Metricon Homes, Australia’s largest home builder, suffers ransomware attack

July 30, 2025

Metricon Homes has been hit with a ransomware attack by Qilin. Qilin is a cyber criminal organisation that operates as a ransomware-as-a-service operation whose modus operandi is to seize data and threaten to publish it on its Dedicated Leak Site (“DLS”), which is hosted on Tor. It was first detected in July 2022. It operates Agenda ransomware, which supports multiple encryption modes. It targets large enterprises and its usual mode of entry is through phishing or spear phishing emails. It has also accessed exposed applications such as Citrix and Remote Desktop Protocol.

As an aside, “qilin” refers to a mythical creature in Chinese folklore, often described as a hooved, chimerical beast with a mix of dragon, deer, and ox features. It’s a symbol of good omens, prosperity, and wisdom, and is said to appear during times of peace, prosperity, or the presence of a sage or benevolent ruler. Notwithstanding the Chinese symbolism, Qilin is a Russian-speaking group. It is quite effective.

Cyberdaily reports that Metricon has confirmed an attack by Qilin. Metricon has released a statement, of sorts, which says not much of anything. Definitely not best practice. Apparently other statements have been released but are not accessible to the general public yet. Cyberdaily’s description of Qilin’s communication is consistent with its usual practice.

It is much too early to comment on how the breach occurred, and by the look of it Metricon will be parsimonious with information. But given Qilin is known for phishing and spear phishing, it is a timely reminder for companies to properly train staff and for IT departments to have up-to-date detection software which can trap possibly dangerous emails. Many companies have little of either.

The Metricon media release provides:

Metricon Homes has been responding to IT issues that have been impacting our systems over the past two weeks. 

We have now become aware that a third party has named the company online alongside claims they have accessed some of our data. We are working to verify these claims as a priority and will provide further details when we have more information.

While we’ve experienced some disruption over the past two weeks, we’re pleased to confirm that most of our systems are now back online. Work on site has continued without interruption, and our team has made steady pre-site progress on customers’ builds with minimal delay.

Following initial detection of the incident, we have worked to secure our systems and establish a clear picture of what has happened.

If we discover that information has been impacted as a result of this incident, we will contact affected parties as required to provide support, guidance, and any assistance if necessary. 

We take cyber security seriously and remain committed to keeping our stakeholders informed as we continue to respond to this incident. We have also notified the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).

Thank you for your patience and understanding during this time. Our telephone system is now operational, in addition to our email system that was unaffected throughout the disruption. 

If you have any questions, please reach out to your appointed Metricon team member via phone or email.

The Cyberdaily article provides:

The Qilin ransomware operation has listed Victoria-based Metricon Homes as a victim on its darknet leak site and is claiming to have stolen 128 gigabytes of data from the popular home builder.

“As part of our operations, we have acquired access to highly sensitive data, including confidential financial documents, proprietary architectural plans, and internal marketing strategies,” a Qilin affiliate said in a 21 July leak post.

“The disclosure of this information could cause significant harm to the company, as it contains materials that may offer competitors a substantial strategic advantage and weaken Metricon’s position in the market.”

According to the hackers, the exfiltrated data consists of more than 98,000 files, with several screenshots and documents already posted to the dark web as proof of the hack. The data includes details of company credits and the employees who hold them, credit card receipts, finance and HR information, profit and loss statements, and details of staff salaries and commission rates.

The hackers have said the data will be fully published within seven days.

Metricon Homes’ website recently had a notification that it was experiencing an IT issue, but it has now confirmed it is “responding to a cyber incident that temporarily impacted access to its internal systems and networks”.

“This issue was swiftly contained with the support of external experts. Metricon can confirm that there has been no impact to the safety of our operations, and construction activity has continued without interruption,” a Metricon Homes spokesperson told Cyber Daily.

“Metricon are now aware that an unknown third party has named the company online and disclosed a small amount of data they claim was taken from our IT environment without authorisation. We are currently investigating these claims as a priority.”

The company is continuing to investigate the incident and the scope of the data compromised and has committed to notifying impacted individuals directly. Metricon’s internal systems are back in operation, and payments to suppliers and tradespeople are continuing as normal.

“We have notified the Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner (OAIC), and law enforcement authorities. We have also updated our staff, suppliers and trades throughout this process. Our response efforts remain focused on system security, transparency, and supporting those impacted by this incident,” the spokesperson said.

Metricon CEO Brad Duggan added his own statement to the company’s response.

“We take this incident extremely seriously and are working with independent experts to understand exactly what occurred,” Duggan said.

“Our customers, team and partners expect us to protect their data, and we are committed to managing this incident with care, speed and openness.”

The Qilin ransomware-as-a-service operation was first observed in August 2022 and has claimed 625 victims since, making it the third-most active ransomware group as of publishing. Its most recent Australian victim was financial services firm Skeggs Goldstien, which fell victim to an affiliate of the group in June.

Metricon Homes is considered the largest home builder in Australia, and it provides property services in NSW, Victoria, Queensland, and South Australia.

 

 
