Cyber Incident Victim: Australian Capital Territory Government
Date:
Oct 2022
Location:
Australia
Summary
The Australian Capital Territory (ACT) government experienced a cybersecurity breach involving exploitation of a Barracuda Email Security Gateway (ESG) vulnerability, CVE-2023-2868, attributed to a suspected China-nexus threat actor tracked as UNC4841. The attackers sent emails carrying specially crafted TAR attachments; the ESG's attachment processing failed to sanitize the file names inside the archive, allowing remote command execution on the appliance. They then deployed custom malware families (SALTWATER, SEASPY, SEASIDE) to maintain persistence and exfiltrate email-related data. The breach prompted an immediate rebuild of the affected appliance, with ongoing investigations coordinated with national cybersecurity authorities and Barracuda. Exposure of personal information was suspected, but a comprehensive harms assessment remained underway. The wider campaign affected organizations worldwide, roughly one-third of them government entities. Response efforts included phased forensic analysis and public assurance that remediated systems showed no residual threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Australian Capital Territory (ACT) government experienced a cybersecurity incident involving exploitation of a vulnerability (CVE-2023-2868) in Barracuda Email Security Gateway (ESG) appliances. The flaw was a remote command injection: the appliance's handling of incoming .tar attachments did not fully validate the names of the files inside the archive, so an attacker could craft those names to execute system commands through Perl's qx operator with the privileges of the ESG product. Barracuda first identified the vulnerability on May 19, 2023, and issued patches on May 20 and 21. Subsequent investigation traced the earliest evidence of exploitation to October 2022, with Mandiant confirming that UNC4841 began targeting organizations with malicious email attachments exploiting this vulnerability on October 10, 2022. The ACT government detected the compromise through Barracuda's alerts and had initiated response measures by June 6, 2023, the same day Barracuda advised that impacted appliances be replaced regardless of patch level because patching alone was not considered sufficient.

Upon detection, the ACT Cyber Security Centre immediately rebuilt the impacted Barracuda system to eliminate the vulnerability and any implants on it. The government confirmed that a breach had occurred and initiated a harms assessment to determine the scope of data exposure. It stated confidence that containment measures had neutralized the ongoing threat and assured citizens that its online systems remained safe. The investigation involved collaboration with the Australian Cyber Security Centre and Barracuda Networks.

Mandiant's analysis, published on June 15, 2023, attributed the campaign to suspected China-nexus espionage actors using three malware families: SALTWATER, a trojanized module of the appliance's bsmtpd SMTP daemon; SEASPY, a passive backdoor that posed as a legitimate Barracuda service; and SEASIDE, a Lua-based bsmtpd module used to establish reverse shells. These tools provided persistence, lateral movement, and exfiltration of data from email systems. Globally, Mandiant reported that 55% of affected organizations were in the Americas, 24% in EMEA, and 22% in APAC (figures as published, rounded), with nearly one-third being government agencies.

The ACT government adopted a phased investigation approach: phase one confirmed the breach; phase two (ongoing as of June 26) involved system-by-system analysis of potential data exposure with external support; phase three would set out risk-based actions for the community. No specific details of compromised data were publicly confirmed, though officials acknowledged that personal information may have been exposed. Weekly updates were pledged via a dedicated communications channel.
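The bug class behind CVE-2023-2868 is an attachment scanner interpolating untrusted archive member names into a shell command string. The following is an added illustration written for this page, not Barracuda's code (the real ESG component was Perl and is not reproduced here): it builds a constructed in-memory TAR with a hostile member name, shows the vulnerable string-interpolation pattern beside the hardened argv form, and flags archives whose member names carry shell metacharacters so the scanner can quarantine them instead of processing them. The function names, the `archive.tar` placeholder and the sample file names are assumptions for the example.

```python
"""Added example: detecting and avoiding shell-injection via tar member
names, the weakness class exploited in CVE-2023-2868. Constructed data only;
this is not Barracuda ESG code."""
import io
import re
import tarfile

# Characters that carry meaning to a POSIX shell (or Perl's qx) when a
# filename is spliced unquoted into a command string.
SHELL_META = re.compile(r"[`$;|&<>(){}\n\r\\'\"]")


def build_tar(names: list[str]) -> bytes:
    """Construct an in-memory tar archive whose members have the given names
    (test fixture; in production the bytes come from the email attachment)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def suspicious_members(tar_bytes: bytes) -> list[str]:
    """Return member names that contain shell metacharacters.
    Only the header table is read; no member content is extracted."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return [m.name for m in tf.getmembers() if SHELL_META.search(m.name)]


def unsafe_command(name: str) -> str:
    """VULNERABLE pattern (for contrast): the member name is interpolated into
    a string that would be handed to a shell. A name such as a`id`.txt runs
    `id` on the appliance. Never execute the result of this function."""
    return f"tar -O -xf archive.tar {name}"


def safe_argv(name: str) -> list[str]:
    """Hardened pattern: the name travels as a single argv element with no
    shell involved (pass this list to subprocess.run with shell=False).
    The '--' stops a name beginning with '-' from being parsed as an option."""
    return ["tar", "-O", "-xf", "archive.tar", "--", name]


def scan_attachment(tar_bytes: bytes) -> str:
    """Gate an attachment before any per-member processing: quarantine the
    whole archive if any member name looks like injection material."""
    return "quarantine" if suspicious_members(tar_bytes) else "ok"


if __name__ == "__main__":
    sample = build_tar(["report.pdf", "notes`id`.txt"])
    print(suspicious_members(sample))
    print(scan_attachment(sample))
    print(unsafe_command("notes`id`.txt"))
    print(safe_argv("notes`id`.txt"))
```

The metacharacter check is a defence-in-depth signal for a scanner, not a substitute for the real fix: never build a shell command from attacker-controlled names at all. Passing `safe_argv(...)` to `subprocess.run` with `shell=False` means the name is only ever data to `tar`, whatever characters it contains.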
