
Australian domain registrar auDA apparently hacked, in talks with ACSC - UPDATED

An Australian internet company fell foul of a relatively new player on the hacking scene late last week when the NoEscape ransomware gang claimed to have stolen 15 gigabytes of sensitive data.

David Hollingworth
Mon, 21 Aug 2023

SEE UPDATE BELOW

At first, .au Domain Administration Limited – better known as auDA – denied the claims of the gang, saying in a statement on 18 August that despite being notified of the incident, they had “so far found no evidence of such a breach”.

The company posted a statement on 20 August, admitting that the threat actor had shared limited proof of the attack.


“Today, the cyber criminal has provided evidence of a small sample of data they say is in their possession,” auDA said. “It includes screenshots of a file list from a computer.”

The not-for-profit is continuing to investigate the incident, and the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Department of Home Affairs have been informed.

According to NoEscape’s leak site, the group posted about the breach on 11 August, saying that it had 15 gigabytes of data, including a long list of sensitive personal information.

“We have 15GB of stolen data, namely: powers of attorney and legal documents with seals, passports, personal data, medical reports, loan repayment, dismissal documents, declarations, death certificates, access to customer bank accounts (name pw bsb acc number), taxes, projects, and much more confidential information,” NoEscape said.

“Allocate a person to the place of the negotiator and let him contact us,” the group added, “we will explain everything and help to you [sic] avoid these problems.”

(Cyber Security Connect has not seen the leak site since the onion addresses seem to resolve to a blank page, but threat monitoring site Falcon Feeds has a reliable screenshot.)

NoEscape itself seems to be a relatively new group, first appearing in May 2023. It operates as a ransomware-as-a-service operation, providing affiliates with custom payloads and the infrastructure to manage their campaigns, and it also runs its own extortion operations, which the auDA incident appears to be.

The gang has set a date for posting its next update about 10 days after its initial 11 August notice.

UPDATE 21.06.23, 7.26pm

auDA has since released a further update, confirming that no data belonging to the company has been compromised. The timeline, as supplied by auDA, is as follows:

Our investigation has identified:

  • The source of the data breach was an Australian sole trader, with an Australian domain name
  • That sole trader’s server was subject to a malware attack by the cyber criminal on 10 August 2023
  • The sole trader’s data was encrypted and a ransom payment was sought
  • The sole trader did not respond to the cyber criminal and did not pay any ransom
  • auDA was then alerted that the cyber criminal claimed to be in possession of auDA data and commenced an investigation immediately
  • There is no evidence that cyber criminals have accessed auDA systems, or have obtained auDA data
David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
