Earlier this month, it was revealed that a personal information database belonging to Australian Defence Force Recruiting was suspected to have been compromised, and was brought offline in an attempt to contain the breach. The Defence Force Recruiting Network (DFRN) database stores sensitive information about Australian Defence Force recruits under contract with a third-party company.
The database contains personal information regarding medical conditions and records, as well as interview summaries. The Australian Defence Force (ADF) determined that the sensitivity of the data was grounds to shut down the database for 10 days once the breach was discovered, so an investigation could be conducted. However, the investigation found little evidence to suggest that any data had been stolen.
Liberal MP Andrew Hastie, who is among serving ADF members whose personal information is stored on the database, has suggested that the length of time the database was down strongly indicates a targeted attack from a sophisticated actor.
This attack is another in a number of recent attacks targeted toward the Australian Defence Force. Other recent attacks include a breach of student data from the Australian National University’s National Security College in 2018. A national security contractor was also breached in 2017, with thieves stealing a considerable amount of defence supplier data.
It was later discovered that AFR’s system was one of many worldwide found to be vulnerable to a critical bug (CVE-2019-19781) in Citrix’s NetScaler Application Delivery Controller (ADC) and NetScaler Gateway server products, which are used by over 80,000 organisations worldwide. The bug was disclosed in December 2019 and, if exploited, could allow actors to load malicious software onto target systems.
The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) issued an alert on Christmas Day 2019, well before the DFRN attack, warning of the severity of the bug and that an attacker without correct credentials could execute code on a vulnerable network. It has been reported that the ACSC informed Defence on January 24th that the DFRN may have been compromised due to the Citrix bug.
That the attack occurred so soon after the disclosure of the bug shows the importance of keeping up with vulnerabilities that may affect systems deployed within an organisation and of patching security bugs as soon as possible, especially for highly targeted organisations such as Defence. Before issuing a patch, Citrix recommended that all vulnerable systems be paused in order to reduce the attack surface until a patch could be released.
Patch management is critical to ensuring strong cybersecurity, as it significantly reduces the attack surface that malicious actors can target. Strong system monitoring and logging can also help detect suspicious activity before damage can occur. Agilient specialises in helping organisations develop world-class strategies to help protect against today’s actors. Our expert consultants tailor scalable solutions to suit your organisation’s needs and requirements. If you’d like to learn more about how we can help, contact us today.
Author: Jack Schofield