Government

Multiple government departments in New Zealand affected by ransomware attack on IT provider

A ransomware attack on Mercury IT, a widely used managed service provider (MSP) in New Zealand, is feared to have disrupted dozens of organizations in the country, including several government departments and public authorities.

The Ministry of Justice and Te Whatu Ora (Health New Zealand) are among the public authorities that have announced being impacted by a cyberattack on a third-party IT support provider. 

New Zealand’s privacy commissioner confirmed on Tuesday morning that “a cyber security incident involving a ransomware attack” was to blame, saying its upstream target was Mercury IT, which “provides a wide range of IT services to customers across New Zealand.”

Mercury IT is a small business with 25 staff according to its description on LinkedIn, which provides support, telecoms and infrastructure services to other organizations.

The data protection regulator said it was notified of the “evolving situation” on November 30, and added: “Urgent work is underway to understand the number of organizations affected, the nature of the information involved and the extent to which any information has been copied out of the system.”

The regulator said it would be opening a compliance investigation into the incident so it “can make full use of its information gathering powers” and encouraged “any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner.”

In a statement, the Ministry of Justice said that the attack was preventing it from accessing 14,500 files relating to the transportation of deceased people’s bodies, and roughly 4,000 post-mortem examinations dating from March 2020 to November.

Its chief operating officer Carl Crafar said: “We are conscious that so-called malicious actors behind such activity can monitor public commentary on incidents of this nature so will not be providing more detailed information on our responses at this time.”

In its statement, Te Whatu Ora, the country’s health ministry, said its access to data relating to bereavement and cardiac services was impacted. It said roughly 8,500 records about bereavement care services were inaccessible, alongside 5,500 records from the cardiac and inherited disease registry.

“While the above records are currently inaccessible, there is no evidence at this stage that they have been subject to unauthorized access or download,” said the ministry.

“We would like to reassure the public that there has been no disruption to health service delivery and that all Te Whatu Ora health services are continuing to run normally.”

The ministry added that six other health regulatory authorities who used Mercury IT had also been affected, including the Optometrists and Dispensing Opticians Board of New Zealand; the Chiropractic Board; the Podiatrists Board; the New Zealand Psychologists Board; the Dietitians Board; and the Physiotherapy Board of New Zealand.

It is not clear what impact the incident has had on these services.

BusinessNZ, an advocacy group, has also announced being impacted. Accuro, a not-for-profit health insurance provider in New Zealand with more than 34,000 members, stated that its “day to day operations and customer service have been impacted” by an attack on its IT provider.

It follows a significant ransomware incident affecting Australia’s private health insurer Medibank, which last month stated it would not be making an extortion payment after hackers gained access to the data of 9.7 million current and former customers, including 1.8 million international customers living abroad, and began releasing the details online.

The incident caused outcry in the country and prompted the Australian government to announce a new permanent joint standing operation between the Australian Federal Police (AFP) and the Australian Signals Directorate that would be “offensively attacking” groups behind ransomware incidents.

It comes a week after the United Kingdom announced it would be introducing a new mandatory reporting obligation on MSPs to disclose cyber incidents, alongside minimum security requirements which could see them fined up to £17 million ($20 million) for non-compliance.

Explaining the move, the government said that MSPs “play a central role in supporting the UK economy” and warned they are “an attractive and high value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services.”

Alexander Martin

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

Recent Posts

Deepfake news anchors spread Chinese propaganda on social media

In a series of videos posted on Twitter, Facebook and YouTube, Chinese state-aligned actors used…

6 hours ago

New info-stealing malware used against Ukraine organizations

A new information-stealing malware named Graphiron is being used against a wide range of targets…

12 hours ago

Hackers used fake websites to target state agencies in Ukraine and Poland

Hackers attempted last week to infect Ukrainian government computer systems with malware hosted on fake…

12 hours ago

‘No evidence of malicious access,’ Toyota says about serious bug exploited by outside researcher

Toyota said it remediated the vulnerability discovered by researcher Eaton Zveare. The company referred others…

13 hours ago

Turkey’s government restricts access to Twitter amid earthquake response

Internet traffic data showed that Twitter was totally inaccessible from with Turkey. The government has…

14 hours ago

CISA publishes recovery script for ESXiArgs ransomware as Florida courts, universities reel

CISA adapted work by two Turkish developers into a script for recovering files affected by…

16 hours ago