Cyber attack on Victorian Court system; the growing disquiet

January 3, 2024 |

It is not surprising that the cyber attack on the Victorian Court system has brought in comments from the Attorney General and intense media focus. The Chief Executive of Court Services Victoria released a statement yesterday (after my post of yesterday) where she stated.

On Thursday 21 December 2023, Court Services Victoria (CSV) was alerted to a cyber security incident impacting Victoria’s courts and tribunals.  

The cyber incident led to unauthorised access leading to the disruption of the audio visual in-court technology network, impacting video recordings, audio recordings and transcription services.

CSV took immediate action to isolate and disable the affected network and to put in place arrangements to ensure continued operations across the courts.  As a result, hearings in January will be proceeding. 

Recordings of some hearings in courts between 1 November and 21 December 2023 may have been accessed. It is possible some hearings before 1 November are also affected.  The potential access is confined to recordings stored on the network. Further details for each court are found below.

No other court systems or records, including employee or financial data, were accessed. 

Maintaining security for court users is our highest priority.  Our current efforts are focused on ensuring our systems are safe and making sure we notify people in hearings where recordings may have been accessed. 

We understand this will be unsettling for those who have been part of a hearing.  We recognise and apologise for the distress that this may cause people.  CSV has established a Contact Centre with dedicated staff which is available to those seeking further information or assistance. This includes support from IDCARE, Australia’s national identity and cyber support community service. The Centre can be contacted from today via telephone or email:   

We are working closely with the cyber security experts in the Victorian Department of Government Services. All relevant authorities have been notified of the incident and are assisting with the investigation and response. 

All courts have put in place arrangements so that they can continue to safely and securely hear matters while CSV re-establishes the affected network.  We appreciate the cooperation of court users during this period. 

The work on the restoration of systems includes works to strengthen security across the broader court and tribunal-wide technology environment.

With limited exceptions, court and tribunal hearings are held in public and are not confidential.  The unauthorised use of recordings of hearings is not permitted. 

The table below sets out which recordings of hearings may have been accessed. 

Jurisdiction Data range Hearings where recordings may have been accessed
Supreme Court 1 December to 21 December Court of Appeal, Criminal Division, Practice Court and two regional hearings in November.
County Court 1 November to 21 December All criminal and civil hearings recorded on the network.
Magistrates’ Court 1 November to 21 December Some committals that were heard during this period.
Children’s Court 1 November to 21 December No hearings in the date range. A recording of one hearing in October which may have remained on the network.
Coroners Court 1 November to 21 December All hearings in the date range.
VCAT 1 November to 21 December No hearings.

Frequently asked questions

What is the cyber incident that’s happened?

Court Services Victoria (CSV) became aware on Thursday 21 December of a cyber incident that impacted in-court audio and video (AV) systems.

During the incident, there was unauthorised access to CSV’s audio visual in-court technology network.

Recordings of some hearings in courts and tribunals between 1 November and 21 December 2023 may have been accessed. It is possible some hearings before 1 November are also affected.

The potential access is confined to video and audio recordings stored on the network. Other court records are not impacted.

This table below sets out which hearings may have been impacted:

Jurisdiction Data range Hearings where recordings may have been accessed
Supreme Court 1 December to 21 December Court of Appeal, Criminal Division, Practice Court and two regional hearings in November.
County Court 1 November to 21 December All criminal and civil hearings recorded on the network.
Magistrates’ Court 1 November to 21 December Some committals that were heard during this period.
Children’s Court 1 November to 21 December No hearings in the date range. A recording of one hearing in October which may have remained on the network.
Coroners Court 1 November to 21 December All hearings in the date range.
VCAT 1 November to 21 December No hearings.

Have you contained the cyber incident?

Yes. CSV took immediate action to isolate and disable the affected network and to put in place arrangements to ensure continued operations across the courts.

The audio-visual network is separate to other CSV systems.

No other court systems or records were accessed or impacted.

What does this mean for people who attended court hearings during this period?

Court user audio only or audio and video recordings of what was said in a hearing may have been accessed.

Court and tribunal hearings are mostly public, and not confidential.

CSV has been working with justice system agencies, such as Victoria Police, Victoria Legal Aid and the Office of Public Prosecutions on areas where there may be particularly sensitive material.

Will I be contacted and how will I be contacted?

Where possible, courts are notifying parties whose hearing may have been affected.

Who can I talk to about my concerns?

CSV has established a Contact Centre with dedicated staff which is available to those seeking further information or assistance. This includes support from IDCARE, Australia’s national identity and cyber support community service. The Centre can be contacted during business hours from Tuesday 2 January 2024 via telephone or email:  

Call: 03 9087 6116
Email: CSVData@courts.vic.gov.au

Will my upcoming court case be affected by this incident?

All courts have put in place plans so that they can continue to safely and securely hear matters.

