TL;DR
Australia is not under cyber-attack; instead, a series of opportunistic cyber-events is impacting some high-profile organizations.
There has been an increase in interest in Australia across Deep/Dark web forums. Cyber criminals are no different to anyone else: increased media attention raises the national profile.
Many of the posts below are generic cyber-events by low-sophistication, opportunistic actors.
Many of the posts below are not new. The volume has increased, but the requests and the data/access for sale have always been there and will continue to be.
The best bit of advice, control what you can control:
Password management,
Digital footprint,
Online engagement.
I hope this situational awareness helps to clarify that these are not unique, targeted incidents but part of the undercurrent of the internet that has been around long before the Optus breach and will be around long after it. Just know that the Government, cybersecurity companies and threat researchers like myself work hard to combat these threats.
I would like to start this report by explaining the reasons for creating it, in the hope that it does not cause panic, but instead awareness. It is fitting that it is still Cybersecurity Awareness Month.
I believe that situational awareness reduces the anxiety, fear and misconception around cybersecurity and cyber-attacks.
I am writing this report to showcase what the cyber landscape across the Deep/Dark Web and chat forums has looked like since the announcement of the Optus breach, which has pulled back the curtain for much of the Australian public on what is happening in cyberspace. For many, the Optus breach was the first time they heard about or cared about a data breach or a 'cyber-attack'. Those like myself who sit in this space daily, while shocked by the potential size of the Optus breach, were also looking at it as business as usual.
But the public has been awoken, cyber has been splashed across major outlets at unprecedented levels in this country and since the Optus breach there have been several other high-profile companies in the headlines.
But, what if I told you that was not the full picture? What if I said to you that there is much more happening behind the curtain than you would expect? What if I said to you that these breaches and cyber-events whilst in the media at present are far from unique?
Because that is the reality: since the Optus breach I have tracked around 50 'cyber-events' relating to Australia across several Deep/Dark web forums and chat services. With awareness comes understanding, and with understanding the stress and uncertainty that now surrounds cyber might well be alleviated. It is not my intention to create more fear and concern, but to take you fully behind the curtain and explain just what is there, in the hope that next time this happens there will be more understanding. (Yes, there will be other big breaches.)
Once again: Australia is not under cyber-attack, and there is no sustained campaign against us.
What is a Cyber-Event?
Firstly, let me define what I mean by a cyber-event in the context of this report. A cyber-event is any post, breach, ransomware leak, or anything else related to Australia between 24 September and 24 October.
To clearly showcase the cyber-events that are related to Australia, I have broken them down into groups:
Documented Breaches
These are the breaches that have been heavily documented in the news:
Optus breach - confirmed 10,200 customers impacted, possible that up to 8 million others impacted.
Telstra & NAB via MyRewards - 300,000 staff/customers impacted (data was from 2017)
Medibank breach - Ongoing, unclear impact at this time. This might be the only attack in this list that was conducted by a more sophisticated attacker, possibly a ransomware gang.
Vinomofo breach - 700,000 customers impacted.
Mydeal Australia - 2.2 million customers impacted - was sold in recent days.
AMEB Exams - Customers impacted.
Energy Australia - 323 customers impacted.
All breaches are bad, but some of these would not have made a regular news cycle; there have been big and terrible breaches this year that have not had the same attention. This highlights two things:
Post-Optus breach, companies have an appetite to get ahead of the news cycle and publicly disclose more than they may have done previously.
The media, following the standard news cycle, are seeking out breach and cyber-related stories.
Ransomware
I will name the victims of the ransomware attacks, as they have all been posted to leak sites for some time now.
Lockbit Ransomware Gang - Have posted 137 victims since 22 September:
17 October - Kilvington.vic.edu.au
16 October - Matrix networks (incorrectly named) - Posted four companies with Matrix:
stileslawyers.com
clarkann.com.au
rpca.com.au
nationaltrust.org.au
12 October - omegaservices.com.au
Karakurt Extortion Gang - Have posted 5 victims since 22 September:
20 October - Latitude 37
Qilin Ransomware Gang - Have posted 6 victims since 22 September:
25 September - dialog.com.au
These are not unique victims and make up a small fraction of the victims posted daily to leak sites.
