HOW THE CHINESE HACKED AN AUSTRALIAN COMPANY
* In March 2017, the Australian Cyber Security Centre received a report that a computer belonging to the Australian arm of a multinational construction services company was hit with malware known to be used by Chinese hackers working for the APT10 group.
* The malware was a version of the well-known ‘PlugX’ remote access tool (RAT). The hackers used a legitimate administrator account belonging to the company’s managed service provider to connect remotely to the company’s network and install the RAT.
* The hackers then accessed sensitive data and commercial secrets.
* It was later discovered that the first hack on the company had occurred in September 2016, when, within the space of 25 seconds, PlugX malware was installed under the innocent-sounding name ‘Corel Writing Tools Utility’.
* Over the next two months more PlugX malware was installed, using the name ‘Quick CreateInstall Installer’.
* The hackers then began gathering data and staging it in text files.
* Three weeks after the ACSC received its report, a new piece of malware known as RedLeaves was found to have been installed, which security experts believe was a response to the hacking being reported.
* In May 2017, the hackers deleted evidence from the initial host computer.
* The affected company was advised to take a range of security steps including: regularly patching its software, restricting administrative privileges, using multi-factor authentication (such as a hardware ‘token’), setting aside a specific workstation for sensitive tasks, and segregating computer networks.
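The first intrusion described above, a remote connection by a service-provider admin account followed 25 seconds later by an install under an innocuous name, is the kind of sequence a defender can alert on. The following is an added detection example, not code from the ACSC or the affected company; the log format, host names, account names and the 60-second window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the ACSC report): a remote logon by a
# managed-service-provider (MSP) admin account followed seconds later by a software
# install under an innocuous name, plus ordinary activity that should not alert.
SAMPLE_EVENTS = [
    "2016-09-12T02:14:05 host=FIN-WS07 event=remote_logon account=svc-admin@msp.example",
    "2016-09-12T02:14:30 host=FIN-WS07 event=software_install account=svc-admin@msp.example name='Corel Writing Tools Utility'",
    "2016-09-12T09:00:00 host=HR-WS02 event=remote_logon account=jsmith@corp.example",
    "2016-09-12T09:00:20 host=HR-WS02 event=software_install account=jsmith@corp.example name='Office Update'",
    "2016-10-20T22:00:00 host=FIN-WS07 event=remote_logon account=svc-admin@msp.example",
    "2016-10-21T00:00:00 host=FIN-WS07 event=software_install account=svc-admin@msp.example name='Endpoint Agent 4.2'",
    "2016-11-03T23:10:00 host=FIN-WS07 event=remote_logon account=svc-admin@msp.example",
    "2016-11-03T23:10:40 host=FIN-WS07 event=software_install account=svc-admin@msp.example name='Quick CreateInstall Installer'",
]

MSP_ADMIN_ACCOUNTS = {"svc-admin@msp.example"}  # assumed: accounts issued to the MSP
INSTALL_WINDOW = timedelta(seconds=60)          # assumed: an install this soon after a remote logon is suspicious

FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")

def parse_event(line):
    """Split 'timestamp key=value ...' into a dict; single-quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip("'") for k, v in FIELD_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def find_suspicious_installs(lines, msp_accounts=MSP_ADMIN_ACCOUNTS, window=INSTALL_WINDOW):
    """Return (host, account, name, seconds) for each software install that follows
    a remote logon by an MSP admin account on the same host within `window`."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    last_logon = {}  # (host, account) -> time of the most recent MSP remote logon
    alerts = []
    for e in events:
        key = (e["host"], e["account"])
        if e["event"] == "remote_logon" and e["account"] in msp_accounts:
            last_logon[key] = e["ts"]
        elif e["event"] == "software_install" and key in last_logon:
            delta = e["ts"] - last_logon[key]
            if delta <= window:
                alerts.append((e["host"], e["account"], e["name"], int(delta.total_seconds())))
    return alerts

if __name__ == "__main__":
    for host, account, name, secs in find_suspicious_installs(SAMPLE_EVENTS):
        print(f"ALERT {host}: '{name}' installed {secs}s after remote logon by {account}")
```

Only the two installs that land within a minute of an MSP remote logon are reported; the internal user's install and the MSP install two hours after logon are not, so the window is a tuning knob to pair with an allowlist of approved software rather than a complete rule on its own.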