Australian Cyber Crime Monthly Report: December 2023

Welcome to Cyber Daily’s second Australian Cyber Crime Monthly Report – a collection of incidents, hacks, and more collated from a range of open-source intelligence feeds to build a snapshot of malicious cyber activity targeting Australians and Australian organisations.

This data is gathered from several open-source intelligence services. You can read a full accounting of our tracking methods and tools here, but it should be pointed out that the team is starting to take advantage of the new VenariX beta, a similar service to FalconFeeds.io that we’re expecting to grow to be quite useful.

Regardless, the information presented here is as accurate as Cyber Daily can confirm, though it must be said that you cannot always rely upon the word of criminals, and navigating the darknet can lead to a lot of dead ends. This data is presented as a broad snapshot and should not be acted upon in isolation. This activity is what Cyber Daily has observed over the last month, the Christmas break notwithstanding, and there are doubtless a lot of cyber incidents that go unobserved every day.

The Australian Cybercrime Monthly Report is, as such, an ongoing work in progress. And it is later this month, thanks to a much-needed two weeks off over Christmas. We promise to be mostly on time for the rest of the year!

In all cases – with the exception of simple website defacements and some of the more fanciful claims – Cyber Daily has contacted the victims of each incident where possible.

You can read the November 2023 report here.

Ransomware

Operators: Akira, 8Base, Knight, DragonForce, LockBit, Cactus
Companies targeted: Nine
Total data allegedly impacted: More than 460 gigabytes

VIEW ALL

Ransomware operators were somewhat in abeyance over December, with both fewer individual instances reported and fewer actors targeting Australian organisations.

Nonetheless, after a slow start to the month – only the Akira gang had been active, with a hack against Nissan Oceania making headlines and another on a managed IT services provider before 12 December – 8Base, Knight, and DragonForce livened things up on the next fortnight with attacks on Tim Davies Landscaping, the Crace Medical Centre in Canberra, and Yakult Australia.

Yakult Australia suffered a 95.19-gigabyte breach that saw the “company database, contracts, passports and much more” all leaked online, according to DragonForce’s leak site. No data from the other two victims appears to have been published.

Cactus targeted hardware distributor Tridon Australia on 29 December and has since posted the 175 gigabytes of data, which appears to include some employee passports and a large amount of accounting data and customer-related documents. Tridon has not replied to Cyber Daily’s request for comment.

LockBit, however, was once again the most active ransomware operator in Australia, chalking up three alleged local victims.

Both automotive repairs company Scientific Motor Body Works and builder Sterling Homes fell under LockBit’s sights, with data published – though the datasets seem limited to internal information. Both companies appear to be operating normally, but LockBit’s third alleged victim, Eagers Automotive, was forced to halt trading on the ASX after it reported a “cyber incident resulting in an outage that is disrupting parts of the company’s operations across Australia and New Zealand”, according to the company.

Eagers did not elaborate on the culprit, but LockBit claimed the hack days after Eagers enacted the halt. LockBit did not share any further details of the hack or evidence that it even happened. It has since deleted any entry of the claim.

Data breaches

Claimed: 13
Apparently legitimate: Six

Popular musical instrument retailer Billy Hyde Music, collections agency CollectSmart, and builder Granvue Homes all suffered data breaches in the first week of December, with the data shared on either Telegram or a popular hacking forum. It’s interesting to note that there are two motives in play here.

One is simple monetary gain, with some hackers preferring to post their data on hacking forums in return for site credit or sometimes actual purchases with crypto or even cash. Others, however, are politically motivated, and we saw both motives in play in December.

A lot of these forum-based breaches are also quite small, measured in “just” megabytes, compared to the many gigabytes – even terabytes – of ransomware-based breaches.

It can also be difficult to confirm a breach, as some forums have been blocking our attempts to sign in and gain visibility of the for-sale posts made on them. We may get an alert on a threat tracker like FalconFeeds, but we prefer to confirm anything with our own eyes where possible – especially when it comes to reporting on a data breach in detail.

