On 19 June, Prime Minister Scott Morrison said that the source of the attacks is thought to be a nation-state with “significant capabilities”. The health, education, and government-industry sectors are generally found to be targeted.
The attackers seem to have an “aptitude” for seeking out test and development environments and orphaned services that are no longer being tended to by their owner organizations. When access cannot be gained by these means, spear-phishing techniques are then utilized to trick end-users into handing over their login credentials.
Upon gaining access to the organization's data, the attackers deploy a mix of open-source and custom tools to interact with the victim network, and they take over the websites of compromised organizations to run command-and-control servers.
Currently, the Australian Cyber Security Centre (ACSC) has issued the “copy-paste compromises” advisory, which sets out protective measures that users can adopt to protect themselves from the attack.