The Vice Society ransomware group today claimed responsibility for a December 2022 attack on an Australian state fire department that led to a widespread IT outage. Fire Rescue Victoria warned current and former employees and job applicants of a data leak.
Although the threat group did not share many details about the leak or its negotiations with the fire department, it released a data set as proof of its claims. The leaked data includes budget documents, job applications and other sensitive information.
Fire Rescue Victoria, which operates 85 fire stations in Melbourne and surrounding areas, also informed the Office of the Australian Information Commissioner of a possible data breach and is currently analyzing the data set shared by the threat actors on the dark web.
The analysis is a “complex task” but the fire department has engaged unnamed cybersecurity specialists and will provide further information as it becomes available, the FRV said.
Since the mid-December outage, the FRV has reinstated a number of systems, including access to telephone and email, but the overall IT infrastructure is not fully operational. Daily operations continue using offline resources such as dispatch crews, mobile phones, pagers and radios.
The fire department cautioned citizens not to download the data set from the dark web. Buying stolen credentials is a crime, punishable by up to 10 years in prison.
A Brief Timeline
On Dec. 15, 2022, FRV reported technical issues with its IT systems on Twitter. It said that firefighting crews and trucks remained operational for incident response and that community safety was not compromised.
A day later, the department said a preliminary investigation confirmed the cyberattack. “Most of our systems, including FRV network, emails and dispatch” were impacted, FRV said at the time.
By Dec. 24, the FRV was able to recover some affected systems, including phones, with the help of external cybersecurity experts and Australian state and federal government partners.
At the time, the fire department maintained that it had no evidence of data being stolen, but two days later it confirmed that the cyberattack involved the theft of some of its private data.
On Jan. 6, FRV notified the OAIC of a possible data breach stemming from the Dec. 15 cyberattack. It said that the attack affected a number of FRV’s internal servers, including the email system, and that it was reasonable to believe that personal information may have been accessed or stolen in the process.
The leaked details include personally identifiable information such as full names, addresses, email addresses, phone numbers, dates of birth, health information and other PII including employment history, criminal history, political or religious views, according to the notification sent to the OAIC.