Global cyber criminals have given the NSW Labor Party 10 days to pay a ransom after gaining access to its computer network in a major cyber attack.
The ransomware group Avaddon, which originated in Russia, is behind the breach and is threatening to release a trove of sensitive information including images of passports, driver’s licences and employment contracts.
“NSW Labor, the company does not want to co-operate with us, so we give them 240 hours to communicate and co-operate with us,” Avaddon said in a post on its website.
“If this does not happen before the time counter expires, we will leak valuable company documents.
“We have a large amount of data on contracts, a lot of confidential information, confidential contracts, driver’s licences, passports, employment contracts, information about employees, resumes and more.”
Ransomware is a form of malware that encrypts the victim’s files; the attacker then demands a ransom to restore access to the system.
A NSW Labor spokesman said the matter was of “serious concern”.
“We have referred the matter to police and we are conducting a full investigation,” the spokesman said.
NSW Police confirmed on Wednesday afternoon it had been alerted to a ransomware attack on the party. Sydney City Police Area Command has commenced inquiries.
The Avaddon ransomware was created in mid-2020 in a Russian underground forum. Research into Avaddon suggests it has been linked to various cyber attacks, having infected and leaked data from at least 23 organisations as of February this year. A research paper from Rey Juan Carlos University in Spain said the ransomware runs distributed denial-of-service attacks against victims that do not pay the ransom.
The criminal group also threatened to launch a denial of service attack against the party if it did not pay up, a common Avaddon strategy to remind victims and the public that the group is still in their system.
An Australian Federal Police spokeswoman said the agency was aware of the matter but was not investigating.
Matthew Westwood-Hill, principal investigator at cyber security firm CyberCX, said Avaddon can be inside a network for “quite a period of time” before installing ransomware.
“During all that time they are very stealthily gathering information, copying off valuable sources, locating what servers are doing what, and once they’re finished that and don’t care about being identified – that’s when they will release the ransomware,” he said.
“They’re not silly. They will spend time, they will go through and identify where the valuable sources of information reside ... for example - background checks and police checks.
“The biggest thing about these ransomware groups is they’re not based in one location. They might have server infrastructure within the Russian area, but because the individuals are spread out globally it is difficult to attribute where they come from.”
The hack is the latest in a string of high-profile cyber attacks in Australia including on the Nine Network, owner of The Sydney Morning Herald and The Age.
Mr Westwood-Hill said in many cases it is not Avaddon which does the original breach, with the group instead paying other attackers for access to networks they have already breached.
Defence Minister Peter Dutton earlier this week said Australia was “already under attack” in the cyber world and suggested the nation’s cyber spy agency would need to be beefed up in the coming years to fight the wave of hacks.
“Under attack by state actors, under attack from very sophisticated criminal syndicates based in the Middle East, based in Asia and based in Europe,” he said.
“So that’s the reality and it’s not seen and there’s no casualties on the battlefield but there are companies and victims every day.”