Australian Cyber Crime Monthly Report: November 2023

Welcome to Cyber Daily’s first Australian Cyber Crime Monthly Report – a collection of incidents, hacks, and more collated from a range of open-source intelligence feeds to build a snapshot of malicious cyber activity targeting Australians and Australian organisations.

This data is gathered from several sources. Falcon Feeds is a huge source of information on cyber security incidents as they happen and an important part of the work that has gone into this report – as well as our regular reporting. Cyber Daily also tracks a number of Telegram channels belonging to both threat hunters and threat actors themselves, as well as the darknet leak sites of ransomware operators and other criminals.

Cyber Daily also monitors several clear web hacking forums, such as Breach Forums and Leakbase. Some forums, particularly Russian-language ones, are difficult to gain visibility into as they block access from some users – including our own reporters.

Regardless, the information presented here is as accurate as we can confirm, though it must be said that you cannot always rely upon the word of criminals, and navigating the darknet can lead to a lot of dead-ends. This data is presented as a broad snapshot and should not be acted upon in isolation. This activity is what Cyber Daily has observed over the last month and there are doubtless a lot of cyber incidents that go unobserved every day.

The Australian Cyber Crime Monthly Report is, as such, an ongoing work in progress. The data can and does change regularly. A criminal gang may boast it has gigabytes of purloined information one day, only to delete that same post the next – this could mean the victim has paid a ransom or it might mean that the data itself was trash and not worth the effort to follow up. Motives can be difficult to ascertain, but one trend remains constant.

Largely, overseas criminal groups are increasingly targeting Australian businesses and organisations, bent on either financial gain or causing politically motivated disruption. We hope the Australian Cyber Crime Monthly Report can give readers an insight into this ever-shifting threat landscape.

In all cases – with the exception of simple website defacements – Cyber Daily has contacted the victims of each incident where possible.

Ransomware
Operators: BianLian, LockBit, NoEscape, Cuba, Play, ALPHV, Akira, INC Ransom, 8Base
Companies targeted: 13
Total data allegedly impacted: Over 5.4 terabytes

VIEW ALL

Ransomware operators were very active in November, with a number of gangs claiming hacks on multiple Australian businesses.

LockBit was the top operator for the month, claiming to have targeted three Australian companies. Data belonging to an IT automation company and mining equipment repair firm was posted to the gang’s leak site, though not a huge quantity of it – less than two gigabytes between them – and while some employee information was published, including tax file numbers and passport scans, it’s not exactly a huge trove of information.

LockBit also posted a larger dump of data from Queensland’s Q Automotive Group. You can read more about the roughly 49 gigabytes of data breached in that incident here, but all up, it totalled over 91,000 lines of data.

In all three cases, the complete datasets were published – after the ransom deadline expired, presumably.

NoEscape and ALPHV tie for second place, each claiming to have successfully hacked two Australian companies.

ALPHV targeted a West Australian fishing tackle provider, as well as a four-wheel drive equipment supplier. These are much bigger incidents, however, with each hack allegedly containing more than 800 gigabytes of data.

As of writing, the full datasets have not been uploaded and entries on the ALPHV leak site – ALPHV is a ransomware-as-a-service operator, so the individual posts are likely made by or on behalf of other threat actors – suggest that some level of attempted negotiation is in progress.

That said, ALPHV has shared proof-of-hack details that appear legitimate. In the case of the four-wheel drive supplier, a passport scan of one of the company’s branch managers was posted online.

NoEscape appears to have been no less impactful but in rather different ways. It is currently claiming to have 20 gigabytes of data belonging to a NSW plumbing supplier, and the proof-of-hack data – which includes a screenshot of a file directory and internal documents – seems legitimate. As of writing, the ransom deadline is about six days away.

NoEscape’s second victim, however, seems to have been more severely impacted. In fact, its website appears to be offline completely. NoEscape says it has 17 gigabytes of data and has shared what appear to be scans of employee passports. More information is, according to NoEscape, “coming soon”.

“Last Warning!!!” reads the latest update on the gang’s darknet site. “We advise you not to bring the situation to a critical level and contact us soon is [sic] possiple.”

“Assign a peson [sic] to the postition [sic] of negotiator, and tell him to contact us, we will explain evrithing [sic] and help you solve this problem.”

The Play ransomware gang posted just over 200 gigabytes of data belonging to a Victorian glass manufacturer, while Akira claims to have 20 gigabytes of data exfiltrated from an aluminium design firm. And 8Base says it has data belonging to a clothing brand, all of which Cyber Daily is continuing to investigate.

