Russian gang behind hack exposing family violence victims, government agencies

A Russian-linked ransomware gang is behind a major hack that has hit about 200 Australian organisations and breached federal government agencies, exposing the data of thousands of family violence and sexual assault victims, students and passport holders, cybersecurity experts say.

Black Basta, a known cyber ring, held a dark web auction for the information that was stolen from Victorian data management firm ZircoDATA early this year, alerting authorities.

A cache of sensitive files has been associated with a Russian-linked hacking group.

In online forum posts – seen by this masthead – the group claimed its haul totalled 395 gigabytes, attaching as proof scans of passports, including individual immigration identifiers, and other sensitive documents it said were looted from ZircoDATA’s clients.

Another hacking group, Crypmans, also hit ZircoDATA in January, according to other dark web posts and breach alerts.

On Friday, this masthead revealed that Victoria’s largest health service, Monash Health – which had been using ZircoDATA to scan archived records from family violence and sexual support units in Melbourne’s east between 1970 and 1993 – had been caught up in the hack. It is now racing to track down about 4000 patients affected.

Other ZircoDATA clients with sensitive records stolen include an Australian legal translation service and a US investment firm.

Cyble, a cybersecurity firm that tracks hacking rings and monitors dark web chatter for breaches, said it was assisting multiple companies hit by both hacks – but it was not yet certain if the two were connected.

The company’s Kapil Barman said the gangs appeared to have used the same vulnerability to get into ZircoDATA’s systems, and both used Russian-language ransomware.

“We’ve found 191 Australian organisations affected by the ZircoDATA hacks,” said Sameer Pradhan, cybersecurity manager of Risk Associates, who also works with Cyble.

The federal government’s National Cyber Security Co-ordinator revealed late on Friday that the breach had affected government entities that were ZircoDATA clients, but said it was still working with the company to identify the impacted data and so had yet to notify all those affected.

On Saturday, the Department of Home Affairs could not confirm who was responsible for the hacks or which government agencies had been affected, saying it was still investigating.

The CSIRO told this masthead that it was a client of ZircoDATA, but it hadn’t been notified of any exposure through the breach. It said the company did not have access to its research because it was used only “for hardcopy file transfer and disposal”.

The Australian Pesticides and Veterinary Medicines Authority, also listed by ZircoDATA as a client, did not respond to questions.

A report by cybersecurity researchers last year found Black Basta, which emerged in 2022, has the fourth most active strain of ransomware online, and one of the most lucrative, with much of its revenue laundered through the sanctioned Russian cryptocurrency exchange Garantex.

“Since Australia started supporting Ukraine in its fight [against Russia’s invasion], we’ve seen attacks by Russian hacking gangs increase on companies here,” Barman said.

Russian cyber gangs often work with direct or indirect support of the Kremlin, but experts said it was too early to call the ZircoDATA breach state-sponsored.

Melbourne Polytechnic also revealed on Friday that enrolment details of about 60,000 current and former students had been snared from ZircoDATA, but the information taken was considered low risk and limited to names, student ID numbers, dates of birth and addresses.

ZircoDATA did not respond to requests for comment. In February, it released a statement saying it had discovered a hack, which it had worked “to contain” and reported to authorities.

Monash Health chief executive Professor Eugine Yafele said on Friday he was deeply sorry about the breach,which did not affect Monash’s internal systems.

The National Cybersecurity Co-ordinator called the disclosure of private details about sexual violence and assault victims “distressing”.

With Kieran Rooney

Sherryn Groch is a journalist at The Age and The Sydney Morning Herald.