April 9, 2025
Lucas Baird & Paul Smith
The Australian Financial Review
The superannuation account details of thousands of Australian retirees are up for sale online, according to cybersecurity researchers who say the data was taken by covertly installed software known as “infostealers”.
The details emerged as the opposition accused Labor’s Cybersecurity Minister Tony Burke of being missing in action on the breach of some of the nation’s large super funds, which resulted in the removal of hundreds of thousands of dollars from member accounts.
It follows the controversial construction industry fund Cbus, chaired by former Labor treasurer and party president Wayne Swan, belatedly telling regulators on Monday that it too was attacked.
“Another day and more radio silence from the cybersecurity minister after cybercriminals have raided Australians’ retirement savings,” Coalition campaign spokesman James Paterson said.
“It’s hard to escape the conclusion that Tony Burke is giving Cbus a free pass because it’s chaired by the Labor Party president Wayne Swan and is run by the CFMEU,” he continued. “Labor was outraged about the Optus and Medibank data breaches but has nothing to offer the victims of this attack.”
Burke declined to comment when approached by The Australian Financial Review – marking the fifth day in a row since the attack that he had not made a statement on it.
His office said the national cybersecurity co-ordinator, Lieutenant-General Michelle McGuinness, was responsible for the response. Her office was created after the Optus and Medibank breaches.
The theft of the data available on the dark web is separate from last week’s attacks on big super funds and from the phishing attack that targeted executives at the sector’s peak organisations, also last week.
Dvuln, a Sydney-based cybersecurity research firm, said it had identified more than 5800 account details from some of the nation’s largest funds up for sale on dark web forums, Telegram channels and other marketplaces. Israeli cyber-intelligence firm Kela said it had also found details for thousands of other superannuation fund members up for sale.
Dvuln chief executive Jamieson O’Reilly said his team had passed details of its findings to the Australian Signals Directorate and the affected funds. The dark web is a hidden part of the internet accessible only through specialised software, and often used by criminals to sell stolen goods.
Infostealers are an increasingly common form of malware that infects people’s devices. They collect sensitive information such as website login credentials, credit card details and social media accounts. They get on computers and phones in various ways, including when victims click on links in phishing emails or malicious websites, or if they download infected software.
MinterEllison cyber-risk partner Shannon Sedgwick said the stolen information could be used by cybercriminals for account takeovers, financial fraud or extortion, identity theft and ransomware attacks.
The super funds are not to blame for the details being stolen, but while the onus is on individuals to protect their devices, Sedgwick said companies should help mitigate the risks with rigorous checking procedures.
“Infostealer malware is often used by low-level threat actors because it takes little technical skill to procure and deploy … Historically, personal devices are the primary targets, as they don’t have the benefit of corporate security oversight and mobile device management tools,” Sedgwick said.
“By implementing complex passwords and multifactor authentication, patching software, using antivirus software, and staying vigilant against phishing attacks, individuals can significantly reduce their risk of falling victim to infostealer threats.”
The Financial Review revealed last week that criminals had hacked accounts at AustralianSuper and Australian Retirement Trust – the country’s two biggest funds with a combined $676 billion of pension savings under management.
REST, Hostplus and the MLC Expand platform, run by ASX-listed Insignia Financial, were also hit in the attack.
The funds have been criticised for not having multifactor authentication in place to protect their customers’ funds.
The first attacks used a technique called credential stuffing, in which criminals take login details leaked in an unrelated incident and found on the dark web and try them against other accounts where the victim reused the same password.
The Australian Prudential Regulation Authority said on Tuesday it had “heightened” monitoring activity since the attacks.
“Supervision has been heightened across the industry with a focus on information sharing and the monitoring and containment of issues, with the objective of protecting Australians,” a spokeswoman said. “Australian superannuation funds and other Australian financial institutions are required to protect members’ funds and information security.”
Dvuln’s O’Reilly said there had been similar attacks in the past in which cybercriminals sourced credentials from infostealer malware to launch credential stuffing attacks against customers of companies including cryptocurrency exchange Binance, financial firm Revolut and biotechnology outfit 23andMe. In those cases the credentials were obtained not by compromising the companies’ infrastructure but by malware on customers’ own devices.
Critically, O’Reilly warned that if an infostealer virus was still on someone’s device, it could track if and when a password is changed. He said this meant the current advice to members about the super breach was “flawed”.
“The government has said ‘use a strong password or a different password’ – if you have malware on your device, it doesn’t matter.”
O’Reilly said the discovery of stolen account details showed that companies needed to spend more on monitoring for compromised accounts, and ensuring those accessing accounts are who they say they are.
“Companies should be increasing the scope of their monitoring. If we can find these accounts, so can AustralianSuper, and they can do what they need to do to protect customers.”
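One way a fund’s security team could detect the credential stuffing described above, and surface the compromised accounts O’Reilly says companies should be monitoring for, as an added Python example that is not part of the article or of any fund’s systems; the log lines, IP addresses, member IDs and the leaked-credential list are all constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real fund data): timestamp, source IP, account, result
SAMPLE_LOG = """\
2025-04-01T09:00:01 203.0.113.7 member1001 FAIL
2025-04-01T09:00:02 203.0.113.7 member1002 FAIL
2025-04-01T09:00:03 203.0.113.7 member1003 FAIL
2025-04-01T09:00:04 203.0.113.7 member1004 OK
2025-04-01T09:00:05 203.0.113.7 member1005 FAIL
2025-04-01T09:00:06 203.0.113.7 member1006 OK
2025-04-01T09:00:30 198.51.100.9 member2001 FAIL
2025-04-01T09:00:45 198.51.100.9 member2001 OK
2025-04-01T10:15:00 192.0.2.33 member1006 OK
"""

# Constructed: accounts whose credentials researchers reported finding in infostealer dumps
LEAKED_USERS = {"member1006", "member3000"}

def parse_log(text):
    """Parse lines into (timestamp, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try at least min_users distinct accounts inside one sliding
    window: a real member retries one account, a stuffing run sprays many.
    Returns, per flagged IP, the accounts that authenticated during the spray."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            if len({u for _, _, u, _ in span}) >= min_users:
                # successes inside the spray are likely takeovers: step-up or reset them
                flagged[ip] = sorted({u for _, _, u, ok in span if ok})
    return flagged

def leaked_account_logins(events, leaked=LEAKED_USERS):
    """Successful logins to accounts already in a leaked-credential set, even from a quiet IP."""
    return sorted({u for _, _, u, ok in events if ok and u in leaked})
```

The second check matters because of O’Reilly’s point that a password change does not help while the infostealer is still on the device: an account whose credentials are known to be circulating warrants extra identity verification regardless of how strong its current password is.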
Irina Nesterovsky, chief research officer at Kela, said it had found nearly 50,000 examples of account credentials from the named funds “that were stolen through different infostealing malware infections and shared on various cybercrime platforms”.
Kela has found records associated with dozens of other superannuation funds, but it is unclear if they were used in the co-ordinated attack last week.
“The threat of infostealing malware and its impact of sourcing valid credentials is recognised as one of the top threats to cybersecurity,” Nesterovsky said. “It is therefore possible that cybercriminals who intended to target customers of Australian superannuation funds used this source of data to gain access to the accounts.”