The Canberra Times
Jasper Lindell

ACT payslips, documents were at risk in suspected China spy operation

Special Minister of State Chris Steel, who said there was no reason to believe data had been taken in the ACT. Picture by Karleen Minney

ACT public service payslips, documents scanned to email on photocopiers and automatic responses to information provided in online forms were at risk of data theft for almost 200 days in a breach attributed to spying on behalf of China.

But ACT Special Minister of State Chris Steel said there was no evidence any information had been taken from government systems.

While the ACT has not attributed the data breach to anyone, an investigation by cyber security firm Mandiant found with "high confidence" the actor behind the worldwide breach "conducted espionage activity in support of the People's Republic of China".

An ACT government assessment of the security breach that involved a Barracuda email system found there was a low risk of serious harm to individuals as a result of the breach in the territory's system.

"Our recommendation to the community is that no action is required as a result of this incident," Mr Steel said.

Mr Steel announced on June 8 the ACT had become aware of an issue with the Barracuda system, which is a security monitoring system for emails.

ACT chief digital officer Bettina Konti on Monday said the government had assessed more than 120 systems that interacted with the Barracuda email system.

"However, while this information was vulnerable during the period of 12 November to 26 May, there is no evidence that we can find that this information having been removed. Key factors that contributed to our recommendations include this isn't an attack on ACT government," Ms Konti said.

"The vulnerability of our information was due to a zero-day vulnerability incident directed at Barracuda, which was a third-party organisation, and all their client systems being affected as a flow-on effect."

Ms Konti confirmed both public and private sector cyber security experts had been engaged by the territory government to assess the impact of the security breach.

"[The] ACT government has also not received any contact from anyone claiming responsibility for the incident. And a substantial period of time has now passed," she said.

"There's no evidence of this information being misused, such as being posted to the dark web."

The ACT government will continue to monitor the dark web for evidence of its information being posted or offered for sale.

An investigation by Mandiant, which is owned by Google Cloud, found that an actor linked to Chinese IP addresses sent phishing emails to victim organisations to gain access to information.

The emails included TAR files to exploit the vulnerability in the Barracuda system.

"Through infrastructure analysis, Mandiant identified several points of overlap with infrastructure attributed to other suspected China-nexus espionage operations," Mandiant said in a blog post on June 15.

Asked whether anyone in the ACT had received emails of this kind, Ms Konti only said the vulnerability was in the Barracuda system used by the ACT government.

"Very soon after Barracuda themselves issued the statement to say, 'Hey, we've discovered a vulnerability', we immediately took it offline and rebuilt the Barracuda email server so that there was no longer the vulnerability," she said.

Barracuda Networks, in a statement in June, said the breach was committed by an "aggressive and highly skilled actor" which had suspected links to China.

Mandiant recommended Barracuda customers continue to hunt for the actor and investigate affected networks.

More than half of affected organisations were located in the Americas, while 22 per cent were in the Asia Pacific region, Mandiant said.

"Overall, Mandiant identified that this campaign has impacted organisations across the public and private sectors worldwide, with almost a third being government agencies," the company said.