In the following section I will remove organization names unless I know they have been mentioned publicly before. I will also provide context for each to aid further understanding.
Australia Organizations/Data Posted
24 September: Western Australian organization - REPOST, this was posted earlier in 2022 but reposted due to Australian popularity.
26 September: 2 million Australian emails posted for free - Old data from other breaches or a scrape of data.
26 September: Education Institute data for sale - Education institutes in Australia and globally are being targeted by cyber criminals.
27 September: Optus data sample - Targeted post (was later removed)
27 September: Optus data sample - This was reposted almost instantly (once it's on the internet, it stays on the internet).
27 September: Selling Bank panels for all countries - Generic post.
28 September: Education Institute data for sale - Education institutes in Australia and globally are being targeted by cyber-criminals.
6 October: 92953 Crypto accounts, part of global data for sale - Crypto accounts are super popular and crypto exchanges are heavy targets for cyber criminals.
11 October: Australian shop access for sale - Access does not mean a breach.
13 October: 700 Australian company emails - Likely a scrape, emails that are possibly from the LinkedIn data.
14 October: Clublinks.com.au - REPOST, this is from a Lockbit ransomware breach earlier in 2022, was posted due to a request.
14 October: ccz.com.au - REPOST, this is from a Lockbit ransomware breach earlier in 2022, was posted due to a request.
14 October: 1 million Australian LinkedIn scrape - REPOST, LinkedIn has been scraped more than once; this was reposted due to Australian popularity.
15 October: Australian travel agency data for sale - Nothing more on this.
17 October: Nova FM data from 2021 - REPOST, this has been posted many times, again was reposted due to Australian popularity.
19 October: Australian solar system company customer data - REPOST, this was posted earlier in the year and has been added again due to Australian popularity.
19 October: 8.1 million Australian emails for free - This is a COMB (combination of many breaches). It will be old breach data and could date back 5 or more years.
20 October: Australian shop access - Access does not mean a breach.
20 October: Australian data, 32,000 entries posted for free - No clarification of what this is from, possibly from an exposed bucket.
22 October: Australian data for sale, alleged 3 million entries - This is likely old data collated to try and resell due to Australian popularity.
22 October: Australia/Asia beverage company - Access does not mean a breach.
22 October: Australian recreation organization data - Posted as something else by a low-sophistication seller, possibly as a scam.
Australia Data or Access Requested
24 September: Australian ID and Passport fake service - Generic post
24 September: looking for Australian domains - Generic post
24 September: Request for Australian data - Generic Post
24 September: looking for Australian drivers licenses - Generic Post.
25 September: Looking for Australian Amazon accounts - Generic Post.
27 September: Request for Optus data - Specific request related to Optus.
29 September: Looking for Optus data - Specific request related to Optus.
28 September: Looking for Australian Office365 Logs - Generic post.
30 September: Looking for Australian databases. - Generic post.
3 October: Looking for Australian bank leads. - Generic post.
8 October: Looking for any Australian data. - Generic post.
14 October: Request for any Lockbit data from Australian companies - Specific request from a low-sophistication user.
17 October: looking for Australian databases - Generic Post.
21 October: looking for Australian logs - Generic Post.
24 October: Looking for Australian financial accounts - Generic post.
24 October: looking for any Australian databases - Generic post.
Almost all of these are generic posts that are put on forums all day, every day, for countries all over the world, and they often get little engagement.
Final Points
Knowledge is power and awareness reduces anxiety, or at least that is what I hope from sharing this. Just know that while cyber-events are in the news, they are not always targeted. They are not unique and it is likely there will be more in the future, but having situational awareness of the threat landscape can help reduce the anxiety and fear created by the Optus breach.
The Following are Excellent Resources and Guides:
https://www.cyber.gov.au/ - Australian government will post advisories and advice here.
https://www.scamwatch.gov.au/ - Australian government information on scams and guidance on how to deal with them.
https://haveibeenpwned.com/ - Website that lets you check if your email address has been involved in a data breach.
https://risky.biz/subscribe/ - News website that provides newsletters and podcasts about the cyber landscape.
https://www.bleepingcomputer.com/ - News website that provides updates and insights about the cyber landscape.
I mean you have to admit though 8 breaches just in October is a bit of a blip