From Nine to ASIC: The cyber attacks that cost Australia millions in 2021

Ajay Unni, the Chief Executive Officer and Founder of StickmanCyber

Cyber attacks have increased exponentially in the past year with the Australian government noting a 13% increase in reported attacks and a 15% rise in ransomware attacks.

The Australian Cyber Security Centre (ACSC) believes that cyber crime has cost Australian businesses and individuals $33 billion over the past year, with the global cost of cyber crime expected to rise to $2 trillion by the end of 2021, up from $400 billion in 2015.

Ajay Unni, the CEO and Founder of StickmanCyber, takes us through some of the most talked about attacks of the year, what was stolen and how the victims recovered their data.

“From governments to charities, media to ASIC, care homes to water suppliers and global meat processors, these attacks show that size doesn’t matter to hackers and as malicious actors become more sophisticated in their methods, everyone is at serious risk of becoming a target.”

Nine Network

Nine Network was at the centre of the largest cyber attack on a media company in Australian history, resulting in the news production systems around the country coming to a grinding halt for more than a day with the broadcaster unable to air several programs.

The Sydney Morning Herald, owned by Nine, reported the infection as “some kind of ransomware” attack, albeit using a malware strain not previously seen in Australia, with sources reporting to media that the ransomware had impacted several thousand machines.

While it’s still not clear if all the infected machines were shut down to prevent the malware from spreading further, it is understood that at least part of the environment was powered down.

UnitingCare Queensland

UnitingCare Queensland became the victim of notorious cyber group REvil in April with a ransomware attack shutting down many of their core systems and forcing them to resort to paper-based and manual workarounds in order to continue some of their operations.

REvil, as their name suggests, deployed a category of malware called Sodinokibi/REvil, which encrypted the health care provider’s files and attempted to delete backups.

This led to a two-month-long ordeal for the health provider to regain control of its systems.

Whereas the hospital and aged care facilities managed to bring most of their applications and systems back online, the cyber attack led to them being suspended from the national My Health Record system, which allows patients to view their records online.

UnitingCare has since confirmed that there was no evidence that any patient’s health had been compromised by the cyber incident and they continue to work with the ACSC, technical and forensic advisors in order to facilitate an effective response to the attack.

ASIC

The Australian Securities and Investments Commission (ASIC) was hit by a data breach in January that saw attackers gain access to files relating to credit license applications.

The cyber security incident was related to a vulnerability found in vendor Accellion’s legacy File Transfer Appliance (FTA) software that is used for storing and sharing documents.

Accellion’s FTA software was found to be vulnerable to SQL injection, a common attack vector through which hackers can gain access to hidden parts of a database or file system.

Oxfam Australia

Oxfam Australia investigated a cyber-attack on their database that impacted the information of 1.7 million supporters, with hackers accessing files containing data on supporters who had signed petitions, taken part in campaigns and made donations or purchases.

While passwords weren’t compromised, names, addresses, dates of birth, email, phone numbers, gender, and in some cases donation history, may have been accessed.

In February, the charity launched an investigation after becoming aware of the cyber security incident, notified supporters of the potential risk, and referred the breach to the ACSC and the Australian Information Commissioner’s Office.

Transport for NSW

In February, around 250GB of information, including confidential emails and files, was stolen from Transport for NSW and dumped on the dark web, appearing on a leak site belonging to ransomware and extortion group CL0P in downloadable chunks of roughly 4GB each.

Additionally, the data theft was found to be part of a larger breach relating to the Accellion File Transfer Appliance (FTA) with CL0P publishing data from dozens of organisations in an extortion attempt after a vulnerability was discovered in the legacy Accellion service.

Cyber Security NSW managed the NSW Government investigation, with the help of forensic specialists, to understand the impact of the breach, including on customer data.

Eastern Health

Earlier this year, Eastern Health was forced to shut down some of its IT systems and postpone elective surgeries following a widespread ransomware attack that crippled its server.

Although no patient data was confirmed to have been lost, ransomware forced the shutdown of information and communication systems across the hospitals operated by Eastern Health.

The cyber security incident denied the staff access to patient records, booking and management systems and prompted the cancellation of non-urgent surgeries, causing frustration for patients whose procedures had already been delayed due to COVID-19.

To combat this attack, back-up processes were implemented during recovery efforts, including the use of paper-based documentation, and some non-critical appointments were delayed.

The support of the state and federal governments alongside IT experts was crucial in helping Eastern Health to bounce back from the attack and resume normal functionality.

Swinburne University

In April, Swinburne University of Technology revealed that it had responded to a data breach that had made information about more than 5,000 people available online.

Swinburne was advised that some information, for example the names, email addresses and phone numbers of an estimated 5,200 Swinburne staff, 100 Swinburne students and some external stakeholders, had inadvertently been made available on the internet.

This data was event registration information from multiple events held from 2013 onwards.

Swinburne University of Technology’s investigation into the cyber security breach shows that the source of the data was an event registration web page that is no longer available.

The Melbourne institution said that it took immediate action to investigate and respond to the breach, including removing the information and conducting an audit across similar sites.

Northern Territory Government

The system was hit by a ransomware attack in January and was down for 3 weeks after the attack hit one of the suppliers and forced their sensitive database to be taken offline.

The NT Government confirmed that, in spite of the government system being down for 3 weeks, none of the data it is responsible for protecting was accessed by unauthorised third parties.

Rather than paying the ransom, a spokesperson for the Northern Territory Government Department said that they worked with the ACSC to remediate the ransomware attack.

Sunwater

Sunwater was targeted in a cyber security breach that went undetected for nine months.

The breach is said to have occurred between August 2020 and May 2021 and involved unauthorised access to the entity’s web server that stored customer information.

The hackers left suspicious files on a web server that facilitated the redirection of visitor traffic to an online video platform, with the Brisbane Times reporting that the hackers had used the infrastructure to boost the Google search ranking of a YouTube video.

A Sunwater spokesperson confirmed that no financial or customer data had been compromised and immediate steps had been taken in order to improve cyber security once the unauthorised access to an online content management system was detected.

JBS Foods

In June, JBS Foods were the victim of a ransomware attack which led to a partial shutdown of their operations in the United States of America, Canada and Australia over a 5-day period.

The company was successfully targeted by a group of hackers whom they categorised as among the most specialised and sophisticated cyber criminal groups in the whole world.

The Federal Bureau of Investigation attributed the attack to REvil/Sodinokibi, a ransomware tied to some of the largest attacks on critical infrastructure, finance and healthcare.

The shutdown threatened Australia’s meat supply chain, with temporary staff lay-offs at some of the plants and reports from farmers that their shipments of livestock were cancelled.

To get their systems back online and resume operations, JBS Foods were forced to pay the ransom to the criminal group in Bitcoin, an amount equivalent to $14.2 million.

Ambulance Tasmania

In January, it was revealed that the private details of every Tasmanian who had called an ambulance since November 2020 had been published by a third-party entity onto an online list that was continuing to be updated each time paramedics were dispatched.

The details included patients’ HIV status, gender and age.

The incident raised concerns that it could lead to discrimination, with suggestions that the breach could result in the Tasmanian government being open to litigation.

The source of the breach was found to be the ambulance provider’s paging system which was being used to convey critical health information between dispatch and paramedics.

Tasmania’s outdated ambulance communication network is an example of old systems running the state’s emergency services and making them vulnerable to cyber attacks.

Since the website was brought to the attention of the Tasmanian government, it has been taken down, and the ACSC has been authorised to remove it should it reappear.

Cyber-security professionals have called for Ambulance Tasmania to update its outdated communication systems to prevent any more cyber criminals from stealing data.