Victorian businesses hit by hackers with theft of medical records included in the haul

September 7, 2023

Victoria has been singled out for data breaches by the Russian ransomware gang AlphV, better known as BlackCat. According to ACS Information Age, the 4.95 terabytes of stolen data includes medical records from TissuPath. A medium-sized law firm, Tisher Liner, was also successfully breached. The breaches of TissuPath, Strata Plan and Barry Plant Blackburn probably came through a breach at Core Desktop, which provided each of those businesses with IT services. Core Desktop became aware of the data breach on 22 August 2023, a fortnight ago. Attacking companies through their service providers is an effective method of attack. Too many companies do not take proactive steps to make sure their service providers have proper data security. Another problem is that many companies do not have defence in depth. They don’t invest in programs that detect unusual activity and don’t properly silo sensitive information. Maintaining a secure outer perimeter and thinking that is sufficient is poor data security.

This most recent spate of attacks occurs on the back of a data breach of Pizza Hut by ShinyHunters involving the data of a million customers.

The ACS article provides:

Terabytes of stolen data is being held hostage by Russian ransomware gang AlphV after it launched a string of attacks against Victorian businesses.

The cyber criminal group AlphV, also known as BlackCat, has claimed responsibility for several attacks against Victorian companies, including pathology company TissuPath, real estate agency Barry Plant, law firm Tisher Liner FC Law, and owners corporation service provider Strata Plan.

In a series of dark web posts, the group claims to have stolen an alleged 4.95 terabytes of data – nearly 1 terabyte more than what it claimed during AlphV’s hack against law firm HWL Ebsworth in April.

According to the listing for Barry Plant on AlphV’s dark web blog, the company has refused to negotiate with the ransom gang – leading the cyber criminals to allegedly “release the entire dataset”.

“In light of the refusal by representatives of Barry Plant company to engage in negotiations, we have decided to release the entire dataset,” read the dark web blog post.

The group claimed to have leaked email content, non-disclosure agreements, property applications, criminal records, passports and IDs of Barry Plant’s clients and employees.

Barry Plant’s share of the allegedly stolen data is the largest, totalling a purported 3.2 terabytes – though the company’s Chief Executive, Lisa Pennell, stressed the attack was isolated to its Blackburn office and did not breach the rest of the company’s systems.

TissuPath and Strata Plan have also suffered purported leaks – totalling 446 gigabytes and 1.43 terabytes respectively – with AlphV claiming to have leaked medical records of TissuPath clients.

“446 GB and 735,414 files has been exfiltrated,” read the dark web post for TissuPath.

“We’ve download all the data you have. Data dump contains Medical Records of your clients,” it added.

TissuPath expressly confirmed a range of patient data had been exposed during the incident, including names, dates of birth, contact details, Medicare numbers, and private health insurance details.

“We can confirm that we are investigating a data breach at a third-party IT supplier involving pathology referrals issued to TissuPath between 2011 and 2020,” said TissuPath.

“Importantly, TissuPath’s main database and reporting system that stores patient diagnoses was not compromised. Further, we do not store patient financial details and other personal information documents, such as drivers licence numbers.

“We are very sorry this has happened, and we sincerely apologise to our patients who may have been affected.”

Meanwhile, ABC reports director of Strata Plan, Simon Chamaa, has disputed the ransom gang’s claims of data theft, stating the company’s data “remains secure”.

“Rest assured, that Strata Plan’s data remains secure,” said Chamaa.

“Thanks to our precautionary measures already in place, we have not experienced any impact on our systems.

“Strata Plan is actively investigating the matter with the assistance of cyber security experts, and we are dedicated to addressing this matter swiftly and effectively.”

Meanwhile, Tisher Liner FC Law is still working to validate AlphV’s claims amid ongoing investigation.

Attacks stem from Melbourne IT firm

AlphV’s announcements followed a cyber attack at third-party IT service-provider Core Desktop – a Melbourne-based company which serviced TissuPath, Strata Plan and Barry Plant Blackburn.

According to the ABC, the company notified its clients that it first became aware of the hack on 22 August, with suspicions the attackers gained entry to its system via phishing.

“Our cyber forensic team do not have a firm understanding of the origins of the entry but initial suggestions are that it was from a targeted client-side phishing attack which infiltrated our control systems, impersonated privileged accounts and encrypted some servers,” read a letter to clients.

According to managing director at Core Desktop, Rodney Bloom, the company was “not really aware” of what information has been compromised.

“It’s not our data so we don’t know,” said Bloom.

After hiring forensic cyber security specialists, the company has regained control of its systems and further reported the data breach to the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.

Differing outcomes suggest differing security

Andrew Wilson, CEO of Australian encryption company Senetas, suggested the responses from the businesses targeted by AlphV pointed to differing security implementations.

“This attack has had one common factor, but strikingly disparate outcomes,” said Wilson.

“On the one hand we have Tissupath in the position of reporting compromised highly-sensitive personal data.

“On the other, Strata Plan’s confident response that its customers can ‘rest assured’ that their data is secure.

“From this we can infer one big insight – Strata Plan likely strongly encrypted its data beforehand, and Tissupath did not.”

