When Hong Kong pro-democracy activists last month received messages from Australia’s Finance Minister, Simon Birmingham, on encrypted messaging service Telegram, they were overjoyed. But it was too good to be true.
The activists quickly realised something was up when “Birmingham” requested they transfer money into a Hong Kong bank account. It was, in fact, a scammer who had managed to register a Telegram account against Birmingham’s phone number, and through it obtained his contact book. This “phishing” scam also hit Health Minister Greg Hunt, Australia’s ambassador to the United States Arthur Sinodinos and a number of other senior diplomats.
Numerous politicians and diplomats including Finance Minister Simon Birmingham received messages asking them to verify Telegram. Credit: Alex Ellinghausen
The episode has sent shockwaves and paranoia through the senior ranks of the Australian government and diplomatic corps. It should serve as an early warning that we’re about to enter a new world of “deep fakes”, where we will need to go the extra step in verifying the person we’re talking to is, in fact, who they claim to be.
How did the hackers do it?
Applications such as Telegram, Signal or WhatsApp require you to verify your phone number – by entering a one-time code sent to that phone – before you can set up an account. In this instance, the attackers obtained the phone numbers of scores of senior Australian politicians and officials and went on a phishing expedition on Telegram, an encrypted messaging app that was widely used in the Hong Kong protests. Numerous politicians and diplomats received messages asking them to verify Telegram. Senior security sources also confirmed WhatsApp, owned by Facebook, was a target but the hackers were less successful on that application.
Extremely busy and perhaps in a momentary lapse of judgment, some clicked on the link and installed the Telegram app. In doing so they verified the account for the attacker rather than for themselves: the app uploaded their contact book to an account the attacker controlled, giving the hacker the ability to impersonate them.
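The registration flow described above, modelled in Python as an added example for this article. It is not Telegram’s or WhatsApp’s real protocol or code: a toy server treats “proves possession of the phone number by echoing a one-time code” as the only credential, an attacker starts a login with the victim’s number, the lure persuades the victim to hand over the code, and every session on the account (the attacker’s included) then sees the contacts the victim’s own app synced. The server, device labels, phone numbers and contact lists are all constructed for the example. It also shows why the two-step verification password that WhatsApp’s spokeswoman recommends later in this article stops the relay, and why it only helps if the owner set it before the phish.

```python
import hashlib
import hmac
import secrets


class MessagingServer:
    """Toy account server for a phone-number-verified messaging app.
    Added model for this article, not the real Telegram/WhatsApp design."""

    def __init__(self):
        self.pending = {}        # phone -> one-time code sent "by SMS"
        self.sessions = {}       # session id -> (phone, device label)
        self.contacts = {}       # phone -> contact book synced by the app
        self.second_factor = {}  # phone -> (salt, hash) of the 2SV password

    def request_code(self, phone):
        """Start a login for `phone`. Anyone can trigger this; the code is
        returned here as it would be delivered to the phone's owner."""
        code = f"{secrets.randbelow(100_000):05d}"
        self.pending[phone] = code
        return code

    def confirm_code(self, phone, code, device, password=None):
        """Finish the login. Returns a session id, or None on failure."""
        expected = self.pending.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        stored = self.second_factor.get(phone)
        if stored is not None:
            salt, digest = stored
            # Once 2SV is on, the relayed code alone is not enough.
            if password is None or not hmac.compare_digest(digest, self._hash(password, salt)):
                return None
        del self.pending[phone]
        sid = secrets.token_hex(8)
        self.sessions[sid] = (phone, device)
        return sid

    def enable_two_step(self, sid, password):
        phone, _ = self.sessions[sid]
        salt = secrets.token_bytes(16)
        self.second_factor[phone] = (salt, self._hash(password, salt))

    def upload_contacts(self, sid, contacts):
        """What the app does on install with contact sync enabled."""
        phone, _ = self.sessions[sid]
        self.contacts[phone] = sorted(set(contacts))

    def get_contacts(self, sid):
        """Every session on the account, including an attacker's, sees them."""
        phone, _ = self.sessions[sid]
        return list(self.contacts.get(phone, []))

    def active_devices(self, phone):
        """The check a victim can make: which devices are logged in?"""
        return sorted(dev for p, dev in self.sessions.values() if p == phone)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def run_code_relay_phish(victim_phone, victim_contacts, two_step_password=None):
    """Replay the scenario. Returns (contacts the attacker obtained,
    devices now logged into the victim's account)."""
    server = MessagingServer()

    # The owner registers on their own phone; contact sync uploads the book.
    own_code = server.request_code(victim_phone)
    owner_sid = server.confirm_code(victim_phone, own_code, device="victim-phone")
    server.upload_contacts(owner_sid, victim_contacts)
    if two_step_password is not None:
        server.enable_two_step(owner_sid, two_step_password)

    # Attacker starts a login with the victim's number; the code goes to
    # the victim's handset, not the attacker's.
    code_on_victims_phone = server.request_code(victim_phone)

    # The lure ("please verify Telegram") gets the victim to hand it over.
    relayed_code = code_on_victims_phone
    attacker_sid = server.confirm_code(victim_phone, relayed_code,
                                       device="attacker-laptop",
                                       password=None)  # 2SV password never phished

    if attacker_sid is None:
        return [], server.active_devices(victim_phone)
    return server.get_contacts(attacker_sid), server.active_devices(victim_phone)


if __name__ == "__main__":
    # Constructed sample input: an Australian number with two Hong Kong contacts.
    book = ["+852 1111 1111", "+852 2222 2222"]
    print(run_code_relay_phish("+61 400 000 000", book))
    print(run_code_relay_phish("+61 400 000 000", book, two_step_password="correct horse"))
```

Two points worth taking from the model: the one-time code proves only that someone can read the victim’s SMS at that moment, so whoever the victim relays it to becomes the account; and the second factor stops the relay only for an account that already exists with the password set, so a number that has never registered the app is fully exposed. The extra session is visible in the active-devices list, which is the first thing to check after a suspicious “verify” prompt.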
One of the dozen people caught up in the scam was The Sydney Morning Herald and The Age’s North Asia correspondent, Eryk Bagshaw. On the night of March 19, the person impersonating Birmingham sent Bagshaw a message on Telegram asking: “Do you have a contact in Hong Kong. An Aussie preferably.” After giving him a few names and phone numbers of activists, the fake Birmingham asked Bagshaw to reach out to the contacts as well to tell them he would be in touch. “Let me know if you have reached out to the both of them,” one message said.
When the Hong Kong contacts first began receiving messages from “Birmingham” on WhatsApp and Telegram, they were pleased to be put in touch. But soon the person started asking them to transfer money to a bank account registered to “Yat Ting Ho Laundry Co”. The account was with the Standard Chartered bank in Hong Kong. It was clearly a scam. As soon as Bagshaw was told of the suspicious messages he notified other affected contacts and Birmingham’s office that it appeared the minister was being impersonated. The other politicians and diplomats were hit in a similar way.
The Australian Federal Police was immediately called in and took the phones of the politicians and diplomats. They determined the phones had not been compromised in any way. While the contact books in the phones had been uploaded to the fake accounts, this was not a sophisticated hack whereby the cyber attackers gained access to the phone itself. But the episode has exposed the need for politicians, diplomats, business leaders and journalists to become better versed in cyber security.
Who was behind it?
The AFP believes a criminal syndicate was likely behind the operation. While security agencies haven’t ruled out the involvement of a foreign intelligence service, the fact the attackers were after sums of money and not state secrets suggests it was an act of criminality rather than espionage.
Fergus Hanson, the director of the Australian Strategic Policy Institute’s International Cyber Policy Centre, says it is difficult to discount the possibility a state actor was involved.
“Because they’re targeting politicians and key officials, you have to look at it through the lens of a potential state actor and espionage,” Hanson says. “It looks like the set-up of criminal activity but criminal activities often mask state-actor activities. Just because it has a criminal dimension or involves money doesn’t necessarily mean it’s not a state actor behind it.”
Regardless, Hanson says it should be a wake-up call for a world we’re about to enter where “deep fakes” will only increase and get more sophisticated.
“The way we typically verify identities is going to have to change. We just take it for granted that I can recognise your voice,” he says. “We need to be looking at an extra layer of authentication – especially for phone calls that involve commercial dealings and political dealings.
“With voice calls, voice is now easily synthesised, particularly when you’ve got a body of voice samples. Politicians and diplomats talk a lot publicly so that’s easy to do. So you could have a CEO ringing up a staff member asking them to make payment to a particular bank account. You could have a defence minister ringing the Chief of Defence Force asking them to do something.”
Hanson says extra layers of authentication now need to be considered, including mandating video calls where the person is moving around (which is harder to fake) and compulsory two-factor verification when making phone calls.
“We’re coming up to that point where there’s going to have to be a constant interface where you’re ensuring what you’re dealing with is a genuine account and that makes it harder to fake,” he says.
“We’re just at that point where a worse user interface is possibly not worth it, but we’re very close to the point where we will need it, particularly for security-minded individuals and officials. For them, we’re probably nearly at that point where they will want that service.”
Sense of paranoia
The phishing scam came around the time security agencies uncovered a number of attempts to bug diplomats and sophisticated hacks occurred on the computer networks of Parliament House and Nine News (owner of this masthead). This has fed a sense of paranoia within senior ranks of the government and the Department of Foreign Affairs and Trade.
For years, senior Australian officials and politicians have been hyper-aware about their phones being compromised. Mike Burgess, the head of Australia’s counter-espionage agency, ASIO, has warned there are more foreign agents operating in Australia than at the height of the Cold War. Cyber attacks and bugging devices are a significant part of this wave of espionage and foreign interference.
Hanson says the days of having a sensitive conversation on an open phone line are “long gone”, while apps such as WhatsApp and Signal are not as safe as they used to be. “For a while, they were the gold standard – there was a sense that if I’m using Signal or WhatsApp it’s end-to-end encrypted and that’s all good. But, ultimately everything is breakable: if everyone is pivoting to that platform, the people trying to break into that will put their energy into it and nothing is 100 per cent secure.”
“There’s an increasing awareness. Mike Burgess came out and said espionage was the worst it’s ever been. The fact you’ve got him saying that would have to be ringing alarm bells.”
Telegram did not respond to requests for comment on what it was doing to address the phishing scam. A spokeswoman for Facebook said the best way for people to protect themselves on WhatsApp was to use its two-step verification and never share registration codes with anyone. “We would also urge all users to be wary of anyone who contacts them to ask for money and to report all suspicious and problematic messages to WhatsApp.”