June 17, 2023
Russian cyber hackers who infiltrated the computer systems of law firm HWL Ebsworth have obtained government files apparently relating to the top-secret Woomera missile testing site, navy’s attack helicopter replacement project and Australia’s politically sensitive enhanced engagement in the Indo-Pacific.
Sources said the hack – one of the largest in Australian history – had also seen the ransomware gang obtain documents concerning police intelligence about protests at an immigration detention centre, the escape of prisoners, and projects involving special forces.
While a court injunction obtained by the giant law firm has sought to limit public knowledge of the content of the hacked documents, The Weekend Australian can reveal there is deep concern and fury in Canberra, where at least 45 departments and agencies fear data they shared with HWL Ebsworth has been compromised.
The Defence Department, a major client, appears particularly exposed, with monthly reports updating work on defence matters leaked and published online by the hackers, known as BlackCat/AlphV or Alpha Spider.
Other data stolen includes an unknown number of driver’s licences, including names, dates of birth and photos, employment contracts, briefs of evidence, legal negotiations and consent orders.
National intelligence agencies are also caught up in the hack, with numerous documents relating to the Australian Federal Police, the Australian Criminal Intelligence Commission and Austrac, and one document to ASIO. The Australian Signals Directorate, one of the agencies working to shut down the data leak and track the hackers to their bases offshore, is also caught up in the hack, with documents relating to the ASD among the 1.4 terabytes published so far from the 4 terabytes that were stolen.
More than 2.5 million documents were compromised by the hackers, who gained access to HWL Ebsworth’s Melbourne servers after obtaining a mid-ranking lawyer’s credentials in April. Once inside the law firm’s system, the hackers accessed the drives of almost 2000 employees, copying their downloads, documents and other data.
The Weekend Australian has been told the data hack is being widely discussed within the cyber security industry, and is known to have been downloaded multiple times in overseas jurisdictions.
Sources in Canberra said that while a Russian-linked criminal ransomware gang had stolen the data, it was “inevitable” that state actor adversaries, such as Russia and China, would have downloaded the data and would be closely examining it.
The Attorney-General’s Department has established a working group to deal with the fallout of the hack, while a crisis committee has been established across government, with daily meetings of senior officials trying to work out what documents have been taken.
The Weekend Australian has been told one Defence-related document relates to the redevelopment of the top-secret Woomera missile testing site in South Australia. Another is about the $3bn plan to replace Australia’s fleet of Taipan attack helicopters with Seahawk Romeo combat helicopters at the HMAS Albatross naval base near Nowra.
One document relates to the Indo-Pacific enhanced engagement strategy, which is designed to counter Chinese influence in the Pacific. A source said it related to infrastructure projects in Solomon Islands.
Other documents are about asylum-seeker boats approaching Australia, joint South Australian-Australian Federal Police intelligence and planning for a protest. Others relate to the escape of detainees from an immigration detention centre and the seizing by the navy of two Russian fishing vessels some years ago. A number of invoices have also been made public.
While the Albanese government is largely refusing to say what data has been leaked, two agencies – the Office of the Australian Information Commissioner and the NDIS Quality and Safeguards Commission – have confirmed they lost data.
The Australian Taxation Office didn’t directly confirm it had lost data but warned people to be on the lookout for suspicious online activities, while the commonwealth DPP said on Friday it was “participating in the whole-of-government response to the HWL Ebsworth cyber incident”.
Opposition cyber security spokesman James Paterson expressed deep concern about the leaking of commonwealth data from sensitive agencies, including the Department of Home Affairs, the Department of Foreign Affairs and Trade, and the Office of the Australian Information Commissioner.
“Protecting Australian government data is more important than ever in light of recent significant cyber incidents and our current strategic environment,” Senator Paterson said. “The Albanese government must take every action necessary to secure the compromised data.”
Cyber Security Minister Clare O’Neil said the government had “been on the ground since day one at HWL Ebsworth, helping them manage the technical incident, understand the implications of the breach and support their customers”.
“When we arrived in office, there was no meaningful cyber incident response function in the Australian government,” Ms O’Neil said. “Today, the management of these incidents – where my department, the Australian Signals Directorate, the Australian Federal Police and the company itself work in partnership to manage these incidents – is integral to our overall national cyber resilience.”
A Defence Department spokesperson said HWL Ebsworth had advised it of the ransomware attack. “This is not an attack on Defence ICT,” the spokesperson said.
“Defence is actively engaging with HWL Ebsworth as part of the whole-of-government response to this incident, to determine the extent of the attack.”
The Australian Federal Police declined to comment.
HWL Ebsworth, run by managing partner Juan Martinez, is one of Australia’s largest law firms, and has contracts across government worth tens of millions of dollars. The company said it understood and acknowledged “the impact that this issue has had on all affected clients and we have maintained close contact with them”.