Some changes to hearing arrangements are in place while the affected network remains disabled. Information about any changes can be obtained from the relevant court.

If you have a question about an upcoming court case and how this might be affected, please contact the relevant registry

What has been done to secure CSV’s IT systems?

CSV took immediate action to isolate and disable the affected network and arrangements were put in place to ensure continued secure operations across the courts.

What are you doing to make sure this doesn’t happen again?

The work on the restoration of systems includes works to strengthen security across the broader court and tribunal-wide technology environment.

Who is responsible for the breach?

We don’t provide information or details on cyber threat actors.

How can I make a complaint about how this incident was handled?

Please email privacy@courts.vic.gov.au if you wish to raise any concerns.

Have financial records and employee data been accessed or otherwise impacted?

No. No other court systems or records, including employee or financial data, were accessed.

Have those responsible for the hack made any demands of Court Services Victoria? Have any threats been made to release the recordings? 

For security reasons, we will not comment on the specific details of our response to this cyber incident. 

Are police investigating and what assistance are the courts receiving from government security agencies? 

CSV has notified the relevant authorities, including Victoria Police whose cybercrime squad is investigating. 

We are working closely with the cyber security experts in the Victorian Department of Government Services. 

We have also secured support from IDCARE, Australia’s national identity and cyber support community service. 

Why was a statement released today when the courts first became aware of the incident on December 21? 

CSV took immediate action to disable the network and notify the relevant authorities. 

It was not immediately apparent which recordings and transcripts were affected. It has taken time to establish this. 

How were the courts alerted to the cyber security incident? 

Computers used to control audiovisual court hearings were disrupted. 

Some compromised recordings may involve people whose identities are protected by court orders or legislation. What is being done?  

CSV has been working with justice system agencies to identify sensitive matters. Courts are notifying parties whose hearings may have been affected and those parties can discuss any specific concerns at that time. CSV has also partnered with IDCARE, Australia’s national identity and cyber support community service, to work with people to address their concerns.  

CSV is not currently aware of any recordings being released but will notify the relevant authorities should this occur. Maintaining security for court users is our highest priority and we recognise and apologise for the distress this incident may cause.  

Can you clarify when the incident occurred? 

Whilst we became aware on 21 December, it occurred on 8 December. The system holds recordings for some time, so the primary investigation period is 1 November to 21 December, which is when we identified the problem, before isolating and disabling the affected network.

The statement is something of a curate’s egg, good in parts.  It identifies, in necessarily broad terms, files that may have been accessed from particular courts and tribunals.  That said there may be others.  The breach happened on 8 December but was not detected until 21 December and only then when computers were disrupted.  That indicates a likelihood that there was an absence of an instrusion detection system that monitors network traffic for suspicious activity and alerts when such activity is discovered. These systems are designed to detect anomalies quickly so that hackers can be detected they do real damage. They can be either network- or host-based. A host-based intrusion detection system is installed on the client computer, while a network-based intrusion detection system resides on the network. Intrusion detection systems either looki for signatures of known attacks or deviations from normal activity. The deviations or anomalies are examined at the protocol and application layer. There is more to it, involving differing systems such as network intrusion detection system (NIDS), host intrusion detection system (HIDS), signature-based intrusion detection system (SIDS) and anomaly-based intrusion detection system (AIDS). Given the malware was on the systems for 13 days before it was detected, and only then when the computers were disrupted it is reasonable to suggest there was no intrusion detection system, or at least a good one, operating.

The media reporting has already unveiled what Court Services won’t say, that Qinlin, a Russian based hacking group, was responsible.  The Court Services did not explain how the ransomware accessed the system.  It is reasonable to provide that information.  It will come out sooner rather than later. 

None of the reports or statements have indicated whether the Victorian Information Commissioner is investigating.  It is definitely his jurisdiction.  Unfortunately the enforcement powers under the legislation is very limited. 

In the Age the breach is covered by ‘This will be unsettling’: Victorian court hack may expose sensitive witness testimony, the Australian with Victorian courts hack: fears for victims and informants and 9News with State’s court suffers ‘unsettling’ and ‘distressing’ cyberattack. 

The Age article provides:

Sensitive witness testimony in high-profile court cases may have been compromised after Victoria’s court system suffered a cyberattack last month.

On Tuesday, Court Services Victoria (CSV) chief executive Louise Anderson confirmed the statutory body discovered on December 21 hackers had accessed the audiovisual archive of the state’s courts.

“Recordings of some hearings in courts and tribunals between November 1 and December 21 may have been accessed,” Anderson said in a statement.

She added that some hearings before November might also have been affected, but potential access was confined to recordings stored on the network.

The hackers could have gained access to witness testimony from several sensitive cases, including key evidence from a murder trial involving a prominent Melbourne underworld figure, which is the subject of a suppression order.

CSV will soon notify people whose hearings may have been accessed. The hackers may have potentially gained access to testimony provided under witness protection.

