Sensitive NSW documents posted on dark web after Accellion hack

Sensitive documents have been posted on the dark web after two NSW government ministries were hacked in a major security breach.

Massive amounts of sensitive NSW government documents have been published online by hackers attempting to extort the authorities for cash.

The sporadic leaks to the dark web have continued in the past few days and it’s understood the files totalled some 250 gigabytes as of Wednesday.

And as the scale of the hack, which occurred in December 2020, becomes clearer, questions are emerging about whether a NSW ministry failed to immediately alert the state’s cyber investigations team about what had happened.

NSW Police said in a statement its joint investigation with Cyber Security NSW, dubbed Strike Force Martine, didn’t begin until February, at least six weeks after the US company Accellion said it first communicated to customers in relation to the hack which impacted NSW Health and Transport for NSW among dozens of global victims.

The hack targeted Accellion and its product File Transfer Appliance, a system used by companies and government agencies worldwide to transmit data.

The header of a Transport for NSW document understood to have been posted on the dark web.

Brett Callow, threat analyst with the cyber security firm Emsisoft, said the ransomware group Clop had uploaded samples of NSW Transport documents claimed to have been stolen in the Accellion hack, including government tenders and steering committee papers.

“They post the data in a series of instalments in order to gradually ramp up the pressure,” Mr Callow said.

“The first instalment is basically the equivalent of a kidnapper sending his or her captive’s little finger.”

It wasn’t clear whether Clop was involved in the actual breach or just hired by the hackers to extort the victims afterwards, Mr Callow said.

The state government has been tight-lipped about what sort of documents were stolen, but said hackers had not accessed driver’s licence, Opal card or medical records systems.

The health ministry’s top public servant, Secretary Elizabeth Koff, told budget estimates the Health files accessed by hackers were predominantly “corporate files”.

It's understood the Transport documents leaked online included steering committee meeting papers from 2016, a 2019 document relating to a government tender, and a 2020 letter from the NSW parliament’s upper house to the former Transport Secretary for information about the former MP Daryl Maguire, who had a relationship with the Premier.

Though it was also breached, NSW Health is not among the Accellion clients whose data has been posted online by Clop.

On the website where the NSW Transport documents were uploaded, the group posted the message: “Want to delete a page or buy data? Write to the email indicated on the home page.”

A public alert issued by the US Cybersecurity and Infrastructure Security Agency in February, partly based on federal Australian government information, confirmed attackers had extorted money from some “victim organisations”.

However, NSW Customer Service Minister Victor Dominello told budget estimates that state agencies were not among those who had paid the criminals.

NSW Customer Service Minister Victor Dominello spoke about the hack at budget estimates. Picture: NCA NewsWire / Dylan Coker

Meanwhile, as a joint Cyber Security NSW and NSW police investigation continued, parliamentary evidence emerged that made it appear as if the cyber cops were kept in the dark about the December hack until the following month.

NCA NewsWire can reveal that NSW Health learned of the attack against the ministry in December but didn’t notify the cyber security investigations team until January.

Ms Koff told budget estimates earlier this month that the cyber attack was “discovered” by NSW Health on “Christmas Day or Boxing Day”, prompting Health Minister Brad Hazzard to confirm: “It was December 25.”

But Cyber Security NSW said this week it wasn’t told about the incident until January.

An excerpt from a transcript of a budget estimates hearing into the NSW Health portfolio.

After NCA NewsWire asked about the reporting delay, a government spokesman implied Ms Koff either misspoke or misunderstood the question.

According to the spokesman, she meant to say Christmas Day was the date the data theft likely happened, rather than the day the ministry found out.

A spokeswoman for Mr Hazzard said he, likewise, didn’t mean to say the government found out about the attack on December 25.

Rather, he meant to say the “fact that it had occurred on Christmas Day” was discovered later, the spokeswoman said.

It wasn’t clear whether Mr Hazzard or Ms Koff would seek to correct the record.

A government source said the delayed response may have been due to the NSW government shutting down much of its activity over the Christmas and New Year period.

NSW Health Minister Brad Hazzard and Health Secretary Elizabeth Koff said the attack occurred in December. Picture: NCA NewsWire / Gaye Gerard

The reporting timeline is murky over at Transport for NSW as well.

Accellion told NCA NewsWire it sent out emails to its “full list of FTA customers” in December, and again in January when its product was targeted by hackers again.

That would have meant NSW Health and Transport for NSW would both have been notified as early as December.

Asked when the transport ministry became aware of the incident, acting NSW Transport Secretary Peter Regan told budget estimates: “More information has become available over the past couple of months that it has been around.

“I am not sure of the exact date, which was a little bit before — I was not fully in the loop on it. The initial incident is understood to have occurred at the back end of last year or early January.”

He asked to come back to the committee with a more detailed answer and was expected to do so by the end of this week.

Mr Hazzard with Premier Gladys Berejiklian at the NSW Ministry of Health in the Sydney suburb of St Leonards. Picture: NCA NewsWire / Dylan Coker

According to Accellion’s timeline of events, the company found out “anomalous activity” had occurred on December 16, and the company then spent the next three days patching up the security loophole the hackers exploited before issuing a system update along with a warning email to customers on December 20.

Two more security updates were made on December 23 and 24, the company said.

On January 22, the company learned of a new breach, which led the company to issue an “urgent security alert to FTA customers advising them to shut down their FTA systems immediately”, Accellion said.

The Reserve Bank of New Zealand, which was also a victim of the hackers, has disputed that timeline.

“We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the bank for five days that an attack was occurring against its customers around the world, and that a patch was available that would have prevented this breach,” Reserve Bank governor Adrian Orr told the New Zealand Herald last month.

Accellion has said it had urged clients for years to upgrade to newer and safer products than the 20-year-old FTA system, which is being phased out of use and will no longer be supported after April 30.

The NSW government has said all state agencies have stopped using Accellion since the hack occurred.

Originally published as Sensitive NSW documents posted on dark web after Accellion hack

Original URL: https://www.heraldsun.com.au/technology/sensitive-nsw-documents-posted-on-dark-web-after-accellion-hack/news-story/41a9583257bace94095f7ae7ee749139