boost security.
"It's a bit confusing because on the one hand, the Prime Minister's making a statement which gets a lot of attention; on the other hand, his tone was pretty subdued," he said.
In so far as he was delivering a warning to the assumed attacker, China, it was at any early stage, with no public attribution.
The message was, "we know what you're up to, don't escalate more".
"On the scale of messages that can be sent this would be right down the scale," he said. "Cyber attack sounds scary, but it can mean anything from espionage which is business as usual, to sabotage which is an act short of war."
In this case, the detailed advice referred to publicly known vulnerabilities and the need for basic updating in security.
ANU National Security College director Rory Medcalf said it would be surprising if the attacks weren't coming from China, although other countries like Russia, Iran and North Korea did have the capability to engage in such attacks.
Professor Medcalf said the decision not to name a country, and to instead refer to a sophisticated-state based actor, could be because of the high level of confidence needed.
"There has been a code of diplomatic politeness of these issues and I think the Australian government is still doing its best to adhere to that code," he said.
"If there's nothing to be gained by publicly naming the country then the government will be cautious.
"There's also a second factor, that sometimes there is genuinely not certainty as to the perpetrator. You can have a high level of suspicion or a high level of confidence but you may not have 100-per--cent smoking-gun proof."
Professor Medcalf said today's announcement was primarily to warn businesses and governments across the country they need to be vigilant and prepared for attacks.
"We have to stop essentially leaving our digital homes and digital factories unlocked."
[Businesses should] patch ... internet-facing devices promptly, ensuring that any web or email servers are fully updated with the latest software.Defence Minister Linda Reynolds
He also warned that in the context of the international push for a vaccine for COVID-19, health infrastructure is likely to be increasingly targeted.
"There's likely to be a major contest under way in cyberspace at the moment with states trying to essentially steal COVID-19 vaccine research," he said.
Mr Morrison wasn't more specific about the information targeted, but asked whether Australians' personal or financial details had been breached, he said the investigation had so far not revealed any large-scale breaches of personal data.
Asked whether the motivation was state secrets, business secrets or personal data, Mr Morrison said it was "difficult to understand" what the motivation might be.
He had spoken to British Prime Minister Boris Johnson last night and there were "a number of engagements" with other allies overnight, he said.
He had also briefed state and territory leaders, with all levels of government under attack. Today, there would be "further technical briefings" with the states and territories.
He said he was announcing the attack to encourage businesses, especially in health, critical infrastructure and essential services, to get advice and set in place defences to thwart the malicious attack.
He would not say when he had been alerted, nor when the attack had started, but said it was ongoing.
Last year, the Australian Parliament was the subject of a cyber attack, where malware was injected into the parliamentary computer network.
The government refused to release any detail about that attack or what was accessed, although Mr Morrison attributed it also to a sophisticated state actor.
In November 2018, the Australian National University was the target of an attack attributed to China, where hackers accessed the ANU system, used an old server to build operations from the inside, and eventually gained access to the university's HR database.
The ANU hasn't been briefed by the government about the current attack and believes it hasn't been targeted this time.
"We have not detected any suspicious or unauthorised activity," a spokesman said. "Nor do we have any intelligence at this stage to indicate any attempt against the ANU network."
Senator Patrick has already put questions to Senate President Scott Ryan asking whether Parliament was the subject of the latest attack, and if so what was accessed. Senator Ryan would not comment.
Defence Minister Linda Reynolds said businesses should "patch [their] internet-facing devices promptly, ensuring that any web or email servers are fully updated with the latest software".
They should ensure they were using multifactor authentication for internet access, infrastructure and cloud platforms.
The Australian Cyber Security Centre and the Department of Home Affairs have posted detailed advice today at cyber.gov.au.