Cyber Incident Victim: Department of Transport and Main Roads (Queensland)
Date: Dec 2017
Location: Australia
Summary
Overseas attackers compromised two staff email accounts at Queensland's Department of Transport and Main Roads and used them to send phishing emails to other government departments and to personal contacts, directing recipients to counterfeit websites built to harvest credentials. The department blocked the source IP addresses, reset the passwords on the compromised accounts, and alerted internal staff and security partners to limit further damage. Although the department holds sensitive records such as names, addresses and license details, no data was confirmed stolen; experts noted that agencies holding such personal identifiers are high-value targets.
Description
In December 2017, overseas attackers breached the network of the Queensland Department of Transport and Main Roads. The intrusion began at approximately 3:00 AM and was detected and contained within five hours. The attackers gained unauthorized access to two official departmental email accounts and used them to send phishing emails to other government departments and to personal email addresses. The emails directed recipients to counterfeit websites designed to look legitimate, where they were asked to enter passwords and other sensitive information. The department's review found that the two compromised mailboxes contained no sensitive data and assessed the risk of information theft as low, even though the department itself stores Queenslanders' names, addresses and dates of birth. Forensic analysis traced the activity to IP addresses registered in Kenya and Canada, although security experts cautioned that the apparent source of such attacks is frequently disguised. The incident came roughly six months after the department had warned the public, in June 2017, about fraudulent license-renewal scam emails targeting drivers.

The department responded by immediately blocking the identified IP addresses and resetting the passwords of the two compromised accounts. Security teams notified all internal staff and the department's threat intelligence partners and asked them to block the fraudulent website linked from the phishing emails. A subsequent investigation verified that no sensitive data had been exfiltrated from transport systems. Departmental records indicated that defensive measures were already in place: the department reported blocking approximately 996,000 malicious network attacks in the preceding year and identifying 1,382 emails carrying previously unseen viruses. The incident highlighted the department's status as a high-value target because it holds Queensland driver license numbers, which are widely used across Australia for identity verification in commercial and government transactions. No operational disruption or financial impact was reported after the incident was contained.
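The pattern described above (a mailbox signed into from an unexpected country in the early hours, then used to push one external link to many recipients across several organisations) is detectable from ordinary sign-in and mail-gateway logs, and the containment steps the department took map directly onto the findings. The following is an added example written for this page, not code from the incident record or from the department: the event schema, mailbox names, the `tmr.example` domain, the IP addresses (RFC 5737 documentation ranges), the timestamps, the phishing URL and the thresholds are all constructed for illustration.

```python
"""Detecting a compromised mailbox being used for internal phishing.

Added example: this is not code from the incident record or from the
department. The event schema, mailbox names, domains, IP addresses
(RFC 5737 documentation ranges), thresholds and timestamps are all
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

INTERNAL_DOMAIN = "tmr.example"  # assumed internal mail domain

# Constructed sign-in events: two mailboxes authenticate from outside the
# usual country at about 3 AM; the others look routine.
SIGNINS = [
    {"ts": "2017-12-04T08:10:00", "user": "clerk1@tmr.example", "ip": "203.0.113.10", "country": "AU"},
    {"ts": "2017-12-04T03:02:00", "user": "clerk1@tmr.example", "ip": "198.51.100.7", "country": "KE"},
    {"ts": "2017-12-04T03:05:00", "user": "clerk2@tmr.example", "ip": "198.51.100.9", "country": "CA"},
    {"ts": "2017-12-04T09:00:00", "user": "clerk3@tmr.example", "ip": "203.0.113.11", "country": "AU"},
]


def _burst(sender, start, count, url):
    """Build `count` outbound messages 20 s apart, fanned out over four
    recipient domains, each carrying the same external link (constructed)."""
    base = datetime.fromisoformat(start)
    return [
        {"ts": (base + timedelta(seconds=20 * i)).isoformat(), "sender": sender,
         "rcpt": f"user{i}@dept{i % 4}.example", "urls": [url]}
        for i in range(count)
    ]


# Constructed outbound mail: two phishing bursts plus one benign message.
PHISH_URL = "http://licence-renewal.example.net/verify"
MESSAGES = (
    _burst("clerk1@tmr.example", "2017-12-04T03:10:00", 25, PHISH_URL)
    + _burst("clerk2@tmr.example", "2017-12-04T03:12:00", 30, PHISH_URL)
    + [{"ts": "2017-12-04T09:15:00", "sender": "clerk3@tmr.example",
        "rcpt": "peer@dept1.example", "urls": ["https://intranet.tmr.example/page"]}]
)


def anomalous_signins(signins, baseline_countries=frozenset({"AU"}), work_hours=(6, 20)):
    """Sign-ins from outside the baseline country, or outside working hours."""
    hits = []
    for s in signins:
        hour = datetime.fromisoformat(s["ts"]).hour
        if s["country"] not in baseline_countries or not (work_hours[0] <= hour < work_hours[1]):
            hits.append(s)
    return hits


def phishing_bursts(messages, window=timedelta(minutes=30), min_rcpts=20, min_domains=3):
    """Senders pushing one external URL to many recipients across several
    domains within `window`; links to the internal domain are ignored."""
    by_key = defaultdict(list)
    for m in messages:
        for url in m["urls"]:
            host = urlparse(url).hostname or ""
            if host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN):
                continue
            by_key[(m["sender"], url)].append(m)

    hits = []
    for (sender, url), msgs in by_key.items():
        msgs.sort(key=lambda m: m["ts"])
        times = [datetime.fromisoformat(m["ts"]) for m in msgs]
        best, lo = set(), 0
        for hi in range(len(msgs)):          # sliding time window, keep the densest one
            while times[hi] - times[lo] > window:
                lo += 1
            rcpts = {m["rcpt"] for m in msgs[lo:hi + 1]}
            if len(rcpts) > len(best):
                best = rcpts
        domains = {r.rsplit("@", 1)[1] for r in best}
        if len(best) >= min_rcpts and len(domains) >= min_domains:
            hits.append({"sender": sender, "url": url,
                         "recipients": len(best), "domains": sorted(domains)})
    return hits


def response_plan(signin_hits, bursts):
    """Containment actions matching the department's response: block source
    IPs, reset the affected accounts, block the phishing URL."""
    return {
        "block_ips": sorted({s["ip"] for s in signin_hits}),
        "reset_passwords": sorted({s["user"] for s in signin_hits} | {b["sender"] for b in bursts}),
        "block_urls": sorted({b["url"] for b in bursts}),
    }


if __name__ == "__main__":
    plan = response_plan(anomalous_signins(SIGNINS), phishing_bursts(MESSAGES))
    for action, targets in plan.items():
        print(f"{action}: {targets}")
```

The two detectors are deliberately independent: the sign-in check would fire even if the attacker sent nothing, and the burst check would fire even if the sign-in came through a proxy in the baseline country, which matters given the caveat above that source locations are frequently disguised. Thresholds (20 recipients, 3 domains, 30 minutes) are assumptions and would be tuned against a real organisation's baseline mail volume.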
