#OpAustralia — Hacktivist Campaign Against Australia — March 2023

Cyberknow
6 min readApr 19, 2023

A look at recent targeted cyber-attacks against Australia

TL;DR

  • Australia was targeted by multiple, allegedly religiously motivated, hacktivist groups over several days in March 2023.
  • There were close to 300 attacks, including DDoS, defacement, doxxing and breach-and-leak attacks.
  • Around 200 attacks were successful, meaning they achieved what the attackers set out to do, regardless of the real-world impact.
  • Some attacks were unsuccessful, and the breach-and-leak and dox attacks were fake: they repackaged open-source information and claimed it was private.
  • Unlike the recent opportunistic ransomware and cyber-criminal attacks in Australia, this was a genuine targeted campaign intended to disrupt the day-to-day lives of Australians.
  • While the majority of the groups involved were religiously motivated, the campaign also spread into the pro-Russian hacktivist groups engaged in the Russia-Ukraine war; that involvement was confined to one group.
  • The most significant attacks were the DDoS attacks that took down the Port of Melbourne and Royal Adelaide Hospital websites.
  • #OpAustralia has now ended, with all groups involved shifting to target other countries they have grievances with.

Caveats

#OpAustralia, like most other hacktivist campaigns, is an exercise in intent over capability. When we talk about threat actors the commonly accepted measure is their capability; however, when I look at hacktivist groups, and more broadly any threat actor, I look at intent first. The reason for this is that:

  • Intent leads to capability which in turn provides more opportunities.

One argument against reporting like this is that the goal of these campaigns is to generate media attention. While that is the case, it is also worth providing insight and situational awareness about these campaigns, as they are part of the cyber threat landscape.

#OpAustralia

On March 17 2023 the first group reported to declare #OpAustralia as an active campaign was Team_Insane_pk, a collective of hacktivists from Pakistan who are driven by religious motivations to target countries they believe are offensive to Islam. They were then joined by dozens of other groups operating as a loose collective, including Anonymous Sudan, a sub-group of the Killnet collective of pro-Russian hacktivists.

The trigger for the campaign was a Melbourne-based fashion designer who created a dress displaying the Arabic word ‘Allah’. The news was spread by several fashion bloggers, which then triggered the start of #OpAustralia by a large collective of hacktivist groups.

For more details see the thread I ran on Twitter during the campaign.

There was also a video released at the height of the campaign to call out the Australian government.

DDoS Attacks

There were over 200 successful DDoS attacks against Australian websites during the #OpAustralia campaign. A large share of the targets were small and medium businesses, which may not have any cyber security capability in place.

Several regional airports, universities, some local councils and at least one small internet provider were also impacted by DDoS attacks.

However, there were three successful DDoS attacks on pieces of Australian critical infrastructure:

  • Royal Adelaide Hospital — The largest hospital in Adelaide, South Australia.
  • Royal Children’s Hospital — The largest children’s hospital in Melbourne, Victoria.

Both of these DDoS attacks saw the sites impacted for a limited time, but the fact that they were impacted at all raises concerns.

The most significant attack was on:

  • Port of Melbourne — The busiest port in not only Australia but also in Oceania — it handles one-third of Australia's container trade.

The DDoS attack was conducted after hours at night, but it still raises concerns: if the country's busiest port were to suffer a significant cyber-attack, it would quickly impact day-to-day living in Australia.

Website Defacement

The defacement attacks, which were largely successful, gave the groups involved in #OpAustralia the greatest opportunity to promote their cause. However, these attacks were almost exclusively against small and medium businesses, even though the defacement message was directed at the Australian government.

Below is a sample of some of the posts:

Eagle Cyber website defacement post
SynixCyberCrime website defacement post

Attempted Doxxing:

One of the less active groups involved in #OpAustralia attempted to dox (publish private information about) two high-profile Australian Defence personnel. The result appeared to be a mix of highly generic details and publicly known information; however, the intent behind the attempts highlights an ingrained appetite to expose or threaten those who make high-level decisions.

Blackshinchan attempted dox of Australian Defence Official

I have redacted some information; while it is not private information and has been scraped from open sources, I don't think providing all the details adds value. The redacted version provides enough insight into the intent of the group.

Blackshinchan attempted dox of Australian Defence Official

The second attempt was even more generic and used information not even related to the alleged dox target.

Note: This group appears to attempt a large number of dox attacks; these are not isolated to these two individuals.

Claimed Breach and Leak Attacks

There were at least five reported breach-and-leak attacks (where a threat actor gets access to data and leaks it without seeking a financial payment). All five alleged leaks appeared to be fake, using documents, in particular PDFs, that can be found with a simple Google search. The most high-profile of these was the alleged Australia Council leak, which turned out to be a series of public PDFs.

Below is the alleged leaked data:

Alleged breached data of an Australian government organization

As you can see these are a series of PDF documents.

A very quick search of the Australia Council website for ‘Harradine Report’ confirms this:

https://australiacouncil.gov.au/about-us/corporate-documents/disclosures/harradine-reports/

The reports are publicly disclosed every six months.

One of the more interesting leaks was the alleged leak of student data from the University of Western Australia, which actually turned out to be data from a project run by the university.

This is the data that was claimed to be exposed (I have still redacted usernames):

Alleged University of Western Australia data

This is a screenshot of the project from the University:

https://teaching.csse.uwa.edu.au/units/CITS1402/projects/

What does this tell us? It tells us that these were not legitimate data breaches. It also tells us that hacktivists have been motivated enough to collect this open-source data and package it, highlighting an intent to inflict damage and impact the day-to-day lives of Australians.

Confirmed Unsuccessful Attacks:

Some of the attacks were easier than others to confirm as unsuccessful; these were often when a DDoS or defacement attack was attempted against hardened Australian infrastructure such as the following:

  • Australian Department of Defence — Attempted DDoS.
  • Australian Department of Health — Attempted DDoS.
  • Police Federation of Australia — Attempted DDoS.
  • news.com.au — Attempted DDoS.
  • magohsc.sa.gov.au — Attempted DDoS.
  • directory.gov.au — Attempted DDoS.

Note: It can be difficult to confirm or deny DDoS attacks without confirmation from the targeted organisation, as a site can be down for different lengths of time. However, I was able to monitor these sites during the alleged attacks and, from what I saw, the sites were not impacted.
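One practical way to do that kind of monitoring, as an added example that is not the author's tooling and not part of the original post: a small Python availability checker that probes each claimed target at an interval and classifies the host from the whole series of samples rather than from a single request. The target list, the thresholds, and the separate verdict for a host that answers 403/429 (a WAF or rate-limit challenge rather than an outage) are assumptions of the example, not facts from the campaign.

```python
"""Availability monitor for checking claimed DDoS impact.

Added example, not the author's tooling. Thresholds and target list are
assumptions; tune them to the sites being watched.
"""
import statistics
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Sample:
    ts: float                 # monotonic timestamp when the probe started
    status: Optional[int]     # HTTP status code, None when no response at all
    latency: float            # seconds until response or failure


def probe(url: str, timeout: float = 10.0) -> Sample:
    """Single HTTP GET against a claimed target.
    Connection errors and timeouts are recorded as status None, never raised,
    so one flaky probe cannot abort the monitoring loop."""
    start = time.monotonic()
    req = urllib.request.Request(url, headers={"User-Agent": "availability-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read(1024)          # read a little so a hung body still counts as slow
            return Sample(start, resp.status, time.monotonic() - start)
    except urllib.error.HTTPError as err:
        return Sample(start, err.code, time.monotonic() - start)   # 4xx/5xx still answered
    except (urllib.error.URLError, TimeoutError, OSError):
        return Sample(start, None, time.monotonic() - start)


def monitor(urls: List[str], rounds: int = 6, interval: float = 30.0,
            prober: Callable[[str], Sample] = probe) -> Dict[str, List[Sample]]:
    """Probe every URL `rounds` times, `interval` seconds apart.
    `prober` is injectable so the loop and classifier can run offline."""
    results: Dict[str, List[Sample]] = {u: [] for u in urls}
    for i in range(rounds):
        for u in urls:
            results[u].append(prober(u))
        if i < rounds - 1:
            time.sleep(interval)
    return results


def classify(samples: List[Sample], slow_threshold: float = 5.0,
             fail_ratio: float = 0.5, run_len: int = 3) -> str:
    """Turn one host's samples into a verdict.
    'down'      : enough failed probes (no response or 5xx), by ratio or in a row
    'mitigated' : host answers mostly 403/429, i.e. a WAF/rate-limit challenge;
                  it is under load but not "taken down"
    'degraded'  : host answers 2xx/3xx but median latency exceeds slow_threshold
    'up'        : none of the above
    A single timeout is treated as noise; 'down' needs sustained failure."""
    if not samples:
        return "no data"
    failed = [s.status is None or s.status >= 500 for s in samples]
    longest = cur = 0
    for f in failed:
        cur = cur + 1 if f else 0
        longest = max(longest, cur)
    if sum(failed) / len(samples) >= fail_ratio or longest >= run_len:
        return "down"
    challenged = sum(1 for s in samples if s.status in (403, 429))
    if challenged / len(samples) >= fail_ratio:
        return "mitigated"
    ok = [s for s in samples if s.status is not None and s.status < 400]
    if ok and statistics.median(s.latency for s in ok) > slow_threshold:
        return "degraded"
    return "up"


def report(results: Dict[str, List[Sample]], **kwargs) -> Dict[str, str]:
    """Map every monitored URL to its verdict."""
    return {url: classify(samples, **kwargs) for url, samples in results.items()}


if __name__ == "__main__":
    # Hypothetical target list; replace with the sites named in the claim.
    targets = ["https://example.com/", "https://example.org/"]
    print(report(monitor(targets, rounds=3, interval=5.0)))
```

The `prober` argument exists so the classification can be exercised against recorded samples without network access. When run live, the verdict is only evidence of reachability from one vantage point, so a 'down' result still benefits from confirmation by the target organisation, as the note above says.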

Conclusion

Intent drives capability, and it will always lead to opportunity. The #OpAustralia campaign was a mix of successful attacks on small and medium businesses and unsuccessful or fake attacks against higher-profile targets. The campaign had limited day-to-day impact on Australia, but it does show that, under the right conditions, we can be targeted by highly motivated threat groups.
