Australia Rescue Victoria Firefighting Service Hit by Vice Society Ransomware Group

Overview:

Australia's Fire Rescue Victoria has disclosed a recent data breach.

Technical Summary:

Fire Rescue Victoria was hit by a data breach in December. The cyberattack that caused the data breach has been claimed by the Vice Society Ransomware group. Fire Rescue Victoria operates 85 stations in Australia, and the corporation has around 4,500 employees. 

The cyberattack was discovered on December 15, 2022, and caused widespread IT outages, but the agency’s emergency response services have not been affected. Vice Society was able to affect multiple internal servers, including the fire station’s email system.

The threat actors were also able to steal data from FRV’s computers, including information about current and former employees, secondees, contractors, and job applicants. Since Vice Society gained access to FRV’s email system, there is a chance the group accessed or stole sensitive email communications.

The email system remains offline. The breach notifications come after the Vice Society ransomware group claimed the attack and said it would start to leak the company’s data. Vice Society put Fire Rescue Victoria on its Tor data leak site on January 10th.

Attack Tactics, Techniques & Procedures:

Resource Development (TA0042)

  • Compromise Accounts (T1586) 
  • Compromise Infrastructure (T1584) 

Credential Access (TA0006) 

  • Exploitation for Credential Access (T1212)
  • Credentials from Password Stores (T1555)

Impact (TA0040)

  • Data Manipulation (T1565) 
  • Data Destruction (T1485)
  • System Shutdown/Reboot (T1529) 

Reconnaissance (TA0043)

  • Gather Victim Identity Information (T1589) 
  • Gather Victim Identity Org Information (T1597)

Initial Access (TA0001)

  • Valid Accounts (T1078)

Affected Assets & Organizational Impact:

The threat actors were able to steal multiple types of information belonging to staff and applicants. The stolen information included full names, email and home addresses, phone numbers, dates of birth, health information, banking details, government-issued identity information, driver’s license, passport, and superannuation details. They were also able to steal sensitive information such as users’ sexual orientation, race, disability, religion, qualifications, employment and criminal history, and political/religious views.

Mitigation & Response:

The agency has notified the Office of the Australian Information Commissioner about the incident. FRV has alerted job applicants to stay vigilant against phishing emails or SMS texts targeting them. The agency also recommends that staff members reset their passwords and enable Multi-Factor Authentication (MFA) to further protect their accounts. Staff who use their FRV password for other sites should change those passwords as well. Luckily, the link to Vice Society’s Tor data leak site that is hosting the company’s data currently doesn’t work.

Sincerely,

Dominic Alegrete