23 June 2023

ACT Government cyber security breach suspected to originate in China

Lizzie Waymouth

Digital and Data Special Minister Chris Steel with Chief Digital Officer Bettina Konti and Chief Information Security Officer Julian Valtas outlining details of the security breach on 8 June. Photo: Claire Fenwicke.

A security breach affecting ACT Government ICT systems allegedly had links to China, according to researchers.

The ACT Government announced on 8 June that there had been a breach of its email gateway system Barracuda, which it uses to support some of its ICT systems. This essentially made data protected by the software accessible.

In an update issued late last week, Digital and Data Special Minister of State Chris Steel said, “The vulnerability has been eliminated and ongoing health checks reveal that the rebuilt system is showing no signs of any vulnerabilities”, and that the ACT Government has not been contacted by anyone claiming responsibility for the breach.

On the same day, Google subsidiary Mandiant said that through its investigations of the incident, it had “identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilise as a vector for espionage, spanning a multitude of regions and sectors”.

“Based on the evidence available at the time of analysis, earliest compromises appear to have occurred on a small subset of appliances geo-located to mainland China,” Mandiant said on its blog.


According to Mandiant, the attack affected public and private sector organisations around the world, with 22 per cent of affected organisations in the Asia-Pacific region.

“Almost a third of identified affected organisations were government agencies, supporting the assessment that the campaign had an espionage motivation,” it said.

“While Mandiant has not attributed this activity to a previously known threat group at this time, we have identified several infrastructure and malware code overlaps that provide us with a high degree of confidence that this is a China-nexus espionage operation. Additionally, the targeting, both at the organisational and individual account levels, focused on issues that are high policy priorities for the PRC, particularly in the Asia Pacific region, including Taiwan,” Mandiant said, explaining its reasons for attributing the attack most likely to China.


Mr Steel said at the time there was a “likelihood” that information could have been accessed through the breach, but there was no evidence so far of personal details being taken.

“The type of information that we’re talking about is likely to come from a subset of automated emails related to government systems that have been impacted,” he said.

“At this stage, we have no definitive evidence that any information has been removed”, and the forensic investigation of the systems is still ongoing.

Users of Barracuda systems were made aware of the breach in May, but ACT Chief Digital Officer Bettina Konti said Barracuda first started noticing vulnerabilities in its system in October 2022.

“If it is back as far as October, then that increases the amount of data we need to trawl through to try to understand what may have been accessed, whether anything has actually been taken,” Ms Konti said at the time.

While the vulnerability has been eliminated, the ACT Government is continuing to conduct investigations.

“We are running increased monitoring and cyber security processes as well as continuing to investigate any systems that interact with the Barracuda gateway to determine any potential harm,” Mr Steel said.

“We are working closely with the Australian Cyber Security Centre and our Chief Information Officer network to complete these assessments as soon as possible.”

Mr Steel said there are currently no requirements for the community to take any action, but advised people to be vigilant about their personal cyber security and to monitor for any suspicious activity.


Sensational work by the ACT cyber security team.
Didn’t Barracuda themselves say that the devices had to be replaced as the flaw couldn’t be patched?
Amazing that the ACT managed to secure the gateways without replacing them.