And then some hackers will share just about anything they can find while fishing around, like the Cyber Operations Alliance – which appears to be an Indonesian hacking collective – which proudly shared a 2003–04 statistical report on responses to fire events that it managed to exfiltrate from Fire and Rescue NSW.

The other possible data breaches this month included an online swimwear retailer, a NSW taxi service, and the University of Western Australia – though in the latter case, the hacker was trying to pass off some truly useless data. It was just some dummy email addresses and what looked to be user IDs. The “full leak” was originally shared on Pastebin, but the file has since been deleted – probably due to lack of interest.

Defacements

Number of sites allegedly defaced: 14

We observed just two website defacements in November, but in December, that number jumped up to an alarming 14.

This increase has largely been driven by pro-Palestinian hacking collectives, mostly from Muslim countries in south-east Asia. In most cases, these are opportunistic attacks that take over a site’s main page with some anti-Israel propaganda and a lot of MySpace-grade animated gifs and are easily mitigated. The targeted sites are either only defaced for a short period, or the affected organisations can switch to a new domain they already own or control.

In some cases, we’re not even sure the claims are legitimate. For instance, on 9 December, a group calling itself Team 1722 claimed on its Telegram channel to have defaced the website of the Confederation of Greater Hobart Business – hardly a mighty blow against Israel, but it plays well with the script kiddies. The group was saying that it had targeted the website https://cghb.com.au/, which certainly remains defaced (pictured, though you’re really missing out on the fit-inducing gifs).

However, the actual Confederation of Greater Hobart Business website is still in operation on a .org.au address. The .com.au address does not even come up in a Google search, suggesting the URL has not been in use at all. It’s just plain opportunism on the hacker’s part.

In other instances, though, the impact of a defacement attack can be ongoing. Of course, forcing the Cat Association of the Northern Territory to shut down its website is almost certainly not going to affect Australian foreign policy, nor will it provide any succour to Palestinians suffering in Gaza.

Still, just the increase in alleged attacks alone tells a story, and there are certainly some groups that are more effective in their targeting than others. With global conflict on the rise, we expect to see more petty hacks such as these in the future.

Other incidents

Last month, we spotted two separate posts, both on Russian language forums, selling remote desktop access to Australian networks. Russian forums seem to be the place to go for such things. There was only one such post in December, by a forum user operating under the nom de hack FomaGaz. In this case, it was access to a company in the “sports” industry, with 44 computers on its domain, and protected by Windows Defender. The post does note that the Australian org “is in collaboration with” a US company.

It’s worth noting that such hacking forums are quite a professional operation. Like many darknet sites, escrow is offered for many purchases, which means the forum holds any money until the buyer is satisfied. They also tend to elaborate on the operating systems being used in the targeted environment and what antivirus software or security solutions might be in play.

How very kind.

Kudos, too, to the Indonesian hacker who managed to gain limited access to an Australian satellite that had been out of service for years – very indicative of the kind of hacks most smaller collectives are capable of. Small mischief, indeed.

The round-up

Overall, December was a much busier month when it came to malicious cyber activity, though, in many cases, the impact was minor at best. Cyber Daily observed at least 30 discrete incidents in November, while December saw that figure climb to at least 45.

Again, we saw a wide range of industries targeted, from small online retailers to far larger companies, Nissan Oceania and even Yakult Australia, falling victim to ransomware operations. In pretty much all cases, these attacks are opportunistic in nature, with the threat actors acting on weak security wherever they might find it, especially when it comes to politically motivated collectives trying to make a statement about Israel and Hamas.

It will be interesting to see the numbers for January – which we are in the middle of, we admit. Cyber Daily’s Christmas break meant we had to play catch on threat tracking in December, but we can at least give a hint of the month to come, and the number of incidents we’re tracking as of 24 January is 23.

See you again at the end of the month. If you’ve suffered a ransomware attack or any other form of cyber attack, please feel free to tell us your story – email [email protected] if you think there’s something we should be writing about.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.