Public agencies struck by cyber attacks for financial gain in UK and Australia and email attacks in Greece, Ukraine, Serbia and Cameroon

May 19, 2025

Governments hold masses of personal and financial information, usually acquired by compulsion, which makes government websites a very attractive target for hackers. Government privacy protections can be spotty: good in parts and full of flaws elsewhere, and some departments are much better than others. In the UK the Legal Aid Agency has suffered a cyber attack resulting in criminal and financial information being stolen, according to the Times. Meanwhile in Australia the myGov network has been hacked and ATO refunds have been taken using stolen identities, according to the Australian. This has prompted a strident and very long response from the ATO. The Australian followed up with an article about myGov, More ATO tax hacking victims emerge as expert warns of myGov security issues.

Hackers are also running a worldwide cyber espionage campaign, dubbed RoundPress, using zero-day vulnerabilities and n-day flaws.

The Times article provides:

Sensitive personal information of online applicants, including financial details and addresses, downloaded by hackers

Criminal records and financial information were among a “significant amount of personal data” stolen in a cyberattack on the Legal Aid Agency, the Ministry of Justice has confirmed.

The MoJ said it became aware of the cyberattack on the agency’s online digital services — where legal aid providers log their work and receive payments from the government — on April 23.

It said it then took action to bolster its security and informed all legal aid providers that some of their details, including financial information, may have been compromised.

The group that carried out the attack has claimed it accessed 2.1 million pieces of data but the MoJ has not verified that figure.

The MoJ then discovered on May 16 that the cyberattack was bigger than originally thought, and applied to all legal aid applicants since 2010.

The MoJ and Legal Aid Agency said in a statement: “This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data — such as contribution amounts, debts and payments.”

The MoJ and Legal Aid Agency have urged anyone who has received legal aid since 2010 to be alert for suspicious activity and to reset passwords.

Jane Harbottle, chief executive of Legal Aid Agency, apologised for the breach.

“I understand this news will be shocking and upsetting for people and I am extremely sorry this has happened,” she said. “Since the discovery of the attack, my team has been working around the clock with the National Cyber Security Centre to bolster the security of our systems so we can safely continue the vital work of the agency.

“However, it has become clear that to safeguard the service and its users we needed to take radical action. That is why we’ve taken the decision to take the online service down.”

Harbottle said contingency plans were in place to make sure that those in need could continue to access legal support and advice.

The Australian article provides:

Hackers are harvesting potentially thousands of bogus tax returns as they exploit ongoing security weaknesses in the Australian Taxation Office’s online portal and the commonwealth’s myGov system.

Unsuspecting taxpayers and their accountants are discovering that hackers have infiltrated their myGov accounts, filed fake tax returns and directed the refunds to their own bank accounts despite the ATO having taken steps to clamp down on the practice.

The incidents are the latest of several brazen massive frauds and hacking attacks around Australia, including a series of hacks targeting superannuation funds in April, and they show the ongoing ­dangers posed by hackers who are holding information stolen from prior data breaches.


While victims, accountants and the tax ombudsman have all flagged issues in the myGov and ATO systems that they say have at least contributed to the success of the frauds, the ATO said incidents of “unusual activity” in ATO ­accounts were likely related to identity theft.

“Identity information can be compromised in a variety of ways, including requests for information by malicious actors, phishing emails, large-scale data breaches, and individual device or home ­network hacking,” the ATO said.

“The ATO can confirm that its systems are secure, resilient and have not been compromised.

“The ATO continues to remain vigilant for new and emerging cyber threats.”

Questions to the ATO about the exact number of Australians caught up in the saga, the amount of money both paid out to and recouped from fraudulent returns, and whether or not any arrests have been made over the incidents, were not addressed. But victims who have been through the process of resolving the breaches believe there are likely thousands of others in the same position.

Perth woman Kate Quinn, who works in the not-for-profit sector, discovered that hackers had filed a fraudulent tax return in her name earlier this year when her husband asked their accountant to prepare their tax returns.

The accountant found that they were no longer authorised to manage her tax affairs and that an $8000 tax return had been lodged on her behalf for the last financial year. The hackers had changed ­Ms Quinn’s linked bank account details, ensuring that they received the tax refund.


Ms Quinn told The Australian she was staggered to find just how easy it was for hackers to commit the frauds when armed with the necessary information.

She said ATO officers had told her that it could take hackers only seconds to execute the fraud.

“They hack in, they untick ‘notify me or notify my tax agent’ and change the bank account details. (The ATO officer) said it probably takes all of 10 to 15 seconds (to) change the bank account details and the money’s gone, and the case is closed and no one’s notified,” she said.

Ms Quinn said the changes to her myGov information were made without triggering any of the two-factor authentication processes designed to reduce the risk of hacking incidents.

She said she was shocked to discover during her interactions with the ATO just how common such incidents were.

She said she spoke to several ATO personnel who were working full-time solely on investigating and resolving such incidents, and as a result of those interactions believed there were thousands of other people in the same situation.

She was initially told the backlog of cases was so large that her matter might take at least a year to resolve, but after four months she escalated her matter to the ATO’s complaints department and had it sorted out in a matter of days.

“There are people who are really desperate to get their returns and people who would have been counting on that money. I just find it incredible,” she said.

More than 14 million taxpayers have linked their myGov account to their ATO Online accounts.

Accountant Adrian Raftery told The Australian one of his clients had an almost identical experience. Like with Ms Quinn, the fraud was discovered only when the accountant went to file the most recent tax return.

In this case, the hackers had not only filed a new tax return but had also successfully amended the prior year’s return and had tried and failed to amend another. The hackers had successfully collected more than $14,000 in fraudulent returns before their third attempt failed.

He said the ATO should have systems in place to automatically flag instances where bank account details were changed, tax agents removed and amended or unusually large returns filed.

“If there was an amendment done to a prior-year return that was lodged by a tax agent previously, but an amendment is done personally, that should be a trigger point for the ATO, combined with a change in bank account details,” he said.

The original source of the data used for the hacks was unclear, but Mr Raftery suspected much of the information may have come from historical data hacks of large super funds. He said he believed the full scale of the hacking was likely to be much larger than authorities believed.

“I’m certain there’s probably been a lot of $1000, $2000 and $3000 refunds that have been ­issued to third parties without people knowing,” he said.

The claiming of fraudulent returns through myGov and the ATO’s online portal has long been an issue. The Inspector-General of Taxation and Taxation Ombudsman previously launched an investigation into the problem in late 2023 and handed down interim findings more than a year ago.

That report made more than a dozen recommendations aimed at tightening the ATO’s systems, including introducing additional security measures for instances where bank account details and contact information were changed.

The ombudsman found at the time the ATO had “limited” automated checks and controls, and its account monitoring processes likely had “limited effectiveness in mitigating the risk”.

In a statement, the ATO said it had taken a number of steps to improve its security.

“In the past year, we have introduced a range of measures to better protect client identity and accounts, including Online Access Strength, client-agent linking, and a new risk model ­targeting fraudulent links to the ATO’s Online Services for Individuals,” the ATO said.

“We continue to encourage individuals to use myID when interacting with the ATO’s online services and to set up to the highest identity strength where possible to make it harder for fraudsters to exploit their identities.”

The ATO statement provides:

The Australian Taxation Office (ATO) is aware of media reporting that the ATO has been ‘hacked’. This is incorrect. The ATO’s systems are secure, resilient and have not been compromised.

The safety of taxpayers’ information is of the utmost importance to us, and the ATO continues to remain vigilant for new and emerging cyber threats.

If an individual sees unusual activity on their ATO account, it may be related to identity theft. Identity information can be compromised in a variety of ways, including requests for information by malicious actors, phishing emails, large-scale data breaches, and individual device or home network hacking.

When the ATO suspects that a taxpayer’s identity may be compromised, the ATO activates stringent security measures to protect the taxpayer.

If an individual is found to be a victim of third-party fraud, we will work with them to fix their client account and remediate it to its true and genuine position. The ATO will then work to recover the monies.

In the past year, the ATO has introduced a range of measures to better protect client identity and accounts. The ATO will soon be deploying additional security features in the ATO app, which will enable taxpayers to better protect themselves. This includes the ability to receive secure messages from the ATO when key information, such as bank account details, are changed.

The ATO continues to encourage individuals to use myID when interacting with the ATO’s online services and to set up to the highest identity strength where possible to make it harder for fraudsters to exploit their identities.

The ATO reminds taxpayers to be wary of scam emails, phone calls and text messages claiming to be from the ATO, particularly at Tax Time. The ATO may use SMS or email to ask taxpayers to contact us, but will never send an unsolicited message containing a hyperlink to log on to online services. Always access ATO services directly by typing ato.gov.au or my.gov.au into your browser.

If taxpayers have divulged personal information, such as your myGov details, or paid a scammer, they should contact the ATO immediately on 1800 008 540 so they can take appropriate steps to protect your information. In addition to calling the ATO, if taxpayers think their identity has been compromised and it has impacted their tax affairs, they should also inform their tax agent.
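The accountant quoted in the Australian article lists the trigger points he thinks should be flagged automatically (bank account details changed, tax agent removed, an agent-lodged prior-year return amended by the account holder, an unusually large refund), the victim describes the sequence of notifications being switched off and bank details changed within seconds, and the ATO statement says it will alert taxpayers when bank details change. The following is an added example, not ATO, myGov or any vendor's code, that turns those trigger points into a scored rule set over a constructed event stream. The event fields, rule weights, 24-hour window and hold threshold are assumptions for illustration.

```python
"""Risk scoring for self-service changes on a tax account.

Added example; not ATO, myGov or any vendor's code. Event fields, weights,
the 24-hour correlation window and the hold threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    account: str
    ts: datetime
    kind: str                   # bank_change | agent_unlinked | notify_off | amend_prior_year | lodge_return
    channel: str = "self"       # "self" (portal login) or "agent" (registered tax agent)
    amount: float = 0.0         # refund claimed, for lodge_return / amend_prior_year
    original_channel: str = ""  # amend_prior_year only: who lodged the return being amended


WINDOW = timedelta(hours=24)   # assumed correlation window
LARGE_REFUND = 5000.0          # assumed "unusually large" refund threshold
HOLD_THRESHOLD = 6             # assumed score at which a refund is held for manual review


def score_account(events):
    """Score one account's events (any order) and return (score, reasons)."""
    evs = sorted(events, key=lambda e: e.ts)
    score, reasons = 0, []
    bank_changes = [e for e in evs if e.kind == "bank_change" and e.channel == "self"]

    if bank_changes:
        score += 3
        reasons.append("bank account details changed via self-service")

    for e in evs:
        if e.kind == "notify_off":
            # Notifications switched off and the bank account changed shortly
            # afterwards: the sequence the victim in the article describes.
            if any(timedelta(0) <= (b.ts - e.ts) <= WINDOW for b in bank_changes):
                score += 3
                reasons.append("notifications disabled within 24h before bank change")
        elif e.kind == "agent_unlinked" and e.channel == "self":
            score += 2
            reasons.append("tax agent unlinked by account holder")
        elif e.kind == "amend_prior_year" and e.channel == "self" and e.original_channel == "agent":
            score += 3
            reasons.append("agent-lodged prior-year return amended via self-service")

        # A large refund claimed soon after the payout destination was changed.
        if (e.kind in ("lodge_return", "amend_prior_year") and e.amount >= LARGE_REFUND
                and any(timedelta(0) <= (e.ts - b.ts) <= WINDOW for b in bank_changes)):
            score += 2
            reasons.append(f"refund of {e.amount:.0f} claimed within 24h of bank change")

    return score, reasons


def triage(events):
    """Group a mixed event stream by account; return {account: (score, hold, reasons)}."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    result = {}
    for acct, evs in by_account.items():
        score, reasons = score_account(evs)
        result[acct] = (score, score >= HOLD_THRESHOLD, reasons)
    return result


# Constructed sample stream (not real account data).
T = datetime(2025, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    # Account A: the pattern from the article, executed within seconds.
    Event("A", T, "notify_off"),
    Event("A", T + timedelta(seconds=12), "bank_change"),
    Event("A", T + timedelta(minutes=5), "lodge_return", amount=8000),
    # Account B: agent lodges a modest return, nothing else changes.
    Event("B", T, "lodge_return", channel="agent", amount=1200),
    # Account C: owner updates their own bank details; small return days later.
    Event("C", T, "bank_change"),
    Event("C", T + timedelta(days=3), "lodge_return", amount=900),
    # Account D: agent unlinked, agent-lodged prior year amended, large refund.
    Event("D", T, "bank_change"),
    Event("D", T + timedelta(minutes=1), "agent_unlinked"),
    Event("D", T + timedelta(minutes=2), "amend_prior_year", amount=6000, original_channel="agent"),
]

if __name__ == "__main__":
    for acct, (score, hold, reasons) in triage(SAMPLE_EVENTS).items():
        print(acct, score, "HOLD" if hold else "ok", reasons)
```

Account C scores only for the bank change, which on its own is ordinary behaviour and stays below the hold threshold; the combinations on accounts A and D are what push a refund into review, which is the point of scoring the sequence rather than any single change.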

The Government webmail attack article provides:

Hackers are running a worldwide cyberespionage campaign dubbed ‘RoundPress,’ leveraging zero-day and n-day flaws in webmail servers to steal email from high-value government organizations.

ESET researchers who uncovered the operation attribute it with medium confidence to the Russian state-sponsored hackers APT28 (aka “Fancy Bear” or “Sednit”).

The campaign started in 2023 and continued with the adoption of new exploits in 2024, targeting Roundcube, Horde, MDaemon, and Zimbra.

Notable targets include governments in Greece, Ukraine, Serbia, and Cameroon, military units in Ukraine and Ecuador, defense companies in Ukraine, Bulgaria, and Romania, and critical infrastructure in Ukraine and Bulgaria.

Open email, have data stolen

The attack starts with a spear-phishing email referencing current news or political events, often including excerpts from news articles to add legitimacy.

A malicious JavaScript payload embedded in the HTML body of the email triggers the exploitation of a cross-site scripting (XSS) vulnerability in the webmail browser page used by the recipient.

All that is needed from the victim is to open the email to view it, as no other interaction/clicks, redirections, or data input is required for the malicious JavaScript script to execute.

[Figure: Attack chain overview. Source: ESET]

The payload has no persistence mechanisms, so it only executes when the malicious email is opened.

The script creates invisible input fields to trick browsers or password managers into autofilling stored credentials for the victim’s email accounts.

[Figure: Credential stealer function. Source: ESET]

Additionally, it reads the DOM or sends HTTP requests to collect email message content, contacts, webmail settings, login history, two-factor authentication, and passwords.

The data is then exfiltrated to hardcoded command-and-control (C2) addresses using HTTP POST requests.

Each script has a slightly different set of capabilities, adjusted for the product it’s targeting.

Vulnerabilities targeted

Operation RoundPress targeted multiple XSS flaws in various webmail products that important organizations commonly use to inject their malicious JS scripts.

The exploitation ESET associated with this campaign involves the following flaws:

    • Roundcube – CVE-2020-35730: A stored XSS flaw the hackers used in 2023, by embedding JavaScript directly into the body of an email. When victims opened the email in a browser-based webmail session, the script executed in their context, enabling credential and data theft.
    • Roundcube – CVE-2023-43770: An XSS vulnerability in how Roundcube handled hyperlink text leveraged in early 2024. Improper sanitization allowed attackers to inject <script> tags into the email content, which would be executed when viewed.
    • MDaemon – CVE-2024-11182: A zero-day XSS flaw in the MDaemon Email Server’s HTML parser, exploited by the hackers in late 2024. By crafting a malformed title attribute with a noembed tag, attackers could render a hidden <img onerror> payload, executing JavaScript. This enabled credential theft, 2FA bypass, and persistent access via App Passwords.
    • Horde – Unknown XSS: APT28 attempted to exploit an old XSS vulnerability in Horde by placing a script in an <img onerror> handler. However, the attempt failed, likely due to built-in filtering in modern Horde versions. The exact flaw is unconfirmed but appears to have been patched in the meantime.
    • Zimbra – CVE-2024-27443: An XSS vulnerability in Zimbra’s calendar invite handling, which hasn’t been tagged as actively exploited before. Unsanitized input from the X-Zimbra-Calendar-Intended-For header allowed JavaScript injection into the calendar UI. APT28 embedded a hidden script that decoded and executed base64 JavaScript when the invite was viewed.

Although ESET does not report any RoundPress activity for 2025, the hackers’ methods could be easily applied to this year too, as there’s a constant supply of new XSS flaws in popular webmail products.
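Every step of the RoundPress chain described above depends on attacker-controlled HTML reaching the recipient's browser intact: a script or event-handler attribute that executes on open, hidden input fields that coax autofill into revealing credentials, and a parser quirk (the MDaemon noembed/title case) that lets an `<img onerror>` survive filtering. The defensive counterpart is to never render a mail body as received, but to re-serialise it through an allowlist. The following is an added example, not ESET's code nor that of Roundcube, Horde, MDaemon or Zimbra; the tag and attribute lists are illustrative assumptions, and the bodies in `SAMPLES` are constructed to resemble the techniques the article names, not captured payloads.

```python
"""Allowlist sanitiser for untrusted HTML email bodies.

Added example; not ESET's or any webmail vendor's code. Tag and attribute
allowlists are assumptions. Sample inputs are constructed, not captured.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol", "li",
                "div", "span", "blockquote", "table", "tr", "td", "th", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "cid:")
VOID = {"br", "img"}
# Elements whose entire content is discarded, not just the tag itself:
# script-bearing, embedding and form elements (hidden inputs feed autofill).
DROP_WITH_CONTENT = {"script", "style", "noembed", "noscript", "iframe", "object",
                     "form", "textarea", "select", "svg", "math", "template"}


class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitised fragments
        self.dropped = []    # what was removed; useful as a detection signal
        self._dropping = []  # stack of open DROP_WITH_CONTENT elements

    def handle_starttag(self, tag, attrs):
        if self._dropping:
            if tag in DROP_WITH_CONTENT:
                self._dropping.append(tag)
            return
        if tag in DROP_WITH_CONTENT:
            self._dropping.append(tag)
            self.dropped.append(f"<{tag}> with content")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")   # tag removed, its text is kept
            return
        clean = []
        allowed = ALLOWED_ATTRS.get(tag, set())
        for name, value in attrs:
            value = value or ""
            # Anything not explicitly allowed is removed, which covers every on* handler.
            if name not in allowed:
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in URL_ATTRS:
                # Remove whitespace/control characters before the scheme check so
                # "java\nscript:" style obfuscation cannot slip past it.
                scheme_view = "".join(c for c in value if ord(c) > 32).lower()
                if not scheme_view.startswith(SAFE_SCHEMES):
                    self.dropped.append(f"{tag}@{name}={value[:30]!r}")
                    continue
            clean.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")

    def handle_endtag(self, tag):
        if self._dropping:
            # An unclosed dropped element swallows the rest: fail closed.
            if tag == self._dropping[-1]:
                self._dropping.pop()
            return
        if tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data))
    # Comments, doctype and processing instructions hit the base-class no-ops
    # and are therefore dropped as well.


def sanitize(body):
    """Return (clean_html, dropped_items) for an untrusted HTML email body."""
    p = EmailSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.dropped


# Constructed bodies resembling the techniques named in the article.
SAMPLES = {
    "benign": '<p>Hello <b>world</b> <img src="cid:logo" alt="x"></p>',
    "event_handler": '<p>News <img src="cid:pic" onerror="alert(1)"></p>',
    "noembed_trick": '<div title="t"><noembed><img src=x onerror="steal()"></noembed>ok</div>',
    "autofill_inputs": '<form><input name="user"><input type="password" name="pass"></form><p>hi</p>',
    "js_url": '<a href="java\nscript:alert(1)">link</a>',
    "script": '<script>document.body.innerHTML=1</script><span>text</span>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        clean, dropped = sanitize(body)
        print(f"{label:16} -> {clean!r}  dropped={dropped}")
```

The `dropped` list is as useful as the cleaned output: a message whose body needed a `<form>` with password inputs or an `onerror` attribute removed is a strong signal to quarantine and alert on, independent of whether the sanitiser happened to catch it in the rendering path.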