“We understand this will be unsettling for those who have been part of a hearing,” Anderson said. “We recognise and apologise for the distress that this may cause people.”

The worst-affected courts were those that frequently hear serious criminal cases – including rape and murder trials requiring victim and witness anonymity for their safety. However, most hearings across the court system are not confidential.

CSV said all criminal and civil hearings recorded in the County Court from the start of November to December 21 were exposed. In the Supreme Court, all criminal division and court of appeal hearings recorded from December 1 to 21 may have been accessed.

In the Magistrates’ Court, only some recorded committal hearings were accessible.

The Australian article provides:

Cyber criminals may have accessed sensitive evidence given by rape and child abuse victims, police informants and covert officers after hacking into Victoria’s court system, lawyers warn.

Russian hackers are suspected to be behind the ransomware attack that Victorian authorities say potentially involved unauthorised access to a broad range of recordings of criminal, civil and coronial hearings over at least two months.

The Victorian court hack is the latest in an escalating barrage of cyber breaches at major organisations.

Melbourne barrister Robert Richter KC said courts held extremely sensitive information that also protected the identities of informants and covert operations. “I imagine the most important would relate to cases in which pseudonyms are recorded in a traceable way,” Mr Richter said.

“It’s not so much about the demand for ransom, as it is about any leaks to the black net which would enable people who want to trace either complainants or witnesses to whom pseudonyms have been given. I only hope that none of the information that has been downloaded makes its way to nefarious contacts.”

Criminal defence lawyer Bill Potts said the “disturbing” cyber breach could put lives at risk and raised serious questions about the security of court information.

Courts were often closed to the public for evidence about sexual assaults and offences against children, he said.

“Witnesses would be living in fear,” Mr Potts said.

He added: “If you can hack it, there’s always the danger they can alter the details. I would hate to see a situation where hackers were able to get into the system and wipe people’s criminal records, alter the details of trials or publicise matters of significant sensitivity. You have victims of crime giving evidence about the worst moments in their life.”

Audio and video recordings of hearings in the Supreme Court, County Court, Magistrates Court, Children’s Court and Coroners Court may all have been accessed to varying degrees between ­November 1 and December 21 last year. Court Services Victoria was alerted to the cyber security incident on December 21, but only released a statement on Tuesday.

Court Services Victoria chief executive Louise Anderson said: “Our current efforts are focused on ensuring our systems are safe and making sure we ­notify people in hearings where recordings may have been accessed.

“We understand this will be unsettling for those who have been part of a hearing. We recognise and apologise for the distress that this may cause people.”

Cyber security expert Robert Potter said that, on the dark web, the Qilin ransomware group had claimed responsibility for the attack. “The particular group is Russia-based, recruits its membership in Russian and operates in Russian, so fairly confident saying it was a Russian ransomware group,” he said. “When you don’t pay the ransom, they just start trying to leak your data. They’ve hit Australian companies before.”Cyber security expert Robert Potter. Picture: Bloomberg

Qilin offers ransomware to affiliates in exchange for a cut of extorted funds, and does not target Russia-aligned states.

Mr Potter suspects the hackers gained access to the court network through a “phishing” attack on staff using emails with malicious attachments or links.

“It’s like a double extortion attack: with the first part, they lock up the data; then on the second, they try and sell the access back to you and delete it if you don’t pay the ransom,” he said.

Katherine Mansted, executive director of cyber security firm CyberCX, said recent attacks on the courts and health care sector showed the scale and intensity of the problem facing businesses and organisations.

“This is not something that just affects the big end of town; it’s not something that just affects small organisations that have ­obvious insecurities,” Ms Mansted said. “It’s something that is hitting the Australian economy hard across multiple sectors.”

The security breach follows a hack of the St Vincent’s Health network of hospitals and aged care facilities in December and cyber attacks on organisations including Medibank and Optus.

Cyber criminals known in the industry as “big-game hunters” focused on targets they thought would deliver the highest return. Others went for “easy wins”, ­attempting to extort businesses and organisations wherever a weakness could be exploited to deploy ransomware or steal data.

“The result of all of that is that we see a huge amount of cybercrime across the economy,” Ms Mansted said. “Some of it we see in media reports like this; some of it is disclosed to the public, particularly where it affects citizens’ data or where it results in obvious disruption to businesses, and some of it isn’t.

“It’s a bit like an iceberg. What we see is just the tip of a pretty broad and systemic problem.”

Ms Anderson said a contact centre had been established for people seeking further information or assistance. All relevant authorities were notified, and Victoria Police’s cybercrime squad is investigating.

“The cyber incident led to unauthorised access leading to the disruption of the audio visual in-court technology network, impacting video recordings, audio recordings and transcription services,” Ms Anderson said. “CSV took immediate action to isolate and disable the affected networoooruieuyrspid65k.”

Even the Victorian Bar has released a statement.

Leave a Reply





Verified by MonsterInsights