
Russia-linked hackers have posted around 16,000 Tasmanian education department documents on the dark web, some including the personal information of students, officials said.

Tasmania’s science and technology minister, Madeleine Ogilvie, confirmed on Friday that hackers leaked the information after breaching the third-party file transfer service GoAnywhere MFT.

The breach, which reportedly occurred in late March, has exposed information such as student names, addresses, phone numbers, and more on a criminal dark web forum.

Australia’s smallest and southernmost island state is now in “serious incident response” mode and is working to notify affected victims, Ogilvie told Australian Associated Press (AAP) reporters in the Tasmanian capital, Hobart.

The government has also advised anyone who believes they may have been affected to monitor their financial statements and be alert for any suspicious activity.

GoAnywhere MFT Was Compromised in March by Cl0p

Fortra’s GoAnywhere MFT file transfer software was already vulnerable in Feb. 2023 when researcher Brian Krebs unearthed a serious flaw.

In March, the notorious ransomware gang Cl0p, dormant since Nov. 2021 following an INTERPOL crackdown, exploited the vulnerability and breached over 130 organizations, including Hitachi Energy, Shell, Saks Fifth Avenue, Procter & Gamble, and others.

Cl0p is an elite-tier ransomware gang that favors the educational system. It hacked the University of Colorado and the University of Miami in March 2021, as well as four Korean companies and three other U.S. universities, causing $500 million in damages.

The flaw, now fixed by Fortra, was a highly dangerous remote code execution (RCE) vulnerability. It was also a zero-day, meaning that cybercriminals took advantage of it before it could be remedied with a security patch.

By exploiting an RCE flaw, cybercriminals can remotely plant malware, steal data, and more.

Financial Statements, Invoices, and Personal Data Stolen

Hackers reportedly compromised the Tasmanian department of education’s computer system for schoolchildren, posting stolen financial statements, invoices, and dates of birth, as well as parents’ names and the names of the schools and their staff.

Pulse Hobart reported that approval letters for student assistance sent to parents were leaked, revealing sensitive and personal information about the children.

The anonymous criminals claimed on a dark web forum that this data was stolen via a ransomware attack on the Tasmanian government, though Ogilvie said hackers had not made any ransom demands so far. If any demands are made, the federal government was advised not to pay.

There is also no evidence that the Tasmanian government’s own IT systems were compromised, Ogilvie said.

The breach raises concerns about how resilient the Australian government is in the wake of relentless cyberattacks and highlights a growing threat: cybercriminals constantly seeking profit by exploiting vulnerabilities in third-party apps, computer systems, and networks.

Australia suffered a major cyberattack orchestrated by the ransomware group “BlogXX” in October 2022, which compromised the data of 9.7 million Medibank customers and their authorized representatives.

Concerned Individuals Are Advised to Contact Australian ICO

Individuals who suspect they, or someone they know, may have been affected should contact the Office of the Australian Information Commissioner. Ogilvie also announced at a Friday afternoon press conference the establishment of a helpline number the public can call.

Individuals should also watch out for suspicious messages or emails claiming to offer information or assistance during this incident, as these may be phony.

If you run a business or institution, we recommend not paying ransomware demands and contacting organizations like No More Ransom that offer free anti-ransomware tools and decryptors.