Wilson further lamented that Australian citizens’ personal data is once again being held to ransom “not because of a sophisticated attack” but due to “simple mistakes” like falling for a phishing email.

“We desperately need tougher legislation that will mandate that all personal data is encrypted both at rest and in motion as a last line of defence,” said Wilson.

“We also as a nation need to have assurances that once data is captured by a private business, that the data has an expiry date.”

An ABC article provides:

    • In short: Russian hackers have claimed they are behind a series of cyber attacks on a number of Victorian companies, and say they have stolen at least 4.95 terabytes of data
    • What’s next? Some of the companies affected say they are communicating with their clients about the reported breach, but at least one has disputed the hackers’ claims and says it has not been impacted

A notorious Russian ransomware gang which infiltrated one of Australia’s largest law firms has now targeted a string of Victorian businesses, which it is extorting over terabytes of stolen data.

The cybercriminal group AlphV, which is also known as BlackCat, has claimed responsibility over attacks on several companies including:

    • TissuPath, a pathology company
    • Strata Plan, an owners corporation service provider
    • Barry Plant Blackburn, a real estate agency
    • Tisher Liner FC Law, a business and property law firm

AlphV claims to have stolen at least 4.95 terabytes of data, which it has threatened to publish.

The attack comes after the same group went through with a threat to publish 1.45 terabytes of data on the dark web in June after one of Australia’s largest law firms, HWL Ebsworth, refused to bend to its ransom demands.

The group has also attacked FIIG securities, an Australian bond broker.

“Due to your representatives’ refusal to negotiate, we are launching a campaign involving email distribution and calls to your clients,” the hackers said in a post on their dedicated leak site, which was documented by FalconFeeds.io, a threat intelligence platform.

“Your clients will be offered the option to pay a fee for the removal of their data from the public leak. You still have a chance to prevent a catastrophe,” they said.

[Image: Two messages to businesses threatening to release client information. Threat intelligence platform FalconFeeds.io documented the threats sent to Victorian businesses. (Supplied: FalconFeeds.io)]

It is unclear what type of data the hackers claim to have, but TissuPath, the pathology company, said patient names, dates of birth, contact details, Medicare numbers and private health insurance details were exposed.

A spokesman said it was in the process of contacting everyone affected by the breach and that it took its privacy obligations “extremely seriously”.

“We can confirm that we are investigating a data breach at a third-party IT supplier involving pathology referrals issued to TissuPath between 2011 and 2020,” the spokesman said.

“Importantly, TissuPath’s main database and reporting system that stores patient diagnoses was not compromised. Further, we do not store patient financial details and other personal information documents, such as drivers licence numbers.

“We are very sorry this has happened, and we sincerely apologise to our patients who may have been affected.”

Hacks connected to Melbourne IT firm

TissuPath, Strata Plan and Barry Plant Blackburn were all clients of Core Desktop, a company based in South Melbourne which was hired to provide IT services.

The ABC has obtained a letter that Core Desktop sent to its clients which revealed it became aware of the hack on 22 August 2023.

“Our cyber forensic team do not have a firm understanding of the origins of the entry but initial suggestions are that it was from a targeted client-side phishing attack which infiltrated our control systems, impersonated privileged accounts and encrypted some servers,” the letter said.

“They appear to have acted in a focused fashion and threatened a small number of Core Desktop clients.”

Core Desktop’s managing director, Rod Bloom, confirmed his company was the victim of a cyber-attack.

“We’ve communicated with all of our clients about the attack,” he said.

“We’re not really aware of what information has been compromised … it’s not our data so we don’t know.”

Mr Bloom said the company had reported the data breach to the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.

Core Desktop has since regained control of its systems after shutting down access to all affected accounts, resetting login details for administrators, resetting client passwords and hiring forensic cybersecurity specialists.

Companies dispute hackers’ claims of stolen data

Lisa Pennell, who is the chief executive of Barry Plant, stressed that the cyber attack was isolated to its Blackburn office and that the rest of the company’s systems were not breached.

The hackers are claiming to have stolen about 3 terabytes of data from Barry Plant.

“We have become aware that a third party supplier to a small part of the property management business of one of our [franchise] offices has had a cyber incident,” Ms Pennell said.

“This supplier is [an] IT-managed service provider and not owned or related directly to the Barry Plant Group more broadly other than providing their service to this specific local office in Blackburn.

“We are supporting our franchisee and have engaged market-leading experts to help us assess the situation.”

Simon Chamaa, the director of Strata Plan, said it was taking the cyber attack seriously.

The cybercriminals claim to have breached 1.3 terabytes of information belonging to Strata Plan but Mr Chamaa disputed that.

“Rest assured, that Strata Plan’s data remains secure. Thanks to our precautionary measures already in place, we have not experienced any impact on our systems,” he said.

“Strata Plan is actively investigating the matter with the assistance of cybersecurity experts, and we are dedicated to addressing this matter swiftly and effectively.”

Law firm Tisher Liner said it was still working to validate the claims and that its investigation was ongoing.

“We are aware of claims made by a third party regarding a breach of one of our managed service providers,” a spokesperson said.

“If we have any accurate information that requires further action, we will communicate with our clients, staff and other stakeholders as quickly as possible.”
