NSW Health, Rio Tinto, Serco named in global SolarWinds cyber attack

7:51 pm on 23 December 2020

Several Australian organisations have been named in a growing list of victims of a major global cyber attack.


Logo of prison operator Serco. (File image). Photo: RNZ / Kim Baker Wilson

NSW Health was one of those organisations and said patient information was not stolen and its system was not "compromised", but cybersecurity experts said it appeared to be infected with malware.

In a worst-case scenario, this could have allowed the hackers to escalate the attack and steal information.

Analysis of intercepted internet traffic between NSW Health systems and a server used by the hacking group suggests this had gone undetected for about half a year, they added.

In effect, Australia's largest health department appears to have been infected with potentially dangerous malware since June.

The malware on its own posed little threat, but would have allowed the hackers to pursue a second-stage attack that could have disabled NSW Health's cybersecurity programs and given full access to confidential data.

There was no evidence hackers had escalated the attack in this way.

Alongside NSW Health, public service contractor Serco Asia Pacific and mining giant Rio Tinto have been named in lists of companies and other organisations believed to be victims of the attack.

Several other organisations around the world, including in the US and UK, are understood to have been targeted by hackers.

US Secretary of State Mike Pompeo has blamed Russia for the cyber attack. Russia has denied any involvement.

Over the past week, the attack - dubbed "SolarWinds" after the software company at the centre of the hack - has developed into what is being called one of the largest and most consequential hacks ever.

From as early as March 2020, the same hackers secretly breached US federal agency computer systems, including the Department of State, the National Nuclear Security Administration, Homeland Security, Commerce and Treasury.

Malware may have been installed in June

There's no evidence Australian organisations were targeted by the hackers. They were more like collateral damage in a global attack that has opportunistically infected thousands of systems worldwide.

Rather than targeting high-profile victims directly, the hackers piggy-backed on the company that made software running on hundreds of thousands of corporate and government networks.

The company, US-based SolarWinds, said it was unknowingly infiltrated in early 2020.

Hackers inserted malicious code into an updated version of SolarWinds software, called Orion, which was delivered to customers between March and June 2020.

About 18,000 SolarWinds customers installed the tainted updates onto their systems, the company said.

Serco Asia Pacific, which runs Australian prisons and immigration detention centres and has contracts with the Australian Defence Force, said it was aware of an attack, but no data was accessed.

Rio Tinto declined to comment.

NSW Health said it was alerted on 14 December that SolarWinds Orion had experienced a cyber attack.

"To date, there has been no evidence found that NSW Health systems have been compromised and no evidence there has been any breach of patient information," a NSW Health spokesperson said in a statement.

"eHealth NSW can confirm that it has received the necessary updates from the vendor to ensure ongoing protection of its services."

'Very high likelihood' NSW Health compromised

Still, security experts said it was highly likely NSW Health systems were infected with malware.

Since news of the SolarWinds attack broke about two weeks ago, multiple cyber security researchers have published lists of organisations that installed the Orion update on their systems.

After the malware, called Sunburst, is installed on a host system, it lies dormant for 12 to 14 days. It then contacts a central "command and control" server used by the hackers to pass on information about the infected system.

Sergei Shevchenko, chief technology officer at Australian cybersecurity company Prevasio, said this information would include information to identify what organisation it had infiltrated and what security programs it was running.

"By analysing the traffic generated, we can identify who the victims were," he said.

"Those companies might not even be aware they're infected."

Several companies, including tech giants Intel and Cisco, confirmed they were affected after being named on lists of potential hack victims compiled by Prevasio and other security researchers.

Canberra-based cybersecurity expert Robert Potter said the fact NSW Health was appearing on multiple lists compiled by different experts meant there was a "very high likelihood" its systems had been compromised.

"There would have been malware resident on the system," he said.

Malware just the first stage of attack

Shevchenko said traffic data showed Sunburst malware installed on NSW Health systems communicated once with the command and control server on 12 June, then four times the following month.
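The traffic analysis the researchers describe (Sunburst stays dormant for 12 to 14 days, then beacons to the command-and-control server) can be turned into a simple defensive check over an organisation's own DNS logs. This is an added example, not code from the article or from Prevasio; the C2 domain and the log lines are constructed placeholders, and the "install window" is simply the first beacon date minus the dormancy period quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

C2_DOMAIN = "c2.example.invalid"   # constructed placeholder, not a real IoC
DORMANCY_DAYS = (12, 14)           # beacon delay after install, per the article
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Constructed DNS resolver log lines: "<timestamp> <client> <query name>"
SAMPLE_LOG = """\
2020-06-12T02:14:07Z host-a.corp.example 7f3a.c2.example.invalid
2020-06-12T02:14:09Z host-b.corp.example updates.vendor.example
2020-07-03T11:40:21Z host-a.corp.example 7f3a.c2.example.invalid
2020-07-10T11:41:02Z host-a.corp.example 7f3a.c2.example.invalid
2020-07-17T11:40:55Z host-a.corp.example 7f3a.c2.example.invalid
2020-07-24T11:42:13Z host-a.corp.example 7f3a.c2.example.invalid
"""

def parse_line(line):
    """Return (timestamp, client, qname) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3).lower().rstrip(".")

def is_c2_query(qname, c2_domain=C2_DOMAIN):
    """True for the C2 domain itself or any subdomain of it."""
    return qname == c2_domain or qname.endswith("." + c2_domain)

def find_beaconing_hosts(log_text, c2_domain=C2_DOMAIN):
    """First contact, beacons per month and implied install window per client."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_c2_query(parsed[2], c2_domain):
            hits[parsed[1]].append(parsed[0])
    report = {}
    for client, times in hits.items():
        first = min(times)
        by_month = defaultdict(int)
        for t in times:
            by_month[t.strftime("%Y-%m")] += 1
        report[client] = {
            "first_contact": first.date(),
            "beacons_by_month": dict(by_month),
            "install_window": ((first - timedelta(days=DORMANCY_DAYS[1])).date(),
                               (first - timedelta(days=DORMANCY_DAYS[0])).date()),
        }
    return report
```

The install window tells a responder which days of patch and software-deployment logs to examine for the Orion update that introduced the implant.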

For many organisations, the hack ended at this initial exploratory stage.

For others, however, the hackers escalated the attack and tried to gain access.

"There is no guarantee the hackers did not attempt to deploy the second-stage malware for any organisations on the list," Shevchenko said.

FireEye, the company that discovered the SolarWinds hack when investigating a breach of its internal systems, said that hackers infected almost 18,000 networks but only escalated access to about 50 targets.

In a separate report, Microsoft said it identified 40 of its own customers where attackers deployed second-stage malware.

The only publicly known company where hackers escalated access is FireEye.

Naming hack victims highly unusual

That the names of hack victims have been made public is highly unusual and reflects the size of the SolarWinds attack, according to Shevchenko.

"By publishing the list, we're raising awareness in our industry of the scope of the attack and how many victims there were."

Potter said a Chinese security firm was the first to name victims of the hack. This shocked many in his industry, which typically operates behind the scenes and under the assumption that security researchers will not expose corporate secrets.

"That's super non-kosher in our industry," he said, referring to the Chinese firm.

"They've gone and laughed at a car crash and named everyone in the car."

Removing the Sunburst malware from the infected systems would be relatively straightforward now that the hack had been exposed, both cybersecurity experts said.

"They'd be able to nuke it easily," Potter said.

If an organisation had been targeted for a second-stage attack, however, the clean-up would take considerably longer.

- ABC
