Share this article on:
The ACT government has announced it is undertaking an investigation into a data breach following the revelation that a piece of its network infrastructure was compromised by a vulnerability.
Barracuda, whose email gateway system hardware the ACT government uses in its network, revealed the vulnerability on its website on 24 May after discovering it on 19 May.
“Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorised access to a subset of email gateway appliances,” Barracuda said in a statement at the time.
The ACT’s Digital and Data Special Minister of State, Chris Steel, alongside chief digital officer Bettina Konti and chief information security officer Julian Valtas, fronted the media this morning to discuss how the Barracuda flaw may have affected the territory’s own data.
“This isn’t an attack on the ACT government; this is an attack on Barracuda systems,” Konti said. “It’s not a virus, it’s not malware — it is a vulnerability that was exposing information, or making available information, to a threat actor.”
“The work that we’ve got to do now is to understand, during the period the vulnerability existed, what was the information that went through that system, what was it connected to, and what information is in there that may have been able to be accessed.”
Barracuda’s own investigations are ongoing, but at this stage, it seems the vulnerability was first exploited in October 2022 — though it may have been in use for even longer — according to Barracuda.
“The vulnerability stemmed from incomplete input validation of user-supplied .tar files as it pertains to the names of the files contained within the archive,” Barracuda said in one of its advisories. “Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product.”
Barracuda has confirmed that a third party has accessed the affected devices.
Chris Steel, Digital and Data Special Minister of State, believes there is a “strong likelihood” that some personal data has been accessed by a third party.
“We do believe there is a likelihood that some information could have been accessed through the vulnerability,” Steel said. “The type of information, though, that we’re talking about is likely to come from a subset of automated emails related to government systems that have been impacted.”
However, no threat actor has yet come forward, either to the ACT or Barracuda, Steel said. The ACT Cyber Security Centre and Barracuda are both now working with the Australian Cyber Security Centre to investigate the incident.
“It’s now for us as the ACT government, not a question of if this will happen but when, and we’ve been preparing now over many years to try and harden our cyber security measures,” Steel concluded.