Australia’s .au domain administrator denies data breach after ransomware posting

Updated Aug. 21 at 10:24 a.m. with additional information from auDA.

The organization that manages Australia’s internet domain .au denied that it was affected by a data breach on Friday after a ransomware gang added it to their list of victims.

The nonprofit at the center of the situation, known as auDA, is supported by the Australian government and is the administrator of the .au domain name system. More than 4 million domain names are registered to .au and the organization is deemed “Australian critical infrastructure.”

But on August 11, the NoEscape ransomware gang claimed to have attacked the organization and stolen 15 GB of sensitive data that included personal information and more.

The organization released a statement on Friday denying any data breach.

“auDA was alerted to an alleged data breach this afternoon. We are investigating the allegation. We have so far found no evidence of such a breach,” the organization said. “We will provide an update as soon as we have more information.”

In response to questions sent about a potential ransomware attack, the organization directed Recorded Future News to an updated release sent out on Saturday.

They initially contacted the Australian Cyber Security Centre (ACSC), the Department of Home Affairs and the Office of the Australian Information Commissioner (OAIC) after the attack. The organization is working with a cybersecurity firm to investigate the incident.

“Today, the cyber criminal has provided evidence of a small sample of data they say is in their possession. It includes screenshots of a file list from a computer,” they said. “Our investigation remains ongoing, including to verify the cyber criminal’s claims and the provenance of this data.”

They warned people to be wary of phishing emails and malicious attachments.

Cybersecurity experts with CyberKnow noted that much of what NoEscape claimed to have taken would not be things managed by auDA or given to the organization, like medical information.

But the ransomware gang has quickly made a name for itself with several headline-grabbing attacks in recent months.

On Friday, the German Federal Bar (BRAK) Association confirmed it had suffered an attack on its office in Brussels after NoEscape said it attacked the organization.

The gang, which is also stylized as N0_Esc4pe, made waves in June and July after forcing Hawaiʻi Community College to pay a ransom following an attack.

Bleeping Computer reported that the gang is allegedly a rebrand of the Avaddon ransomware gang, a prolific operation that shut down in 2021.

The Australian Cyber Security Centre partnered with the FBI on an alert about the gang in May 2021.

Update (Aug. 24, 10:24 a.m.):

auDA said it has completed its investigation into the incident and said there is “no evidence that cyber criminals have accessed auDA systems or have auDA data.”

On Sunday, they examined the files leaked by the NoEscape ransomware group and said they were not stored on their systems.

“The source of the data breach was an Australian sole trader, with an Australian domain name. That sole trader’s server was subject to a malware attack by the cybercriminal on 10 August 2023,” the organization explained.

“The sole trader’s data was encrypted and a ransom payment was sought. The sole trader did not respond to the cybercriminal and did not pay any ransom. auDA was then alerted that the cybercriminal claimed to be in possession of auDA data and commenced an investigation immediately. There is no evidence that cybercriminals have accessed auDA systems, or have obtained auDA data.”

auDA worked with several Australian government agencies and private sector cybersecurity firms on the investigation.

The NoEscape ransomware group updated their post on Monday morning, criticizing auDA’s response and threatening “to sell access to bank accounts with balances over $4,000” – though it is unclear what that is in reference to because auDA is not a bank.

They also reduced the ransom payment timer from eight days to three in response to auDA's most recent statement.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.