Australia's Department of Defence becomes latest victim of regional ransomware attacks
Military information was not stolen in the breach, which may affect the records of 40,000 defence personnel
Australian defence e-communications platform ForceNet has reportedly been hit with a ransomware attack, in yet another attack of a similar nature on an Australian organisation.
ForceNet, a service used by the Australian Department of Defence for auditable communications and personnel information sharing, has been revealed as the subject of a ransomware attack carried out by as-yet-unidentified threat actors.
Although there is no indication that sensitive data belonging to the military was stolen in the attack, it's believed that between 30,000 and 40,000 staff records may have been contained in the affected data set. Both current and former military personnel, as well as public servants, could be affected by the potential data breach.
"I want to stress that this isn't an attack or a breach on defence (technology) systems and entities," said assistant minister for defence Matt Thistlethwaite, on Australian Broadcasting Corporation (ABC) Radio.
"At this stage, there is no evidence that the data set has been breached, that's the data that this company holds on behalf of defence".
Employees within the Australian DoD have been ordered to change their passwords, and an investigation into the precise nature of the data set is ongoing.
The Australian Signal Directorate (ASD), the agency responsible for military signals intelligence and cyber warfare, had posted an advisory in November 2021 warning that software suite SiteCore contained a remote code execution vulnerability. Tracked as CVE-2021-42237, the vulnerability affected SiteCore Experience Platform, and had been actively exploited by threat actors to install malware and webshells on the websites of victims.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
SiteCore was used to build ForceNet, along with some other Australian public organisation websites. No link has yet been conclusively drawn between the advisory and the reported attack, although the degree to which the ASD was aware of a potential weakness in ForceNet is likely to become a matter of interest to security teams.
“The most important step the Australian government could take towards both preventing and mitigating breaches such as this is mandating MFA,” said Rob Griffin, CEO of MIRACL.
"Password abuse remains the number one means of installing malware and is the cause of 70% of all breaches. Moreover, in mitigation, any user credentials that malware captured would be of little value if MFA had been in place. We can see from the report that the Assistant Minister for Defence has suggested that potential victims should change their passwords - this wouldn’t now be necessary.
"If the Australian government or ForceNet wanted to go the extra mile, they would implement single-step MFA, meaning they would not have to sacrifice the service’s accessibility for the added security.”
Australian firms have faced a wave of malicious activity in the past few months. On 26 October, health insurance provider Medibank revealed a widespread hack, with attackers gaining access to around 3.9 million customer records — around 15% the population of Australia. In September and October, Australia’s second-largest telco, and Singtel subsidiary, Optus confirmed a cyber attack, and the largest telco Telstra suffered a data breach of its own.
The former prompted a government minister to criticise Optus for having caused ‘systemic ID problems for 10 million Australians’, with at least 2.1 million customers directly impacted by the breach. The same month, another Singtel subsidiary Dialog discovered that its employee information had been posted to the dark web, following a “cyber security incident”.
In response to the attacks, the Australian government recently increased the maximum penalties for serious breaches of privacy, through the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. Whereas the maximum is currently A$2.22 million, the new limit will be the greater of either A$50 million, three times the value obtained by the company as a result of the breach of privacy, or 30% of the adjusted turnover during the breach period.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.