Australia's Department of Defence becomes latest victim of regional ransomware attacks

Australian defence e-communications platform ForceNet has reportedly been hit with a ransomware attack, in yet another attack of a similar nature on an Australian organisation.

ForceNet, a service used by the Australian Department of Defence for auditable communications and personnel information sharing, has been revealed as the subject of a ransomware attack carried out by as-yet-unidentified threat actors.

Although there is no indication that sensitive data belonging to the military was stolen in the attack, it's believed that between 30,000 and 40,000 staff records may have been contained in the affected data set. Both current and former military personnel, as well as public servants, could be affected by the potential data breach.

"I want to stress that this isn't an attack or a breach on defence (technology) systems and entities," said assistant minister for defence Matt Thistlethwaite, on Australian Broadcasting Corporation (ABC) Radio.

"At this stage, there is no evidence that the data set has been breached, that's the data that this company holds on behalf of defence".

Employees within the Australian DoD have been ordered to change their passwords, and an investigation into the precise nature of the data set is ongoing.

The Australian Signal Directorate (ASD), the agency responsible for military signals intelligence and cyber warfare, had posted an advisory in November 2021 warning that software suite SiteCore contained a remote code execution vulnerability. Tracked as CVE-2021-42237, the vulnerability affected SiteCore Experience Platform, and had been actively exploited by threat actors to install malware and webshells on the websites of victims.

SiteCore was used to build ForceNet, along with some other Australian public organisation websites. No link has yet been conclusively drawn between the advisory and the reported attack, although the degree to which the ASD was aware of a potential weakness in ForceNet is likely to become a matter of interest to security teams.

“The most important step the Australian government could take towards both preventing and mitigating breaches such as this is mandating MFA,” said Rob Griffin, CEO of MIRACL.

"Password abuse remains the number one means of installing malware and is the cause of 70% of all breaches. Moreover, in mitigation, any user credentials that malware captured would be of little value if MFA had been in place. We can see from the report that the Assistant Minister for Defence has suggested that potential victims should change their passwords - this wouldn’t now be necessary.

"If the Australian government or ForceNet wanted to go the extra mile, they would implement single-step MFA, meaning they would not have to sacrifice the service’s accessibility for the added security.”

Australian firms have faced a wave of malicious activity in the past few months. On 26 October, health insurance provider Medibank revealed a widespread hack, with attackers gaining access to around 3.9 million customer records — around 15% the population of Australia. In September and October, Australia’s second-largest telco, and Singtel subsidiary, Optus confirmed a cyber attack, and the largest telco Telstra suffered a data breach of its own.

The former prompted a government minister to criticise Optus for having caused ‘systemic ID problems for 10 million Australians’, with at least 2.1 million customers directly impacted by the breach. The same month, another Singtel subsidiary Dialog discovered that its employee information had been posted to the dark web, following a “cyber security incident”.

In response to the attacks, the Australian government recently increased the maximum penalties for serious breaches of privacy, through the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. Whereas the maximum is currently A$2.22 million, the new limit will be the greater of either A$50 million, three times the value obtained by the company as a result of the breach of privacy, or 30% of the adjusted turnover during the breach period.