HWL Ebsworth data breach reveals potential loss of government information, including Defence data.
June 17, 2023
The HWL Ebsworth data breach saga is following a familiar trajectory: a significant loss of data; announcement of the data breach; statements about working with the Australian Cyber Security Centre and other authorities; details slipping out about how much material was lost; a general statement indicating what personal information is involved (so far that includes dates of birth, driver's licences and names); and steps taken to remedy the breach. This data breach has other features which make it less standard: the focus is not on data generated by the firm but on data collected from clients or otherwise related to the provision of legal services; the sensitivity of the information seemingly relates more to government information than to personal information; and third parties, especially government departments, are becoming very active in working out the extent to which the data breach affects them directly. The Australian reports in Data on secret missile testing site, attack helicopters and police operations stolen by hackers that the hackers have stolen files relating to military testing, police intelligence and government procurement. That data is of great interest to state players such as Russia and China, and to pretty much anyone else in the Indo-Pacific region. It is hardly controversial that Australia’s friends collect data about the Australian government. That has always been part of the unspoken role of overseas embassies.
The Office of the Australian Information Commissioner released a belated statement on the data breach, reported here, providing:
On 8 May 2023, HWL Ebsworth reported a data breach to the Office of the Australian Information Commissioner (OAIC) in the OAIC’s capacity as regulator of the Notifiable Data Breaches scheme.
HWL Ebsworth provides legal services to a range of Commonwealth clients, including the OAIC.
On Saturday 10 June, HWL Ebsworth advised the OAIC that a document or documents relating to a limited number of OAIC files were included in the breach experienced by HWL Ebsworth.
HWL Ebsworth is currently providing further information to the OAIC about those documents. The OAIC will review those documents to see whether they contain personal information, and, consistent with requirements under the Notifiable Data Breaches scheme, will notify affected individuals where necessary.
The OAIC’s systems have not been compromised.
The statement raises more questions than it answers. The data breach was reported in early May and the Australian Financial Review has been covering the story regularly. It is difficult to understand how, in the 5,000 hours HWL Ebsworth claims it has spent on the data breach, it could not have notified the Commissioner earlier than 10 June. And it could have gone into more specifics than “a document or documents” about a “limited number of OAIC files”. The statement leaves open the conclusion that HWL Ebsworth has not completed its task vis-à-vis the OAIC files. That is extraordinary. It has been 6 weeks since the firm was advised about the data breach. The opaqueness of the statement makes it almost meaningless, unless the intention is simply to have made a statement.
Many organisations have quite good outward-looking cyber security, providing a hard shell against cyber attacks: a cyber wall surrounding a site, so to speak. Unfortunately that is all too often the limit of the defences. Those defences are ineffective when hackers acquire an employee's valid credentials, as appears to be the case here, and use them to enter the system. Many organisations have very poor systems for monitoring suspicious network activity, or internal protections such as silos of information requiring separate authentication. In the case of the HWL Ebsworth data breach, BlackCat apparently accessed the drives of 2,000 employees and copied what was there. How that could happen without raising any sort of alarm is a concern.
There are programs which can identify abnormal access patterns, database activity, file changes and other out-of-the-ordinary actions. Those are indicia of a data breach. Network security tools which can be deployed to detect suspicious activity within a system, and respond to it, include:
- IDS (Intrusion Detection System): An IDS identifies and raises an alert about malicious activity in a network. It does not take action to prevent or remediate an attack.
- IPS (Intrusion Prevention System): An IPS identifies a potential breach and takes action to prevent the attack by blocking the suspicious activity in question.
- SIEM (Security Information and Event Management): A SIEM monitors network activity and correlates security events from across the system. A SIEM can identify breaches in progress; this real-time detection helps with quick response times.
- NBAD (Network Behavior Anomaly Detection): An NBAD system uses knowledge of “normal” system behaviour to identify abnormal behaviour.
- SIA (System Integrity Assurance): A System Integrity Assurance tool identifies and prohibits unknown or unauthorised changes in real time.
- FIM (File Integrity Monitoring): FIM automates the monitoring of important files, systems, networks and more. FIM software constantly monitors for and detects suspicious changes in real time.
It will be interesting to see if HWL Ebsworth had all or any of those systems. Further, there will be questions about its authentication system.
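One way to implement the kind of abnormal-access detection described above, as an added example that is not part of the original post and not any vendor's product: a small NBAD-style check over constructed file-server audit lines that flags an account reading far more distinct employee home shares in one hour than its own baseline, the pattern the post describes (one set of credentials used to copy the drives of almost 2000 staff). The log format, account names, share paths and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample audit lines (not real data): "<ISO timestamp> <account> <home share read>"
BASELINE_LOG = """\
2023-04-03T09:12:04 jsmith /home/jsmith
2023-04-03T09:40:11 jsmith /home/abrown
2023-04-04T10:20:00 mchen /home/mchen
"""
# Same constructed account, later: seven colleagues' home shares read within one minute at 2am.
WINDOW_LOG = """\
2023-04-05T02:01:13 jsmith /home/abrown
2023-04-05T02:01:14 jsmith /home/cwong
2023-04-05T02:01:15 jsmith /home/dlee
2023-04-05T02:01:16 jsmith /home/ekhan
2023-04-05T02:01:17 jsmith /home/fnguyen
2023-04-05T02:01:18 jsmith /home/gpatel
2023-04-05T02:01:19 jsmith /home/hrossi
2023-04-05T09:30:00 mchen /home/mchen
"""

def parse_log(text):
    """Return [(datetime, account, share)] from whitespace-separated audit lines."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, account, share = line.split()
        events.append((datetime.fromisoformat(ts), account, share))
    return events

def distinct_shares_per_hour(events):
    """Map (account, hour bucket) -> set of distinct home shares read in that hour."""
    buckets = defaultdict(set)
    for ts, account, share in events:
        buckets[(account, ts.replace(minute=0, second=0))].add(share)
    return buckets

def build_baseline(events):
    """Per account: the most distinct home shares it touched in any one hour."""
    baseline = {}
    for (account, _), shares in distinct_shares_per_hour(events).items():
        baseline[account] = max(baseline.get(account, 0), len(shares))
    return baseline

def detect_bulk_access(baseline, events, multiplier=3, floor=5):
    """Alert when distinct shares read in one hour exceed max(floor, multiplier * baseline); unknown account -> baseline 0."""
    alerts = []
    for (account, hour), shares in sorted(distinct_shares_per_hour(events).items()):
        threshold = max(floor, multiplier * baseline.get(account, 0))
        if len(shares) > threshold:
            alerts.append((account, hour.isoformat(), len(shares), threshold))
    return alerts
```

Running `detect_bulk_access(build_baseline(parse_log(BASELINE_LOG)), parse_log(WINDOW_LOG))` returns one alert for `jsmith` (7 distinct shares against a threshold of 6) and none for `mchen`; in practice the baseline would be learned from weeks of audit data and the alert fed to the SIEM.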
The Australian article provides:
Russian cyber hackers who infiltrated the computer systems of law firm HWL Ebsworth have obtained government files apparently relating to the top-secret Woomera missile testing site, navy’s attack helicopter replacement project and Australia’s politically sensitive enhanced engagement in the Indo-Pacific.
Sources said the hack – one of the largest in Australian history – had also seen the ransomware gang obtain documents concerning police intelligence about protests at an immigration detention centre, the escape of prisoners, and projects involving special forces.
Other data stolen includes an unknown number of driver’s licences, including names, dates of birth and photos, employment contracts, briefs of evidence, legal negotiations and consent orders.
National intelligence agencies are also caught up in the hack, with numerous documents relating to the Australian Federal Police, the Australian Criminal Intelligence Commission and Austrac, and one document to ASIO. The Australian Signals Directorate, one of the agencies working to shut down the data leak and track the hackers to their bases offshore, is also caught up in the hack, with documents relating to the ASD among the 1.4 terabytes published so far from the 4 terabytes that were stolen.
More than 2.5 million documents were compromised by the hackers, who gained access to HWL Ebsworth’s Melbourne servers after obtaining a mid-ranking lawyer’s credentials in April. Once inside the law firm’s system, the hackers accessed the drives of almost 2000 employees, copying their downloads, documents and other data.
The Weekend Australian has been told the data hack is being widely discussed within the cyber security industry, and is known to have been downloaded multiple times in overseas jurisdictions.
Sources in Canberra said that while a Russian-linked criminal ransomware gang had stolen the data, it was “inevitable” that state actor adversaries, such as Russia and China, would have downloaded the data and would be closely examining it.
The Attorney-General’s Department has established a working group to deal with the fallout of the hack, while a crisis committee has been established across government, with daily meetings of senior officials trying to work out what documents have been taken.
The Weekend Australian has been told one Defence-related document relates to the redevelopment of the top-secret Woomera missile testing site in South Australia. Another is about the $3bn plan to replace Australia’s fleet of Taipan attack helicopters with Seahawk Romeo combat helicopters at the HMAS Albatross naval base near Nowra.
One document relates to the Indo-Pacific enhanced engagement strategy, which is designed to counter Chinese influence in the Pacific. A source said it related to infrastructure projects in Solomon Islands.
Other documents are about asylum-seeker boats approaching Australia, joint South Australian-Australian Federal Police intelligence and planning for a protest. Others relate to the escape of detainees from an immigration detention centre and the seizing by the navy of two Russian fishing vessels some years ago. A number of invoices have also been made public.
While the Albanese government is largely refusing to say what data has been leaked, two agencies – the Office of the Australian Information Commissioner and the NDIS Quality and Safeguards Commission – have confirmed they lost data.
The Australian Taxation Office didn’t directly confirm it had lost data but warned people to be on the lookout for suspicious online activities, while the commonwealth DPP said on Friday it was “participating in the whole-of-government response to the HWL Ebsworth cyber incident”.
Opposition cyber security spokesman James Paterson expressed deep concern about the leaking of commonwealth data from sensitive agencies, including the Department of Home Affairs, the Department of Foreign Affairs and Trade, and the Office of the Australian Information Commissioner.
“Protecting Australian government data is more important than ever in light of recent significant cyber incidents and our current strategic environment,” Senator Paterson said. “The Albanese government must take every action necessary to secure the compromised data.”
Cyber Security Minister Clare O’Neil said the government had “been on the ground since day one at HWL Ebsworth, helping them manage the technical incident, understand the implications of the breach and support their customers”.
“When we arrived in office, there was no meaningful cyber incident response function in the Australian government,” Ms O’Neil said. “Today, the management of these incidents – where my department, the Australian Signals Directorate, the Australian Federal Police and the company itself work in partnership to manage these incidents – is integral to our overall national cyber resilience.”
A Defence Department spokesperson said HWL Ebsworth had advised it of the ransomware attack. “This is not an attack on Defence ICT,” the spokesperson said.
“Defence is actively engaging with HWL Ebsworth as part of the whole-of-government response to this incident, to determine the extent of the attack.”
The Australian Federal Police declined to comment.
HWL Ebsworth, run by managing partner Juan Martinez, is one of Australia’s largest law firms, and has contracts across government worth tens of millions of dollars. The company said it understood and acknowledged “the impact that this issue has had on all affected clients and we have maintained close contact with them”.