Both INC Ransom and the BianLian operation claimed hacks of two other Australian companies, but those were confirmed by Cyber Daily to be false. Both companies were aware of the alleged incidents and told us no data was compromised at this time. It’s entirely possible these were simply attempts at extortion without any data to back them up. In one case, the company is pretty sure it may even be a matter of mistaken identity, possibly with an Austrian firm with a similar name.

The most curious ransomware incident belongs to the Cuba gang, which, on 13 November, claimed to have hacked the Port Adelaide Football Club, but then deleted the post the day after. Port Adelaide told Cyber Daily that the club was aware of the incident and that it was being investigated.

Data leaks
Claimed: 11
Possibly legitimate: Three

Hackers have been claiming to be spreading Australian data far and wide on several clear web hacking forums in November, but not all data breaches are what they may appear.

Cyber Daily observed 11 data-for-sale posts across a number of forums, but more than a few of them are overstating the data they have. For instance, one alleged hacker attempted to sell data belonging to a website listing Australian exporters, but the dataset was simply a scrape of information openly available on the website itself.

Another hacker was claiming to have customer data from Dymocks for sale, but it appears to be the same data first exposed back in September. Two hackers on two separate forums claimed to have three gigabytes of data from a car buying guide, but not only were both datasets identical, they were Jira support tickets from 2017.

However, some data leaks do appear legitimate. What looks like customer data from the crypto-based video game Illuvium was posted on two different forums, while a large SQL document from a Victorian university was also posted on a hacking forum.

There’s no denying that a lot of data belonging to a lot of Australians is circulating online. At any one time, hackers are claiming to be selling millions of lines of information. But this month – for the most part – the data is either from historic breaches simply being recirculated (which can still cause mischief, of course), or outlandish claims designed to impress and maybe make a few bucks selling it to script kiddies.

Other incidents

Several hacktivist groups have made loud claims over their intent to destroy Australian websites over the country’s support for Israel (and over its support for Ukraine, though that is coming somewhat second as a cause of concern of late), but not many are following through.

And, thankfully, those that did in November did not cause any lasting harm.

A collective calling itself Esteem Restoration Eagle briefly defaced the website of a Queensland patio builder, while Team Herox – both groups are loudly pro-Palestine – did the same, and just as briefly, to the website of a Victorian plastic surgery clinic.

These are hardly high-profile, high-impact targets, proving the opportunistic nature of such hacking groups. They target the lower-hanging fruit of smaller businesses in order to boast of their performance on their Telegram channels.

That said, two of the more alarming posts Cyber Daily has observed are both on Russian-language hacking forums, and both offer remote desktop access to unnamed Australian companies.

One hacker is selling access to a company with an alleged revenue of $5 million, offering local admin access to 30 host devices while also sharing the security applications in place on the target network. The price of access starts at $300 and goes up to $900, presumably based on how long a prospective hacker wants to have access. Another user on the same forum is selling access to a second Australian organisation, this time with access to 15 machines, for up to $300.

Last, but certainly not least, is the cyber incident that saw port operator DP World Australia shut down the entirety of its port operations. Operations resumed within days, but the disruption did cause a backlog. In the words of the previous National Cyber Security coordinator, this was a “nationally significant cyber incident”.

The Australian Cyber Security Centre issued an alert over the vulnerability that led to the cyber attack, and DP World later admitted that some employee data had been compromised. Investigations are ongoing and so far, no threat actor has taken responsibility. Whether the incident was financially motivated or state-based remains to be seen – no entity has yet been named as the culprit and it does not appear to have been any of the usual ransomware operators.

The round-up

With Black Friday and Cyber Monday sales now just past and Xmas shopping still in full swing, scams are on the rise as well, though far harder to track. Certainly, Cyber Daily’s reporters have noticed an uptick in the scams they are receiving, especially via SMS.

But at the same time, as the holidays approach, it’s clear that hackers and other cyber criminals are not planning on slowing down their activity any time soon.

It’s also worth noting the breadth of victims being targeted. From the national operations of a global port operator being disrupted to small businesses finding their sites defaced over a war they are far away from, Australian organisations seem to be a rich target.

That said, ransomware operators are almost certainly not targeting Australian companies specifically but rather looking for any network that is open to exploitation and that might be hiding a lucrative payday. But with many Australian organisations still making up ground on their cyber maturity journeys, it’s easy to feel like the nation does have a target painted on its back.

Making Australia the most cyber-secure nation in the world is a laudable goal, but getting there is going to take a collective effort from business and government alike.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.