CEO and founder of StickmanCyber, Ajay Unni, reflected on 2021 with Daily Straits, taking them through some of the most talked-about attacks of the year, what was stolen and how the victims recovered their data and got their systems back online.
Read the full article below as featured in Daily Straits.
Cyberattacks have increased exponentially in the past year with the Australian government noting a 13 per cent increase in reported attacks and a 15 per cent rise in ransomware attacks.
The Australian Cyber Security Centre (ACSC) believes cybercrime has cost Australian businesses and individuals $33 billion over the past year with the global cost of cybercrime expected to rise to $2 Trillion by the end the year up from $400 billion in 2015.
CEO and founder of StickmanCyber, Ajay Unni, takes us through some of the most talked about attacks of the year, what was stolen and how the victims recovered their data and got their systems back online.
Nine Network
In March this year, Nine Network was at the centre of the largest cyber attack on a media company in Australia’s history, resulting in the network’s news production systems around the country coming to a grinding halt for more than a day with the broadcaster unable to air several programs.
The Sydney Morning Herald, owned by Nine, reported the infection as “some kind of ransomware” attack, albeit using a malware strain not previously seen in Australia, with sources reporting to media that the ransomware had impacted several thousand machines.
While it’s still not clear if all the infected machines were shut down to prevent the malware from spreading further it is understood at least part of the environment was powered down as a precautionary measure.
UnitingCare Queensland
UnitingCare Queensland became the victim of notorious cyber group REvil in April with a ransomware attack shutting down many of their core systems and forcing them to resort to paper-based and manual workarounds to continue operating. REvil like their name suggests uses a type of malware called Sodinokibi/REvil, which encrypted the health care providers files and attempted to delete backups. This led to a nearly two month long ordeal for the health provider to regain control of its systems.
While the hospital and aged care facilities managed to bring most of its applications and systems back online, the attack led to them being suspended from the national My Health Record system, which allows patients to view their records online.
UnitingCare has since confirmed that there was no evidence that any patient’s health had been compromised by the cyber incident and they continue to work with the ACSC and technical and forensic advisors to respond to the attack.
ASIC
The Australian Securities and Investments Commission (ASIC) was hit by a data breach in January that saw attackers gain access to files relating to credit license applications. The incident was related to a vulnerability in vendor Accellion’s legacy File Transfer Appliance (FTA) software that is used for storing and sharing documents. This software was vulnerable to the common SQL injection attack vector where hackers gain access to hidden parts of a database or file system.
Oxfam Australia
In February, Oxfam Australia investigated a suspected cyber-attack on their database that allegedly impacted the information of 1.7 million supporters, with hackers accessing files containing data on supporters who had signed petitions, taken part in campaigns and made donations or purchases.
While passwords weren’t compromised, names, addresses, dates of birth, email, phone numbers, gender, and in some cases donation history, may have been accessed.
The charity launched an investigation after becoming aware of the incident and notified supporters of the potential risk and referred the breach to the ACSC and the Australian Information Commissioner’s Office.
Transport for NSW
In February around 250GB of information including confidential emails and files, was stolen from Transport for NSW and dumped on the dark web, appearing on a leak site belonging to ransomware and extortion group CL0P in downloadable chunks of roughly 4GB each.
The data theft was part of a larger breach relating to the Accellion File Transfer Appliance (FTA) with CL0P publishing data from dozens of organisations in an extortion attempt after a vulnerability was discovered in the legacy Accellion service.
Cyber Security NSW managed the NSW Government investigation with the help of forensic specialists, to understand the impact of the breach, including to customer data.
Eastern Health
Earlier this year, one of Melbourne’s largest metropolitan public health services, Eastern Health, was forced to shut down some of its IT systems and postpone elective surgeries following a widespread ransomware attack that crippled its server.
Although no patient data was lost, ransomware forced the shutdown of IT systems across the hospitals operated by Eastern Health. The incident removed staff access to patient records, booking and management systems and prompted the cancellation of non-urgent surgeries, causing additional frustration for patients whose procedures had already been delayed due to COVID-19.
Back-up processes were implemented during recovery efforts, including the use of paper-based documentation, and some non-critical appointments were delayed. The support of the state and federal governments alongside IT experts, helped Eastern Health to bounce back from the attack and resume normal functionality.
Swinburne University
In April, Swinburne University of Technology revealed that it had responded to a data breach that had made information about more than 5,000 people available online.
Swinburne was advised that some information, such as names, email addresses and phone numbers of around 5,200 Swinburne staff, 100 Swinburne students and some externals had been inadvertently made available on the internet. This data was event registration information from multiple events held from 2013 onwards.
The university’s investigation into the breach shows that the source of the data was an event registration webpage that is no longer available.
The Melbourne-based institution said it took immediate action to investigate and respond to the breach, including removing the information and conducting an audit across other similar sites.
Northern Territory Government
The Northern Territory Government’s system was hit by a ransomware attack in January and was down for three weeks after the attack hit one of its suppliers and forced its sensitive database to be taken offline.
The NT Government confirmed that in spite of the government system being down for three weeks none of the data it is responsible for protecting was accessed by unauthorised third parties.
Rather than paying the ransom, a spokesperson for the NT Government Department said that they worked alongside the ACSC to remediate the ransomware attack.
Sunwater
Queensland’s largest regional water supplier, Sunwater, was targeted by hackers in a cyber security breach that went undetected for nine months. The breach had occurred between August 2020 and May 2021 and involved unauthorised access to the entity’s web server that stored customer information.
The hackers left suspicious files on a web server to redirect visitor traffic to an online video platform with the Brisbane Times reporting that the hackers had used the infrastructure to boost the Google search ranking of a Youtube video.
A Sunwater spokesperson said no financial or customer data had been compromised and immediate steps had been taken to improve security once the unauthorised access to an online content management system was detected.
JBS Foods
In June, JBS Foods were the victim of a ransomware attack which led to a partial shutdown of their operations in the USA, Canada and Australia over a five day period. The company was targeted by a group of hackers who they labelled as some of the most specialised and sophisticated cyber criminal groups in the world. The FBI later attributed the attack to REvil/Sodinokibi, a ransomware tied to some of the largest attacks on critical infrastructure, finance and healthcare.
The five-day shutdown threatened Australia’s meat supply chain, with temporary staff lay-offs at some of the company’s plants and reports from farmers that their shipments of livestock were cancelled.
To get their systems back online and resume operations, JBS Foods were forced to pay the ransom to the criminal group in Bitcoin, an amount equivalent to $AUD14.2 million.
Ambulance Tasmania
In January it was revealed that the private details of every Tasmanian who had called an ambulance since November 2020 had been published by a third party to an online list that was continuing to be updated each time paramedics were dispatched.
The information made public included a patient’s HIV status, gender, and age, raising concerns it could lead to discrimination or stigmatisation, with suggestions the breach could see the Tasmanian government open to litigation.
The source of the breach was found to be the ambulance provider’s paging system, used to convey critical health information between dispatch and paramedics. Tasmania’s outdated ambulance communication network is but a single example of the old systems currently running the state’s emergency services, making them especially vulnerable to cyber attacks.
Since the site was brought to the attention of the Tasmanian government it has been taken down and the ACSC has been authorised to remove it should it reappear. Cyber-security professionals have called for Ambulance Tasmania to update its outdated communication systems to prevent any more cybercriminals from stealing data.