
Hackers breach Australian court hearing database

The court system for Australia’s second-most-populated state was hit by a ransomware attack that potentially exposed sensitive recordings of some court hearings.

Court Services Victoria (CSV), an administrative body that supports the operations of the courts in the state of Victoria, detected the attack on December 21. The incident led to the disruption of the audio-visual in-court technology network, impacting video recordings, audio recordings, and transcription services, according to CSV Chief Executive Louise Anderson.

CSV’s responsibilities include administrative support, management of court facilities, and registry services. Victoria is home to about 6.7 million residents, and its capital is Melbourne.

According to a statement from Anderson on Tuesday, the hackers might have accessed recordings of some court hearings between November 1 and December 21. No other court records, including employee or financial data, were compromised.

Australian media reported that during the attack, staff were locked out of their computers, and messages appeared on screens reading "YOU HAVE BEEN PWND."

The hackers, who weren't identified by CSV, left a ransom note threatening to publish files stolen from the court system. They also provided an address on the dark web for instructions on how to recover the files. Citing “security reasons,” CSV did not publicly reveal whether it received ransom demands.

The attack won’t affect court hearings scheduled for January, Anderson said. The agency’s security specialists said that after detecting the attack, they isolated and disabled the network and are now notifying people whose hearing recordings may have been accessed.

“We understand this will be unsettling for those who have been part of a hearing. We recognize and apologize for the distress that this may cause people,” the statement reads.

There are three main courts operating in Victoria: the Supreme Court, the County Court, and the Magistrates' Court. There are also several specialized courts, including the Children's Court, the Coroners Court, and the Koori Court.

According to CSV, County Court cases were the most severely affected by the hack, with hackers potentially accessing all criminal and civil hearings recorded on the network. No Children's Court hearings from November or December have been compromised, but one hearing from October may have remained on the network.

Potential suspect

According to Robert Potter, co-founder of the Australian cyber firm Internet 2.0, who has seen the message the hackers sent to the victims, the attack was likely carried out by the Qilin ransomware group.

The ransom note is "very similar to their dark web posts, and the links match known infrastructure," Potter told Recorded Future News.

Russia-linked Qilin ransomware, operating since at least July 2022, primarily targets critical sector companies, encrypts their data and demands ransoms ranging from $50,000 to $800,000.

The hackers typically gain access to the targeted systems through phishing emails and employ a double extortion technique, researchers from Group-IB said. In this technique, the hackers demand a ransom payment not only for providing the decryption key to restore access to the files but also for not exposing the sensitive data they have acquired.

The group’s victims are mostly located in Australia, Brazil, Canada, the U.K., and the U.S. The hackers have previously stated that they do not target Commonwealth of Independent States (CIS) countries, including Russia, Belarus, Kazakhstan, and Moldova.

Australia under attack

Australia has suffered numerous major cyber incidents over the past few months. In November, one of the country’s largest port operators, DP World, suspended operations at container terminals in several cities following a cyberattack.

In December, Australia’s largest non-profit healthcare provider was hit by a cyberattack, resulting in data being stolen from its networks.

Other prominent Australian institutions breached by hackers include one of the country’s largest health insurance providers Medibank, consumer credit business Latitude Financial, and Australia’s second-largest telecommunications company Optus.

The Australian government even wanted to ban businesses from making ransomware payments as part of its national cybersecurity strategy but dropped this plan.

“Every time a ransom is paid, we are feeding the cybercrime problem. Now, we are in a situation in our country where it is clearly not the right time at this moment to ban ransoms, and that’s because we haven’t done the hard work,” said Clare O’Neil, the Australian Minister for Home Affairs and Cybersecurity.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.