There’s good news and bad news about a sweeping series of ransomware attacks on Government and business sites.
The good: Brett Callow, a threat analyst with ransomware specialist Emsisoft, has been monitoring the dark web, and says there is still no sign of data from any of the affected organisations being published online. Hackers often place small samples of sensitive data on the web in a bid to pressure a victim into paying up.
Callow has been monitoring the dark web since Friday, when the Herald first reported the wave of attacks.
The bad: authorities and organisations that have been hit are still unsure of the extent of the attack and what sensitive data could have been stolen.
Yesterday, new Privacy Commissioner Michael Webster confirmed a Herald report that Wellington-based managed services provider (MSP) Mercury IT had been hit by a ransomware attack.
That potentially compromised sensitive data it hosts for multiple clients, including health insurer Accuro, BusinessNZ, the NZ National Nurses Association, the Ministry of Justice - with 15,000 Coroners Court files taken out - and contractors to Te Whatu Ora, Health NZ - the entity charged with managing the centralised health system in the post-DHB era.
Callow says: “Managed service providers like Mercury IT can act as a gateway to their customers’ networks, and for this reason are a high-value target for ransomware actors.”
He adds, “We’ve seen multiple incidents like this in the past, including an incident in which REvil was able to encrypt the systems of 22 municipalities in Texas after compromising the MSP they used. Because of the risks, the UK is introducing mandatory reporting for MSPs as well as additional security requirements. This is something the New Zealand government should be considering too.”
The Herald has asked the Privacy Commissioner for comment.
An update to the Privacy Act in 2020 made it compulsory for individual organisations to report any data breach to the Privacy Commissioner, and Webster said he was planning a compliance investigation into the Mercury IT incident.
But the Government has resisted measures such as big fines on companies with lax data security, or making it illegal to pay a cyber-ransom, and Budget 2022 was thin on cybersecurity spending - particularly compared to across the Tasman.
National says it’s still in the process of formulating its ICT policy, which will be released next year.
GCSB leads response, Privacy Commissioner investigates
The GCSB’s National Cyber Security Centre is leading the response, supported by the police and Cert NZ. The Herald first reported elements of the attack last Friday.
“This is an evolving situation,” the Privacy Commissioner’s office said. “We were notified of the cyber security attack on November 30. Urgent work is under way to understand the number of organisations affected, the nature of the information involved and the extent to which any information has been copied out of the system.
“The Office of the Privacy Commissioner is planning on opening a compliance investigation into this incident so that it can make full use of its information-gathering powers.
“We encourage any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner.”
Mercury IT director Corry Tierney said senior management and relevant Government authorities were made aware immediately a “malicious and unauthorised actor” had gained access to the company’s servers.
“We have engaged external specialist support,” he said.
“Our response to understand how this occurred, and address the impacts, is at an early stage; however, all possible steps have been taken to secure our environment.
“We are committed to supporting our impacted clients with their own investigations wherever possible and we apologise, sincerely, for the impact this attack has caused.”
Through a spokesman, Tierney refused to answer any questions.
“We cannot provide further information on the impact and our mitigation at this time as the actors behind this incident, or others, can leverage any publicly available information,” he said.
The Ministry of Justice said yesterday that a cyber attack had blocked access to 14,500 coronial files and around 4000 post-mortem examination reports.
About 30,000 customers of health insurer Accuro have had personal data potentially exposed via the attack on Mercury IT.
The Nurses Association has about 55,000 members.
The Privacy Commissioner warned people not to share any information spilled online.
“For individuals - be on the lookout for anything out of the ordinary. Watch out for suspicious texts, emails or unusual things happening with your accounts or records. Be particularly cautious of contact from an unknown source,” the Commissioner said. The agency has posted protection tips online.