Australian government faces epidemic of breaches

Long the proponents of good cyber security hygiene, Australian government agencies have been on the defensive after a series of successful cyber attacks that have left them red-faced and scrambling to maintain critical services.

The epidemic of breaches across Australian government agencies

Service NSW, the statewide digital-services branch of the New South Wales government, was caught flat-footed in late April after a successful phishing attack allowed an external hacker to access the email accounts of 47 staff members.

Compromised data was limited to email records and, the agency said in a statement that “customers should be reassured” that MyServiceNSW data had not been compromised—yet investigations were continuing with the help of police, state and federal cyber security agencies, and the state Information and Privacy Commission.

The breach comes days after the government was forced to suspend a COVID-19-related Australian Taxation Office (ATO) scheme providing early access to individuals’ superannuation funds, after revelations that the compromise of a third-party agent for the scheme had facilitated fraud.

As many as 150 victims were said to have been involved, authorities told a parliamentary inquiry into COVID-19, with Australian Federal Police freezing bank accounts containing around $120,000—and the ATO suspending the service while investigations proceed into the approximately 250 third parties that have access to the ATO systems.

The scheme had been a catalyst for a rising tide of scams but its direct manipulation reflects the rapidly changing landscape of compromise that government bodies have faced as COVID-19 disruption continues.

The office of Western Australia premier Mark McGowan was also facing the consequences of the changing landscape, with Chinese hacking group Naikon said to have targeted his office by inserting Aria-body malware into a draft email intended to be sent to the Department of the Premier and Cabinet (DPC).

The detection of the malware foiled that attempt, but the federal Department of Home Affairs wasn’t so lucky after it was revealed that poor security in a system for tracking skilled migrants had allowed confidential personal details of more than 700,000 people to be made publicly available.

Even digital health providers were being targeted, with the Australian Digital Health Agency confirming that hackers had been detected while trying, albeit unsuccessfully, to breach the security perimeter around My Health Record (MyHR)—the controversial system managing healthcare records for around 90 per cent of Australia’s population.

External hackers had tried to compromise “the external perimeter for our system”, national health CIO Ronan O’Connor told a parliamentary inquiry last week, but he said that the intruders had failed to access any data in the MyHR system.

Australian agencies have improved data security, but not enough

Foiling the breach extended the winning streak for MyHR, whose security has long been a sensitive issue—and which has not been hacked yet despite its concentrating an unprecedented amount of sensitive data in a single system.

Yet the sheer volume of breaches, and the variety of attack methods used, highlight the very real ongoing threat that Australian agencies face as the government works to navigate treacherous economic waters while maintaining service delivery, financial viability, policy continuity and, among other things, data security.

The high degree of scrutiny of the new COVIDSafe app, which is now tracking the close contacts of more than 5 million Australians, highlights the additional challenges that the pandemic has presented for a public service that has long been working hard to boost its security.

Some 427 cyber security incidents were reported to the Australian Cyber Security Centre (ACSC) in 2019, according to the agency’s recent report on the government’s security posture—with 18 per cent related to malicious email and 14 per cent stemming from scanning, reconnaissance or brute-force attacks.

Federal agencies had progressed in their implementation of the mandated ASD Essential Eight guidelines, the report found, with 50 per cent more entities improving the maturity of their user application hardening, 35 per cent showing improvements around multi-factor authentication, and a third improving their management of potentially malicious Microsoft Office macros.

However, the report found that agencies still suffer from inadequate visibility of their information systems and data holdings; struggle with obsolete and unsupported systems and applications; had “misunderstood, misinterpreted and inconsistently applied” the Essential Eight guidance; had “ineffective” risk management practices; and were still struggling to implement the Top Four core technological protections.

Government bodies, according to Verizon’s newly released Data Breach investigations Report (DBIR) 2020, continue to face a barrage of attacks. Public administration organisations are regularly targeted for theft of personal information—involved in 51 per cent of breaches in the sector—as well as credentials (33 per cent) and other information (34 per cent), Verizon found in analysing 6,843 reported incidents that included 346 with confirmed data disclosure.

External actors were blamed in 59 per cent of data breaches, with financial motives identified in 75 per cent of cases—compared with espionage, which was a motive in just 19 per cent of cases.

Web applications were the most frequently targeted, with misconfiguration of cloud services enabling some 30 per cent of data breaches. “There are security researchers out there who spend their time looking for just this kind of opportunity,” the report’s authors noted. “If you build it, they will come.”