30th August 2016
Computers from a federal research network, a peak sporting body, a school and a local council are among tens of thousands of machines which have been hacked and had their login details put up for sale in a dark web marketplace, a Four Corners investigation has revealed.
- A dark web database contains the server details of more than 70,000 global organisations
- Security firm Kaspersky found 5,855 Australian organisations listed on the database
- Airlines, schools and a leading sporting body are among the targeted Australian organisations
Other major companies including Jetstar and Suzuki have systems suspected to have been compromised, but both companies deny being breached.
In June this year, security firm Kaspersky released a report that revealed more than 70,000 computers around the world had been hacked, with their usernames and passwords put up for sale on the dark web.
Computers like these can be rented by cyber criminals and used to launch attacks against others for as little as $6, according to Kaspersky.
Tim Wellsmore, Director of Threat Intelligence at cyber-security firm Mandiant and a former manager at the Australian Cyber Security Centre, said they could also give “access to whatever is on that computer system” or be used to launch Denial of Service (DoS) attacks similar to the ones which targeted the Australian Bureau of Statistics’ census form.
“That marketplace exists and there’s quite a strong marketplace for these attacks to occur, [because people] don’t want to use their own computers to launch them,” he said.
“They want to use somebody else’s that doesn’t look like an attacker, and unfortunately there are thousands of these servers or computers out there for sale that can be used for these attacks.”
Five days later, Kaspersky published a separate list identifying 170,000 computers which may also be suspect, including 5,855 in Australia owned by companies, local councils, law firms and schools.
The ABC is not suggesting presence on the Kaspersky list automatically means the servers have been hacked.
However, several of those identified on the list had been breached.
One was a machine from the NECTAR cloud — a federally funded network run by the University of Melbourne that hosts virtual servers for Australian researchers.
It appeared to have been for sale since January last year.
NECTAR confirmed the breach, but would not say what — if anything — had been compromised.
“The impacted virtual machine has been locked down to prevent further access,” the statement said.
“Each user’s virtual machine is isolated from other users’ virtual machines running on the cloud, which provides an extra layer of security protection.”
A computer run by the nation’s peak body for rowing, Rowing Australia, was also hacked and is believed to have been up for sale since last December.
While the server points to the Australian Sports Commission, it is managed independently by Rowing Australia and, Four Corners understands, holds administrative functions rather than athlete data.
“We have engaged an external cyber security expert to conduct an investigation into this matter and develop strategies to protect our systems and data,” Rowing Australia’s chief commercial officer Katherine Ginbey said.
Computers owned by Ararat Community College in Victoria and the Town of Port Hedland in Western Australia have also both been confirmed to have been breached.
The college is currently conducting an investigation to secure its system and assess if anything was stolen.
A server owned by Jetstar was found on the Kaspersky list of suspected computers. However, a statement from the airline said it “could not find any evidence that the system has been compromised or breached.”
“[A configuration] was incorrectly enabled on this particular server however there are several layers of security that need to be navigated before anyone could gain access to the server,” the statement said.
Suzuki said it was already aware of the database and had taken appropriate action to ensure the integrity of any system data.
It would not comment further on its internal security policies.
Mr Wellsmore, the former Australian Cyber Security Centre manager, said the high number of suspect Australian servers came as no surprise to him.
“Many people may think of those as computer servers sitting in an office somewhere,” he said.
“Those servers would be computers everywhere across Australia, including in people’s homes that are just sitting there already compromised waiting to be used for an attack.”
“It’s a market-driven economy unfortunately and … because of some of the vulnerabilities out there in the software that are quite easy to be compromised, there’s a lot of these … for sale.”
In its analysis of the 170,000 server addresses, Kaspersky said it made “sense for the system administrators of the listed IP addresses to check carefully for a potential past compromise of their servers.”