Weekly coverage of cyber events of interest in Australia
Hello and welcome to the first issue of a weekly newsletter that I and another Australian threat researcher, arb0ur (https://twitter.com/arb0ur), are putting together.
The goal of this weekly newsletter is to provide an overview of cyber events of interest related to Australia over the previous week and, when time permits, additional context and insights. It is inspired by our drive to lift situational awareness and understanding of the threat landscape across Australia.
We are deeply passionate about informing and supporting the Australian community in understanding the ever-evolving threat landscape, and we hope this will be of benefit to you regardless of your cyber maturity.
Cyber Events 8–31 July 2023 (first edition, so it covers additional days)
July 8: Ventia reported a cyber incident impacting some of its systems. The company provides services to the Australian defence industry and a large number of critical infrastructure organisations.
July 8: The recently activated leak site of the Cyclops ransomware gang listed Superloop, an Australian internet service provider. Cyclops published data at the same time it posted the Superloop listing.
July 16: Stormous (an alleged ransomware group) posted a small Melbourne video production company, The Jasper Picture Company. At the time of writing the Stormous leak site is down (it is one of the less reliable leak sites on the dark web).
July 17: The Clop ransomware gang, as part of its MOVEit campaign, posted Fortescue Metals Group, one of Australia's and the world's largest mineral companies. At the time of writing Clop has not released any data. Fortescue has confirmed the cyberattack, describing it as "a low-impact cyber incident" that occurred on 28 May, and reportedly stated that the information stolen "was not confidential in nature".
July 17: The New Zealand Parliament and several other government websites were targeted by NoName057(16), marking the first time New Zealand had been targeted by pro-Russian hacktivists during the Russia-Ukraine war.
July 18: The ALPHV ransomware gang posted all of the data stolen from FIIG Securities, an Australian bonds company. The incident took place in June.
July 20: A newly created account on the Breached forum called 'Telstra' claimed to be selling stolen data from Australia's biggest telco. Telstra quickly stated that the data had in fact been scraped from the Reverse Australia directory and that its networks were not impacted. The user deleted the post on Breached and then their account.
July 20: NoName057(16) targeted the Australian government's Administrative Appeals Tribunal website. This was the second time in several months that the pro-Russian hacktivist group had targeted the same site, and as a result it was down for maintenance for several hours.
July 20: blackh4t, a member of the underground forum XSS, advertised Citrix access to the network of an Australian organisation with a revenue of USD 25 million. The access allegedly includes databases and invoices, and the host appears to be domain-joined. The user has a low reputation, with no previous sales or endorsements from other forum members. At the time of writing the advertisement has had no engagement from forum users.
July 23: A user on the Breached forum was attempting to sell access to an S3 bucket belonging to an Australian company with revenue of over $10 billion, asking for 0.4 BTC; they have since offered to reduce the price.
July 27: The 8Base ransomware gang posted BoomData, an Australian analytics consultancy, to its leak site.
July 28: The Clop ransomware gang posted Aristocrat Leisure Limited to its leak site. At the time of writing no data has been leaked on the site; however, Clop alleges it holds 347 GB of archived data from the organisation. Aristocrat is a global gaming content and technology company and mobile games publisher headquartered in Australia.
July 29: SGL, a member of the underground forum XSS, advertised Citrix access to the network of an Australian organisation with a revenue of less than USD 5 million. The compromised host is joined to a domain of 57 other hosts and runs ESET Server Security. The user has a high reputation and has completed 9 successful sales through the forum's escrow service to date, including access to 2 other Australian networks.
July 31: Garuda Security, a hacktivist collective, claimed on its Telegram channel to hold '25 billion Data Australia', with a video that skimmed through a large volume of personal information. The data appears to have nothing to do with Australia and may instead relate to Austria. It is likely a merge of previously exposed data.
If you found this useful, have any suggestions, edits or additions, or want to know more, please reach out to our X (Twitter) accounts: