Cyber Incident Victim: Australian Defence Force
Date: Dec 2019
Location: Australia
Summary
A vulnerability in Citrix NetScaler (CVE-2019-19781) was at the center of an incident that potentially compromised the Australian Defence Force's recruitment database, operated by contractor ManpowerGroup. The system, which holds highly sensitive personal information including medical and psychological records, was taken offline and quarantined for ten days following detection. The Australian Signals Directorate alerted Defence about the NetScaler flaw after its public disclosure, but the system was not isolated until weeks later. The vulnerability was being exploited widely around the world by multiple actors; no specific threat actor was linked to this incident. Crisis response protocols were activated, including frequent emergency meetings, though officials characterized the isolation of the database as precautionary rather than as confirmation of unauthorized access.
Description
The Citrix NetScaler vulnerability CVE-2019-19781 (affecting Citrix ADC and Gateway, the products formerly sold as NetScaler), publicly disclosed by Citrix on December 17, 2019, became the focal point of a cybersecurity incident affecting the Australian Defence Force's recruitment systems. The Australian Signals Directorate (ASD) identified potential risks to the Defence Force Recruiting Network (DFRN), operated by contractor ManpowerGroup, and formally notified the Department of Defence on January 24, 2020, roughly a month after Citrix's disclosure. Internal detection activities reportedly began before Christmas 2019, prompting twice-daily crisis meetings among Defence officials.

Between February 2 and February 12, 2020, Defence took the DFRN database offline and quarantined it as a precautionary measure; ASD director-general Rachel Noble described the action as demonstrating "an abundance of caution." The DFRN held highly sensitive personal information, including medical examination records, psychological assessments and other recruitment data. No evidence of data exfiltration was disclosed.

Exploitation attempts against the Citrix vulnerability surged worldwide after its public disclosure, and ASD observed widespread malicious activity across government and commercial entities. Defence officials confirmed during Senate Estimates hearings that the department received ASD's January 24 notification but did not immediately disconnect the system, waiting until February 2 to quarantine it fully. Noble defended this response window of just over a week as reasonable given the need to coordinate with ManpowerGroup. For context, ASD said it handles approximately five incident reports a day and receives one cybercrime report every ten minutes. The incident was not attributed to any specific threat actor; officials emphasized the vulnerability's broad exploitation rather than any targeted activity against Defence systems. Defence representatives acknowledged they were uncertain whether DXC Technology, ManpowerGroup's service provider, had applied Citrix's January 20 security patches before the quarantine. Because exploitation was already widespread before those fixes shipped, a patched appliance would not by itself have ruled out a compromise during the window between disclosure and patching.
