Cyber Incident Victim: NSW Health
Date: Dec 2020
Location: Australia
Summary
A cyberattack exploiting vulnerabilities in Accellion's legacy file transfer service compromised New South Wales government agencies, including NSW Health and a transport entity, resulting in unauthorized data access. Attackers linked to the FIN11 group leveraged SQL injection flaws to deploy web shells and exfiltrate information, though critical systems such as driver licences, public transit payment infrastructure, and medical records remained unaffected. The incident involved extortion attempts in which the attackers threatened to publicly release stolen data, and in some cases did so. Forensic analysis confirmed the breach was limited to the Accellion platform, with no lateral movement into other agency networks. The vendor patched the vulnerabilities and accelerated retirement plans for the outdated service.
Description
In mid-December 2020, a cyber-attack targeted Accellion’s legacy File Transfer Appliance (FTA) service, impacting NSW Health and Transport for New South Wales among other entities. The attackers, identified by FireEye’s Mandiant researchers as UNC2546, exploited an SQL injection vulnerability in FTA to deploy web shells and gain unauthorized access to customer data stored within the file transfer system. Data was taken before the attack was interrupted, and both agencies confirmed data theft. Transport for NSW acknowledged that information was compromised but did not disclose specifics regarding the nature or volume of stolen data, stating only that an investigation remained ongoing and that affected parties would be notified through secure channels. Cyber Security NSW collaborated with state government agencies to assess the scope and sensitivity of the exfiltrated data. Forensic analysis conducted by industry specialists determined that the attackers accessed data exclusively through the compromised FTA service, with no evidence of lateral movement into core operational systems such as NSW Health’s electronic medical records, Transport for NSW’s Driver Licence systems, or the Opal travel card infrastructure.

The attackers leveraged four vulnerabilities in Accellion’s FTA, all of which were subsequently patched. Accellion, which had approximately 300 FTA customers at the time, confirmed that fewer than 100 clients were affected, with up to 25 experiencing significant data theft. The threat actors, associated by FireEye with the FIN11 cybercrime group (a spin-off of TA505), engaged in extortion attempts, threatening to publicly release stolen data and following through in some instances. Accellion accelerated plans to retire the 20-year-old FTA platform, setting an end-of-life date of April 30, 2021, and ceased support for the product thereafter. The company urged customers, including NSW government agencies, to migrate to its Kiteworks platform, offering free transition assistance. Cyber Security NSW emphasized that the incident was contained to the FTA environment, with no further compromise of state systems detected beyond the initial file transfer service breach. Transport for NSW and NSW Health maintained operational continuity throughout the investigation, relying on forensic assurances that critical infrastructure remained isolated from the attack vector.
