SYDNEY—Businesses and government agencies in Australia are being targeted by a sophisticated state actor in a large-scale cyberattack, the country’s prime minister said, raising alarm that disruption caused by the coronavirus pandemic is increasing the vulnerability of institutions.
Prime Minister Scott Morrison didn’t identify the country responsible on Friday, but said not many countries have the resources to mount such a wide-ranging cyber assault. All levels of government, political organizations, education and health-care providers, infrastructure operators and others are being targeted, he said.
“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used,” Mr. Morrison said, adding that the attacks have been increasing over a period of months.
Linda Reynolds, the defense minister, said all Australian organizations should be aware to the threat and take steps to protect their networks.
Security agencies have ramped up warnings about potential malicious cyberattacks in recent weeks, specifically on hospitals, medical-research facilities in addition to power and water networks. Staff members who would normally be located in control rooms or worksites—protected by both digital and physical security barriers—are now working remotely because of the pandemic, Australia’s lead cybersecurity agency said last month.
“There’s been a huge increase in the number of Australian businesses notifying their insurers that they’ve been the victim of a cyberattack,” said Ahmed Khanji, the chief executive and founder of Sydney-based Gridware Cybersecurity, which investigates attacks on behalf of insurers. “We’ve been doing all-nighters at least once or twice a week.”
Mr. Morrison said there was no evidence yet of major personal-data breaches. He said the government plans to release a new cybersecurity strategy in the coming months that will include significant investments.
Some analysts said China is one of the few countries with both the resources and motivation to mount such a broad campaign. Last year, Mr. Morrison also declined to identify which country was behind a cyberattack on computer systems in the country’s Parliament, though a security official at the time said certain shortcomings associated with that attack were similar to previous Chinese efforts.
Having the defense minister appear with Mr. Morrison on Friday underscored the seriousness of the issue, said Tom Uren, a senior analyst in cybersecurity at the Australian Strategic Policy Institute. Mr. Uren said Mr. Morrison’s remarks, in which he said the attack could only have come from a few well-resourced countries, sought to warn the perpetrator that Australia could publicly name it if the attacks don’t stop.
“The prime minister talked about it going on for months, increasing in scale, and affecting so many industries,” said Mr. Uren. “Those are all groups that the Chinese have hacked in the past, and for all of those to be ongoing at the same time means it’s a country with a large capability.”
Mr. Uren said the attackers were likely seeking information that could give their country a strategic advantage—perhaps even information about which coronavirus vaccines are most promising.
China denied being responsible for the cyberattack on Australia’s parliament. The Chinese Ministry of Foreign Affairs in Beijing didn’t have an immediate comment Friday.
Tensions between the two countries have been rising since Australian officials pushed for a global investigation into the origins of the pandemic, which first emerged in China. Chinese officials threatened a boycott of Australian beef and wine and placed a tariff on barley exports. Earlier this month, China warned its citizens not to travel to Australia due to what it said is a rise in racial discrimination.
“There’s lots of different ways in which you can hide your footprint, but increasingly some nations are deliberately leaving their footprint in order to make a statement,” said Alana Maurushat, professor of cybersecurity and behavior at Western Sydney University.