Cyber Incident Victim: Government of Tasmania
Date:
Feb 2023
Location:
Australia
Summary
The Government of Tasmania was listed as a victim by the Clop ransomware group following exploitation of a vulnerability in Fortra's GoAnywhere file transfer tool, prompting an investigation by authorities. The attackers claimed data theft from over 130 organizations via this flaw, with additional victims including Australia's Crown Resorts—which confirmed limited file access but no operational impact or customer data compromise—and multinational firms like Procter & Gamble. Fortra implemented temporary service outages and provided mitigation guidance, including patches for the vulnerability, while coordinating with cybersecurity agencies to notify affected customers. This incident mirrored Clop's prior attacks exploiting file-transfer vulnerabilities to target global entities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In February 2023, the Clop ransomware group exploited a critical vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere file transfer tool, compromising over 130 organizations globally. The attackers exfiltrated data from victims including governments, businesses, and educational institutions, with the City of Toronto, Virgin, Hitachi, and Australia’s Crown Resorts among those publicly confirming impacts. Clop gradually added victim names to its leak site over subsequent weeks, culminating in the March 24, 2023 listing of Tasmania’s government alongside the UK Pension Protection Fund and additional corporations. The Tasmanian Department of Premier & Cabinet acknowledged the claims and initiated an investigation, though operational disruptions or specific data compromises remained unconfirmed at the time of reporting. Crown Resorts separately verified limited file theft but stated no customer data or business operations were affected, while collaborating with law enforcement and gaming regulators. Multinational firm Procter & Gamble also confirmed a breach via the same GoAnywhere vulnerability on the same day Tasmania was listed.
Fortra responded to the widespread exploitation by implementing a temporary service outage to halt unauthorized access and issuing mitigation guidance, including patches for the vulnerability. The company coordinated with CISA to catalog the flaw publicly and asserted it was notifying potentially impacted customers, though multiple clients criticized Fortra for initially providing false assurances about their data security. This incident mirrored Clop’s 2021 campaign exploiting Accellion file transfer vulnerabilities, which compromised entities like Shell, Morgan Stanley, and the University of Colorado. The Tasmania breach highlighted persistent risks associated with widely deployed file-sharing infrastructure and demonstrated Clop’s continued focus on mass-exploitation of supply-chain vulnerabilities to extort high-profile targets. Investigations by Tasmanian authorities and other victims remained ongoing as of late March 2023, with no public resolution or confirmed ransom demands disclosed at the time.