DOC ransomware attack – how a security expert rates its response

The Department of Conservation (DOC) has revealed an isolated ransomware attack occurred on July 21 at the Search and Rescue (SAR) Base at Aoraki/Mount Cook.

DOC Deputy Director General Corporate Services Rachel Bruce said DOC will be in contact with 11 people whose personal information may have been compromised.

The attack on the large government department follows the May 18 attack on the Waikato District Health Board, which harmed all IT systems and phone lines and caused surgeries to be cancelled.  

In the past year, there have also been cyber attacks on innocuous NZ organisations including MetService, Volunteer Service Abroad and Mt Ruapehu skifields.

Bruce described the July 21 ransomware attack as isolated and said “the Search and Rescue base is a standalone network with no connection to the DOC corporate network. As a result of the malware, staff were unable to access shared files that had been encrypted.”

The information which appears to have been taken was about individuals who have been assisted in DOC/SAR operations. Their information was encrypted by the hackers. DOC says it took immediate action once it became aware of the attack and five devices on the standalone network “were immediately isolated and sent to third-party forensic analysis specialists to determine what data had been compromised.”

The Office of the Privacy Commissioner was notified, SAR team members were given replacement devices after four days, and DOC contacted the individuals whose private information was taken, some of whom were tourists. Bruce said no other parts of DOC's network or IT systems were impacted, and DOC continues to make improvements, including ensuring staff are well informed of the constant risk of cyber-attack.

DOC told theBit that, to maintain the security of its systems and processes, it could not provide detail in response to many of our questions.

Bruce said staff became aware of the cyberattack shortly after it happened on July 21, and hardware devices were isolated immediately.

“DOC’s Alpine Rescue Team remained ready and operational, and this issue did not cause any impact to their work in the field. DOC has followed government advice and has not paid a ransom.”

DOC ransomware attack: What you need to know

theBit spoke to Wayne Forgesson, CEO of Signal (a web-based threat and risk intelligence solution platform), to get a professional’s take on how well DOC responded to the ransomware attack.

Q. Were the hackers successful?

A. Mixed. The hackers got no money but successfully encrypted data belonging to SAR. A breach that results in the exposure of any data is disappointing and could lead to flow-on impacts for those impacted.

Q. Did penetration at one site affect a whole network?

A. No – DOC’s network is separate from the affected SAR site.

Q. Did the victim have adequate protection in place before the attack?

A. Unclear – but DOC concedes there is room for improvement.

Q. Does the victim have adequate protection in place following the attack?

A. The affected parties had their compromised devices taken away and were given new devices. SAR’s work in the field was not affected. A key mitigation will be making sure follow-on impacts are reduced as much as possible.

Q. Did the victim respond to the attack swiftly enough?

A. Sounds pretty swift – though the public were only told a month after the attack.

Q. How many people suffered because of the attack?

A. 11 people’s private information was encrypted (meaning SAR couldn’t access it for a while) and there is the potential that data will be further exposed.

Conclusion

“To me the key message is it happened, they managed and they learnt from it,” Signal CEO Wayne Forgesson said.

“While at first glance this may seem like nothing of particular note, it does highlight that anyone can be the target of an attack regardless of how remote or obscure they may seem to be. We are seeing rapid growth in the number of ransomware attacks and publication of that information on the dark web. It looks like DOC acted promptly and in doing so managed to avoid a more serious situation. A key lesson learnt is that these sorts of attacks can impact anyone and everyone should be diligent with their protection and prevention.”
